(6 min read)
WARNING! THIS IS FULL OF FACTS.
NIS2 is a European law related to cyber security coming into effect in October 2024 that has an impact for most companies in the EU, but also those outside the EU working with European companies – which will affect many businesses in the UK. Plus, it won’t be long before other countries start adopting it – the UK, US, Singapore for example will align fairly soon. So it’s important to be aware of what it is, why it matters, and why you should be training your people now to make sure you put your business in the best position.
What is NIS2?
The original NIS (Network and Information Systems Directive) came into force in 2016. Cyber risks are now much greater and critical data and system operations are increasingly a target for ever more sophisticated threats. NIS2 is the EU’s response. Published in December 2022, EU member states have until 17 October 2024 to adopt it nationally.
What’s new?
NIS2 has stricter requirements for risk management and incident reporting, covers more industry sectors and has heavier penalties for failing to comply. NIS2 removes the separate category of digital service providers and adds a new category – ‘important’ entities in specific industries – which almost doubles the number of organisations in scope. The distinction between essential and important is automatically determined according to the size and nature of the entity in question.
‘In-scope’ entities
|
Essential entities (Annex I): - Large organizations in Annex I sectors - Medium-sized organizations in Annex I sectors - Entities designated as critical under the CER Directive |
Important entities (Annex II): - Medium to large organizations in Annex II sectors |
|
- Energy - Transport - Banking - Financial Market Infrastructures - Health - Drinking Water - Waste Water - Digital Infrastructure - ICT Service Providers - Public Administration - Space |
- Postal and Courier Services - Waste Management - Manufacture, Production & Distribution of Chemicals - Food Production, Processing & Distribution - Manufacturing - Digital Providers |
Size Criteria
Essential Entities
These are large enterprises with either at least 250 employees or an annual turnover of at least 50 million euros, or an annual balance sheet total of at least 43 million euros.
Important Entities
These are medium-sized enterprises with at least 50 employees and an annual turnover (or balance sheet total) of at least 10 million euros, but fewer than 250 employees and not more than 50 million euros annual turnover or 43 million euros annual balance sheet total.
A crucial change under NIS2 is that organisations will be responsible for addressing cyber security risks in their supply chains. ‘In-scope’ entities will undoubtedly push certain requirements down the supply chain. So, even if a supplier is itself not in scope, it could still be affected by NIS2.
That could mean you, if you currently work with any ‘in-scope’ entity, or want to.
The NIS2 Directive lays out essential cybersecurity measures that these organisations must follow:
- Risk Analysis: Regularly assess risks and identify vulnerabilities and have information security policies and procedures in place.
- Incident Response: Have strong detection and reporting processes.
- Access Control: Use measures like multifactor authentication.
- Data Protection: Ensure data security with encryption.
- Vulnerability Management: Regularly check for and fix vulnerabilities.
- Backup and Continuity: Have backup and disaster recovery plans.
- Supply Chain Security: Manage risks with suppliers.
- Monitoring: Keep track of and respond to security events.
- Training: Educate staff about cybersecurity.
- Governance: Management should oversee all cybersecurity efforts.
Supervision and differences in treatment
Essential entities face more stringent supervision and higher fines for non-compliance compared to important entities. Essential entities are subject to regular audits and stricter control measures, while Important entities are primarily supervised based on evidence of non-compliance
Defining ‘state of the art’
NIS2 requires organisations to implement the latest and most effective cybersecurity measures and techniques available at the time. It is left to the organisations to define what this looks like for any given context and risk.
Useful references are, for example:
- From the UK’s National Cyber Security Centre, the Cyber Assessment Framework - https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf
- Or in Belgium, from the Centre for Cyber security Belgium, the Cyber Fundamentals Framework - https://atwork.safeonweb.be/tools-resources/cyberfundamentals-framework
There is also the famous ISO27001 – the comprehensive gold standard – it’s a little more involved though! https://www.iso.org/standard/27001
This means you need to start preparing now
Don’t let uncertainty over the definition of ‘state of the art’ hold up your compliance planning activities, however. It is more advisable for in-scope entities to start making progress at a level they feel comfortable with, in terms of compliance and strengthening cyber security, than to risk delay by worrying about whether their approach is perfect. Organisations shouldn’t underestimate what this will involve, either. Complying with NIS2 is much more than a problem for the technology team to deal with.
NIS2 also has more stringent reporting requirements – and those requirements are tight in terms of time. For example, every incident that’s deemed to have ‘significant impact’ should be reported within 24 hours, along with an indication of those impacts. A full report needs to be sent within 72 hours and a final report must be submitted within one month. This puts pressure on those businesses within the supply chain, which will also have to notify their end clients as well as the competent authority.
Knowing the NIS2 essentials
It’s very important to train your staff on the requirements of NIS2 – before it comes into operation. We’ve spoken to many organisations about this – both in the UK and in the EU – to help them understand the critical nature of NIS2 and that they must be ready for it within the next 3 months. And, as this period includes the notoriously quiet summer holidays when everyone is away, it makes sense to start this sooner rather than later.
As providers of online cyber security training that’s driven by behavioural science, we know that designing training the right way can help to share essential information – even about a seemingly dry subject – in a way that helps people to understand it and put learning into practice as soon as possible.
Using this type of training has several advantages, but most importantly, it puts you confidently in a position where you are a credible and reliable supplier who understands the regulatory environment and can demonstrate a proactive approach to training, compliance and – most importantly – good cyber security practice.
For more information you can contact our legal partner in Belgium: Legal Freaks. They can help you with pragmatic advice without legalese (and with fully transparent pricing!). Don’t hesitate to reach out to them at This email address is being protected from spambots. You need JavaScript enabled to view it. or by phone on +32 487544807.
Sign up to get our monthly newsletter, packed with hints and tips on how to stay cyber safe.
Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts. If you’d like to chat about using Psybersafe in your business to help to stay cyber secure, contact Mark today.