Comprehensive Guide To The NIS2 Directive
NIS 2 Directive
This white paper is intended for people who are starting to learn about the European
Union’s NIS 2 Directive, and it presents the basic facts and guidance for this new Directive.
1. NIS 2 basics
1.1. NIS 2 Directive summary
The “NIS 2 Directive,” or simply “NIS2,” is a European Union directive that specifies
cybersecurity requirements that need to be implemented by EU companies that are
considered to be critical infrastructure.
Its full name is “Directive (EU) 2022/2555 on measures for a high common level of
cybersecurity across the Union,” and it was published on December 14, 2022.
Since NIS 2 is a directive, each EU country will define its own cybersecurity laws based
on NIS 2, with NIS 2 itself specifying the minimum level of cybersecurity to be achieved. In
practice, this means that companies in some countries will have to comply with the
minimum specified in NIS 2, while in other countries they will have to comply with stricter
cybersecurity requirements specified in local laws.
NIS 2 has the mark “2” because it replaces the old NIS directive.
1.2. What is the old NIS directive, and how is NIS 2 different?
The old NIS directive (Directive 2016/1148) also specified cybersecurity for critical
infrastructure, but it did not manage to introduce the same level of cybersecurity across
all Member States, resulting in a fragmented approach.
The new NIS 2 introduces a wider array of industries (sectors) that must be compliant,
better cooperation between the Member States, new timelines for reporting incidents,
more focus on supply chains, the responsibility on the top management of entities, stricter
penalties, etc.
NIS 2 will take effect on October 18, 2024 – this is also the deadline for EU countries to
define their own laws and regulations based on NIS 2.
The full title of the old NIS directive was: “Directive (EU) 2016/1148 concerning measures for
a high common level of security of network and information systems across the Union.”
NIS 2 is important because it sets very strict cybersecurity requirements for a large
number of companies in the European Union – by some estimates, more than 100,000
companies in the European Union will have to become NIS 2 compliant.
Even though NIS 2 does not apply to as many companies as, e.g., the EU GDPR, it will
certainly become a de facto standard for critical infrastructure that other (non-EU)
countries will emulate – a very similar scenario has happened already in non-EU countries
with privacy regulations that are very similar to the EU GDPR.
You can also find the full text here, arranged by chapters and articles, and with the ability
to search by keyword: NIS 2 Directive Full Text.
NIS 2 starts with a preamble where, in 144 points, it explains the background and provides
some guidelines for the main part of the Directive. The main part of NIS 2 has 46 articles
that are structured in the following chapters:
You can read all the NIS 2 articles here: Full Text of the NIS 2 Directive.
• Article 20 - Governance
• Article 21 - Cybersecurity risk-management measures
• Article 22 - Union level coordinated security risk assessments of critical supply chains
• Article 23 - Reporting obligations
• Article 24 - Use of European cybersecurity certification schemes
• Article 25 - Standardisation
2.1. Criteria that determine which companies must comply with NIS 2
There are three general criteria that define which organizations must comply with NIS 2:
• 1) Location — if they provide services or carry out activities in any country in the
European Union (no matter if they are based in the EU or not), and
• 2) Size — if they are categorized as mid-sized or large organizations (see the criteria
in the section below), and
• 3) Industry — if they operate in any of the 18 sectors listed in the table below.
However, there are some exceptions to these rules — see the table in the section below for
further explanation.
“Essential entities” and “important entities” are what NIS 2 calls companies and other
organizations that need to comply with NIS 2. Essential entities are:
• Companies that are categorized as large enterprises (see the criteria in the next section) and are in one of the 11 critical sectors (listed in the table below)
• Trust service providers
Important entities are all other organizations that are not categorized as essential entities,
but that fall under the 3 criteria mentioned in the previous section.
Since the above explanation from NIS 2 is a bit confusing, the table below shows which
organizations need to comply with NIS 2, and if they are classified as essential or
important entities.
For clarification, here’s how the EU classifies companies according to their size:
• Micro and small organizations — if they have fewer than 50 employees and less than 10 million euros in annual revenue.
• Mid-size organizations — if they have 50 to 250 employees and 10 to 50 million euros in annual revenue.
• Large organizations — if they have more than 250 employees and more than 50 million euros in annual revenue.
*Micro and small organizations also need to be compliant with NIS 2 in the following cases:
Here are the most important differences in how NIS 2 treats essential and important
entities:
Out of 46 articles in the NIS 2 Directive, only articles 20 to 25 are really relevant for
companies (i.e., essential and important entities) that must become compliant with NIS 2;
most of the other articles specify the requirements for government bodies that regulate
cybersecurity.
These most important requirements are placed in Chapter IV, and they revolve around
two main topics: cybersecurity risk management and reporting obligations. Besides
Chapter IV, there are only a few requirements relevant for essential and important entities.
So, here are the most important NIS 2 requirements you should be aware of:
According to Article 20, the top management of essential and important entities:
Article 21 requires cybersecurity measures to be appropriate for the related risks; when
assessing the risks, NIS 2 requires companies to take into account the following:
• exposure to risks
• company size
• likelihood of occurrence of incidents and their severity
• societal and economic impacts of incidents
Further, Article 21 requires an all-hazards approach, which basically means that companies
have to prepare for a wide range of potential threats.
Finally, Article 21 specifies a range of cybersecurity documents and measures, which are
listed in the section below.
Article 21 requires companies to pay special attention to risks related to direct suppliers
and service providers, in particular:
NIS 2 does not require essential and important entities to get certified. However, the NIS 2
Directive allows for EU countries (Member States) or the EU Commission to require those
entities to use IT products or services that are certified. At the time of writing this article,
there are no requirements for using certified IT products or services, but there is a high
chance that this will become mandatory.
Those IT products and services will need to be certified according to the European
cybersecurity certification scheme.
For companies that are not NIS 2 compliant, the fines are as follows:
It is important to note that Article 20 requires the top management of essential and
important entities to approve the cybersecurity risk management measures and oversee
their implementation, and it specifies that top management can be held liable if
cybersecurity is not compliant with Article 21.
Complying with complex regulations like the NIS 2 Directive is never easy, but if you have
a clear plan for how to do it, this whole project will become more straightforward. Below
you will see a best practice on which steps to follow to achieve full compliance with NIS 2
Chapter IV “Cybersecurity risk-management measures and reporting obligations” — the
steps focus on this chapter because it presents key NIS 2 requirements that companies
(i.e., essential and important entities) need to be compliant with.
You might think that, since NIS 2 is mandatory, complying with this regulation will go
smoothly with or without senior management commitment. Unfortunately, the reality is
different — if the top management does not actively support such a project, it will be slow,
underfunded, and blocked at every possible step.
So, even though NIS 2 is mandatory, you still have to convince your executives that this is
something worth focusing on.
NIS 2 places a big emphasis on performing security training, and it makes sense to
perform initial training very early in the project.
This way, everyone involved will have a much better picture of what NIS 2 is, what needs to
be done, why it is needed, etc. — and you will launch your project much more easily.
Even though NIS 2 does not specifically require a top-level document that would define
the direction for cybersecurity, such a document is a best practice according to
international standards because of the following fact: if you don’t know where you are
going, you will likely get lost.
This is why such a top-level document is needed – it clearly shows what needs to be
achieved with cybersecurity, what the main roles and responsibilities are, and how the
success will be measured.
Risk management is usually the most complex step in the compliance process, and, on
top of this, NIS 2 has some specific requirements for how this risk management needs to
be done.
To make sure that your company is compliant with NIS 2, and to make sure everyone in
the company understands how risks need to be managed, you have to create a document
that specifies clear rules – this is done through the Risk Management Methodology
document.
During the risk assessment, you have to find out what could jeopardize your information
systems – this is usually done by listing assets and related threats and vulnerabilities;
further, you have to find out how big those risks are by assessing likelihood and severity
(impact).
After you have the list of risks, you have to figure out how to treat (i.e., mitigate) the
highest risks – for most of them, you will implement the cybersecurity measures defined
in Article 21. In this way, you have cybersecurity that is based on a thorough analysis, rather
than implementing various measures without knowing why.
Once you have a complete idea of which risks you have and how to treat them, you will
need to create a concrete plan for how to implement cybersecurity measures – and, even
more importantly, to get the approval of senior management for such a plan.
The Risk Treatment Plan is in fact an implementation plan, and it typically includes a list of
all cybersecurity measures (i.e., activities, processes, and technologies) that need to be
implemented, together with information on who is in charge, what the deadlines are, etc.
In any case, you will have to write various cybersecurity policies and procedures to set
clear rules for those new processes, activities, and technologies.
See the section below about the required documents to learn which cybersecurity
measures are needed, and which documents to use.
NIS 2 recognizes that an increasing number of security incidents originate from breaches
at suppliers – it requires paying close attention to relationships with suppliers and service
providers, which includes assessing their vulnerabilities and studying their software
development procedures.
This is done through a formal risk assessment of suppliers, selecting only reliable suppliers
to work with, including security clauses in agreements with them, and monitoring their
security posture.
To set up those activities, you have to write a few key documents: Measurement
Methodology, Internal Audit Procedure, and Management Review Procedure.
One of the key NIS 2 requirements is to notify the CSIRT (or competent authority), and the
recipients of services, about significant incidents.
NIS 2 is very specific about setting up cybersecurity for all employees, including the senior
management. The challenge here is how to select the right topics, and what form of
training to choose in order to get the right knowledge transfer without spending too
much time or money.
See the section below to learn about potential approaches to resolve these dilemmas.
It is true that the internal audit is not mentioned in NIS 2; however, ISO 27001 and other
international standards suggest the internal audit as the best practice for senior
management to be able to oversee the implementation of cybersecurity measures.
Without identifying nonconformities during the internal audit, the senior management
would never have a complete picture of the state of cybersecurity, which could lead to
incidents and liability.
During the management review, the senior management could raise corrective actions,
change key roles and responsibilities, set new security objectives, define the security
budget, etc.
In other words, the purpose of corrective actions is to make sure that similar
nonconformities do not happen again.
If your company needs to comply with the NIS 2 Directive, you’ll have to write lots of new
documents to cover cybersecurity and reporting requirements. This section presents all
the documents that companies need to write according to NIS 2 Chapter IV.
The table below shows NIS 2 requirements, the relevant articles from Chapter IV of this
Directive, and the best practice of documenting those requirements.
NIS 2 requirement | Article | Document
Basic cyber hygiene practices | Article 21, paragraph 2, point (g) | IT Security Policy
Cybersecurity training | Article 21, paragraph 2, point (g) | Training and Awareness Plan
Policies and procedures regarding the use of cryptography and encryption | Article 21, paragraph 2, point (h) | Policy on the Use of Encryption
Human resources security | Article 21, paragraph 2, point (i) | Security Policy for Human Resources
Access control policies | Article 21, paragraph 2, point (i) | Access Control Policy
Asset management | Article 21, paragraph 2, point (i) | Asset Management Procedure + Inventory of Assets
The use of multi-factor authentication or continuous authentication solutions | Article 21, paragraph 2, point (j) | Authentication Policy
Secured voice, video and text communications | Article 21, paragraph 2, point (j) | Information Transfer Policy + Secure Communication Policy
Secured emergency communication systems within the entity | Article 21, paragraph 2, point (j) | Secure Communication Policy
Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures | Article 21, paragraph 3 | Supplier Security Policy + Risk Assessment and Treatment Report
Take appropriate and proportionate corrective measures | Article 21, paragraph 4 | Procedure for Corrective Action + Corrective Action Form
Notify CSIRT or competent authority of significant incident | Article 23, paragraph 1 | Significant Incident Notification for CSIRT/Competent Authority
Notify the recipients of services of significant incidents that are likely to adversely affect the provision of those services | Article 23, paragraph 1 | Significant Incident Notification for Recipients of Services
Communicate to the recipients of services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat; also inform those recipients of the significant cyber threat itself | Article 23, paragraph 2 | Significant Incident Notification for Recipients of Services
An early warning that indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact | Article 23, paragraph 4, point (a) | Significant Incident Early Warning
An incident notification that indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise | Article 23, paragraph 4, point (b) | Significant Incident Notification for CSIRT/Competent Authority
An intermediate report on relevant status updates | Article 23, paragraph 4, point (c) | Significant Incident Intermediate Report
A final report not later than one month after the submission of the incident notification | Article 23, paragraph 4, point (d) | Significant Incident Final Report
A progress report – in the event of an ongoing incident at the time of the submission of the Final Report | Article 23, paragraph 4, point (e) | Significant Incident Progress Report
Besides the required documents listed above, it is also recommended to write the
following documents:
The NIS 2 Directive only specifies reporting obligations in Article 23, but this article is quite
lengthy and quite demanding. So, which incidents do you need to report, to whom do you
need to report them, and how do you need to do so?
Recital (101) in the preamble of NIS 2 says “Indicators such as the extent to which the
functioning of the service is affected, the duration of an incident or the number of affected
recipients of services could play an important role in identifying whether the operational
disruption of the service is severe.”
Both essential and important entities need to report significant incidents, while there are
no requirements to report other types of incidents.
NIS 2 requires essential and important entities to notify the following parties of significant
incidents:
The NIS 2 Directive states very clearly that all employees, including the senior
management, need to go through cybersecurity training. So, where should you start –
which topics should be covered, and how should the whole process be organized?
The best approach to defining topics for cybersecurity training and awareness is to cover
each of these activities and measures. However, not all of these topics will be appropriate
for everyone in the company — therefore, you will see below that the topics are separated
according to the target audience.
7.1.1. Topics for all employees (including the mid-level and senior management)
• What are the essential and important entities that must comply with NIS 2? (Article 3)
• Main cybersecurity requirements of NIS 2 (Article 21)
• Approving and overseeing cybersecurity risk management measures (Article 20
paragraph 1)
• Crisis management (Article 21 paragraph 2 point c)
• Supply chain security (Article 21 paragraph 2 point d)
• Reporting obligations (Article 23)
• NIS 2 fines and liabilities (Article 20 paragraph 1; Article 32 paragraph 6; Article 34)
• Cybersecurity legislation by EU countries (Article 41)
Overall, the process of setting up cybersecurity training that is compliant with NIS 2
should follow these steps:
1. Assess the risks in the company — this is the basis for writing security documents,
and for finding out what to focus on in cybersecurity training.
2. Define cybersecurity policies and procedures — this way, cybersecurity roles and
responsibilities become clear.
• Pros:
o Training can be adapted according to the needs of the company
o Higher engagement
• Cons:
o Probably the most expensive
o Cannot be delivered very often
o Hard to deliver separate training for different target groups
• Pros:
o Training can be adapted according to the needs of the company
• Cons:
o Lower engagement
• Pros:
o Easy tracking of attendance and test results
o Employees can watch videos at their convenience
o The most budget-friendly option
• Cons:
o Attendees cannot ask questions to the instructor directly
NIS 2 does not require the implementation of ISO 27001; however, it does mention the
ISO/IEC 27000 series in the preamble as a way to implement cybersecurity risk
management measures, and the main part of NIS 2 encourages the use of international
standards.
When comparing NIS 2 with ISO 27001 more closely, it becomes clear that ISO 27001
provides an excellent framework for complying with the cybersecurity risk management
The full title of the EU GDPR is “Regulation (EU) 2016/679 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation).”
Even though NIS 2 and the GDPR both focus on the protection of data, they are quite
different:
NIS 2 EU GDPR
The full title of DORA is “Regulation (EU) 2022/2554 on digital operational resilience for the
financial sector.”
Although NIS 2 and DORA were both published on the same day (December 27, 2022),
there are big differences between them:
NIS 2 DORA
8.4. What is the difference between NIS 2 and the Critical Entities Resilience Directive (CER)?
The full title of CER is “Directive (EU) 2022/2557 on the resilience of critical entities.”
Although NIS 2 and CER (as well as DORA) were published on the same day (December 27,
2022), they have a different focus:
• “Member States” are countries that are members of the European Union – they
must publish their own cybersecurity laws and regulations based on NIS 2.
• “Competent authorities” are designated by Member States to supervise the
essential and important entities that must be compliant with NIS 2 and local
cybersecurity laws.
• “Single points of contact” are established by Member States to enable cross-border
cooperation between authorities.
• “Cyber crisis management authorities” are competent authorities, designated by
Member States, which are responsible for the management of large-scale
cybersecurity incidents and crises.
• “Computer security incident response teams” (CSIRTs) are designated by Member
States in order to handle incidents in accordance with defined processes.
• The “European cyber crisis liaison organisation network” (EU-CyCLONe) supports
the coordinated management of large-scale cybersecurity incidents and crises.
• The “Cooperation Group” facilitates strategic cooperation and the exchange of
information among Member States.
• The “European Union Agency for Cybersecurity” (ENISA) establishes a vulnerability
database, creates a biennial report on the state of cybersecurity in the Union,
maintains a registry of entities with special status, draws up guidelines regarding
the technical areas and existing standards, etc.
EU countries (Member States) must publish local laws and regulations related to the NIS 2
Directive by October 17, 2024 – this process of adopting local legislation based on an EU
directive is called “transposition.”
As of the date of writing this white paper (March 2024), only one Member State has
transposed NIS 2 into their local legislation:
NIS 2 does not require essential and important entities to get certified.
However, Member States (or the EU Commission) may require those entities to use
particular IT products or services that are certified in accordance with the European
cybersecurity certification scheme according to the Cybersecurity Act (EU Regulation
2019/881).
Sources:
• NIS 2 Directive
• Series of NIS 2 articles on Advisera.com
Author:
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books,
articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small
and medium businesses obtain the resources they need to become compliant with EU
regulations and ISO standards. He believes that making complex frameworks easy to
understand and simple to use creates a competitive advantage for Advisera's clients, and
that AI technology is crucial for achieving this.
As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best way to compliance
by eliminating overhead and adapting the implementation to their size and industry
specifics.