From NIS to NIS 2: What’s New, and What’s Changed?
Get a breakdown of the key changes and additions in NIS 2 and ensure your organisation maintains compliance.
NIS 2 is the updated version of the EU’s Network and Information Security (NIS) Directive, the first piece of EU-wide cybersecurity legislation. The Directive provides legal measures, requirements, and sanctions to support achieving “a high common level of cybersecurity across the Member States.”
After the original NIS Directive ran into a variety of implementation issues across the Member States, the European Parliament’s NIS 2 briefing stated that an updated version was needed because the threat landscape had changed substantially since the NIS Directive was adopted in 2016.
Timeline
NIS 2 entered into force on 16th January 2023. From that point, Member States had 21 months to transpose all NIS 2 measures and requirements into national law—the new Directive will become effective on 17th October 2024.
Objectives
The evolved NIS Directive has three objectives:
Enhance cyber resilience among key EU organisations.
Reduce inconsistencies between affected organisations.
Improve joint situational awareness and response to cyber threats.
NIS to NIS 2: What’s New?
The most significant issue with the original NIS Directive—and the main reason why a second version was necessary—was the lack of both the specificity on which organisations were affected, and the consistency with which Member States enforced the Directive. NIS 2 clarifies these issues, making the final Directive far more enforceable across EU Member States.
However, assuming that NIS 2 has evolved in purely governance terms would be a mistake. This section will take a deep dive into some key changes.
1. More Clearly Defined Governance and Oversight
NIS 2 requires Member States to adopt a national strategy for the security of network and information systems. This includes the requirement to designate:
National Computer Security Incident Response Teams (CSIRTs) responsible for risk and incident handling.
A Competent Authority to act as the regulatory authority for each Member State. In most cases, this will be the government organisation currently responsible for cybersecurity regulation in each State.
A single point of contact (SPOC) to act as a liaison for cross-border cooperation between Member State authorities and with the NIS Cooperation Group.
The Competent Authorities are particularly important, as they will oversee incident reporting and compliance audits, and clarify requirements for affected entities.
2. Expanded Scope: Who Does NIS 2 Apply to?
In comparison to the original NIS Directive, NIS 2 covers a much broader range of “important” organisations, including postal services, food supply chains, and more.
It also has a significantly wider scope, aiming to establish a “higher common level of cybersecurity” across the EU by affecting many industries and organisations. It covers a broad range of sectors divided into two main categories: essential entities (e.g. energy, transport, banking, health, etc.) and important entities (e.g. postal and courier services, waste management, food supply chain entities, etc.).
NIS 2 also specifies the size of organisations it covers, dividing them into medium and large entities.
Large entities are organisations with at least 250 employees, or with an annual turnover of €50 million or more together with a balance sheet total of €43 million or more.
Medium entities are organisations with 50 or more employees, or with an annual turnover and balance sheet total of €10 million or more.
NIS 2 also defines small and micro organisations as those with fewer than 50 employees and an annual turnover or annual balance sheet total of less than €10 million. In most cases, these organisations will not be covered by NIS 2. However, it is best practice to contact your Member State’s Competent Authority for confirmation of the applicable sectors and entities.
3. Tougher Cybersecurity and Risk Management Requirements
While NIS included basic security measures and incident reporting requirements, NIS 2 imposes more stringent risk management and security measures. As is typically the case with cybersecurity legislation, NIS 2 specifies areas of cybersecurity where affected organisations must establish suitable controls but is light on specific requirements.
Both essential and important entities must: “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.”
At a minimum, essential and important entities will need to have implemented—and be able to prove—appropriate cybersecurity controls in these 10 areas:
Risk analysis and information system security policies
Incident handling
Business continuity, e.g., backup management, disaster recovery, and crisis management
Supply chain security
Security in network and information systems acquisition, development, and maintenance
Policies and procedures to assess the effectiveness of risk-management measures
Basic cyber hygiene practices and cybersecurity training
Policies and procedures on the use of cryptography and encryption
Human resources security, access control policies, and asset management
Use of multi-factor authentication (MFA) or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems
These measures: “shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.”
For most organisations, the safest approach to achieving NIS 2 compliance will be establishing controls and policies in line with a widely accepted industry standard. Since NIS 2 is an EU-wide Directive, standards such as ISO 27001 for information security and ISO 27036 for supply chain security are safe choices.
4. Mandatory Reporting Requirements
NIS required affected organisations to report incidents if they significantly impacted the continuity of essential services. NIS 2 introduces more precise reporting obligations and timelines, requiring affected organisations to notify their Competent Authority of “significant incidents” via multiple levels of reporting:
An “early warning” within 24 hours of detection. This indicates whether the incident is suspected of being caused by unlawful or malicious actors.
An “incident notification” within 72 hours. This provides an initial assessment of the incident, including its severity and impact.
A “final report” within 30 days of issuing the incident notification. This includes a detailed description of the incident, including its severity and impact, the threat or root cause that triggered the incident, and any mitigation measures applied.
NIS 2 also provides for two further types of reporting at the discretion of the Competent Authority:
An “intermediate report” if and when requested by the Competent Authority. This includes any relevant status updates.
A “progress report” (or potentially multiple reports) in the event of an ongoing incident.
5. Stricter Enforcement and Penalties
NIS 2 specifies penalties which go considerably further than the original Directive. Perhaps even more significantly, NIS 2 harmonises sanctions across all Member States by granting Competent Authorities specific powers to levy sanctions against non-compliant organisations.
The sanctions described by NIS 2 fall into three categories:
Non-monetary remedies: Competent Authorities can enforce non-monetary remedies, including compliance orders, binding instructions, security audit implementation orders, and threat notification orders to organisations’ customers.
Administrative fines: For essential entities, Competent Authorities can issue a maximum fine of at least €10,000,000 or 2% of global annual revenue, whichever is higher. For important entities, Competent Authorities can issue a maximum fine of at least €7,000,000 or 1.4% of global annual revenue, whichever is higher.
Criminal sanctions for management: Under NIS 2, top management (e.g., company directors) can be held personally liable and responsible if gross negligence is proven following a cybersecurity incident.
6. Cross-Border Information Sharing and Cooperation
NIS 2 sets out a number of requirements for Member States to set up the infrastructure for information sharing between communities of essential and important entities. The aim is to enable organisations to better understand, prepare for, and prevent serious cybersecurity incidents and breaches.
However, at least initially, all information sharing (not including incident reporting) will be on a voluntary basis.
7. Vulnerability Disclosure
NIS 2 emphasises the importance of a coordinated vulnerability disclosure framework to handle and report vulnerabilities, which was not explicitly covered by NIS.
This responsibility falls primarily on CSIRTs, which will facilitate a central EU vulnerability registry that acts as a source of information on the severity of reported vulnerabilities, how they can be exploited, and relevant guidance for users of vulnerable products and services. As intended by the NIS 2 Directive, this central registry will be available to all affected organisations, and will no doubt prove valuable.
Book a demo with our team and see how Drata’s continuous compliance platform can help you achieve NIS 2 compliance while reducing operational overheads.