Navigating the new NIS2 requirements: What’s new and who does it apply to?

Since introducing the Network and Information Security (NIS) Directive in 2016, the European Union has been at the forefront implementing regulations designed to protect its businesses and citizens from escalating digital threats. The groundbreaking legislation aimed to establish a common framework for cybersecurity across the EU and ensured that member states and organizations were better equipped to defend against cyber attacks. As the nature and sophistication of cyber threats advances, however, so does the need for a more robust and comprehensive approach.

Enter NIS2

The updated directive, which came into effect on October 17th, 2024, will replace the original NIS. It brings with it a host of new requirements including a broader scope of affected entities and increased accountability placed on management bodies, aligning Dora, the new EU regulation for the financial services industry.

But, here at Aftra, we see compliance as an opportunity as well as a challenge. Complying to new regulations requires a lot of hard work, but it also reaps a lot of benefits. One of those is that more organizations and citizens will be even better protected against growing cyber threats in the NIS2 era.

What’s new in NIS2?

So what exactly has changed from NIS? The scope has expanded with NIS2 in terms of both cybersecurity requirements and the sectors which fall under the directive.

Let’s start with the security requirements for organizations. The directive places a strong emphasis on:

• Risk management and incident reporting
• Supply chain security
• Encryption and vulnerability disclosure
• Resilient security measures with regular testing and auditing

Incident reporting obligations have been streamlined and harmonized under NIS2, meaning that organizations must now adopt clear guidelines on how to avoid cyberattacks. Under the new regulations, organizations must:

1. Report significant incidents within 24 hours of becoming aware of them.
2. Provide initial incident reports within 72 hours.
3. Submit final incident reports within one month.

This standardized approach ensures that relevant authorities are promptly informed of cyber incidents, enabling quick response and mitigation efforts. 

Which new sectors does NIS2 affect? 

Another significant change introduced by NIS2 is that the directive now applies to many more sectors. The original NIS primarily focused on operators of essential services and digital service providers. NIS2 now casts a much wider net encompassing what it calls “important entities” as well. This change almost doubles the amount of sectors who must now comply.

Here’s a quick breakdown of the sectors affected:

Essential Entities (EE)

Organizations that fall into the below sectors are considered essential entities according to the NIS2 directive. Generally speaking, those that are 250 employees or more or generate an annual turnover of 50 million € (this differs slightly for each sector) must comply with the new NIS2 regulations.

• Energy
• Health
• Transportation
• Finance
• Water supply 
• Space 
• Digital infrastructure
• Public administration

Important Entities (IE)

Organizations that fall into this category are considered important entities according to the NIS2 directive. And those that are 50 employees or more or generate an annual turnover of 10 million € (again, this differs slightly for each sector) must also comply.

• Digital providers
• Postal services
• Waste management
• Foods 
• Manufacturing
• Chemicals 
• Research

(Source: https://nis2directive.eu/)

Who's accountable?

One of the most notable new aspects of NIS2 is the increased emphasis on management responsibility and accountability. Executives and board members are now directly responsible for implementing cybersecurity measures, ensuring NIS2 compliance, and providing resources and training for staff, including an effective cyber security incident response.

Managers must also go through training “and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order for them to they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” (https://www.nis-2-directive.com/). They may now also be held personally liable for infringements.

This shift in responsibility represents the critical role that leadership plays in driving cybersecurity excellence within organizations.

Your action plan for success

Adopting a holistic approach to cybersecurity ensures that organizations are well-prepared to meet the challenges posed by NIS2 and the evolving threat landscape. Here are some steps we recommend taking in order to be successful.

Step 1: Develop a clear action plan

This plan should outline the necessary steps, resources, and timelines for achieving compliance. It’s also critical to ensure that all stakeholders are in alignment and working towards a common goal.

Step 2: Conduct a thorough risk assessment

Once the action plan is in place, the next step is to conduct a thorough risk assessment. This involves identifying critical assets, processes and data that are essential to the organization’s operations and evaluating the potential impact of cyber incidents on these elements. By assessing the organization’s current cybersecurity posture against NIS2 requirements, gaps and areas for improvement can be identified, forming the basis for a robust compliance strategy.

Step 3: Develop and implement a cybersecurity strategy

Based on the findings of that risk assessment, businesses should then develop and implement a comprehensive cybersecurity strategy aligned with NIS2 requirements. This strategy should include:

• Establishing an information security management framework

• Implementing technical and organizational security measures

• Defining incident response and business continuity plans

• Regularly testing and auditing security controls

Step 4: Empower leadership

With the increased accountability on managing bodies, empowering leadership is even more crucial than before. Ensure that management possesses the necessary competence to oversee and guide the organization’s efforts effectively. Establishing clear communication channels between leadership and IT/security teams is an essential part of this step in order to facilitate informed decision-making.

Regular updates on NIS2 compliance progress and risk mitigation efforts should be provided to leadership, ensuring they remain engaged and accountable throughout the compliance journey.

Download our full NIS2 guide

Want to learn more? Download our comprehensive NIS2 guide covering what’s new, an overview of Dora (The complementary law for financial institutions), the price for non-compliance, and an action plan for success.

Get the guide