What is the NIS 2 Directive, and how to prepare for it

Today’s topic is the NIS 2 Directive, which aims to improve the cyber-resilience of critical infrastructure and essential and important entities. NIS 2 looks set to do for information security in the EU what GDPR did for user data privacy.

It won’t be long now before the new directive will be transposed into national law, so if your organization is not yet ready, now’s the time to take steps.

What is NIS 2?

The revised Network and Information Security Directive (NIS 2) is the EU-wide legislation on cybersecurity. NIS 2 updates and complements the original NIS Directive, adopted in 2016, and creates a legal framework to enhance the overall level of cybersecurity across the EU.

The updated NIS 2 Directive focuses on three main areas:

• Expanding the scope of application: the seven sectors covered by the original NIS Directive are supplemented by a number of new ones
• New mechanisms for incident reporting and information sharing: NIS 2 mandates the timely reporting of significant incidents
• Tighter enforcement of compliance: the updated NIS 2 introduces specific sanctions for non-compliance, including fines of up to 2% of global annual turnover

What organizations does NIS 2 apply to?

As mentioned above, the revised directive significantly broadens the scope of application compared to the original 2016 version. In addition, NIS 2 introduces a classification that divides the covered sectors into two categories:

• Sectors of high criticality (Annex I):
  • Energy (electricity, district heating & cooling, gas, hydrogen, oil)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT-service management (MSP, MSSP)
  • Public administration entities
  • Space
• Other critical sectors (Annex II):
  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing (medical devices, computer, electronic, or optical products, electrical equipment, machinery, motor vehicles, other transport equipment)
  • Digital providers
  • Research

Besides classifying sectors, NIS 2 introduces an additional classification of specific entities. It too consists of two categories:

• Essential (Article 3.1):
  • Large entities (annual revenue of over €50 million) in sectors of high criticality
  • Certification authorities, top-level domain registrars, and DNS providers, regardless of size of the business
  • Telecom providers, from medium-sized upwards (revenue over €10 million)
  • Public administration institutions
  • Any entity belonging to a highly critical or other critical sector that’s defined by an EU Member State as essential
  • Entities defined as critical under Directive (EU) 2022/2557
• Important (Article 3.2):
  • Medium-sized entities (annual revenue of €10-50 million) in highly critical sectors
  • Medium and large entities in other critical sectors
  • Any entity that’s defined by an EU Member State as important

The category an entity belongs to has significant practical implications. The activities of entities classified as essential will be subject to much stricter and proactive oversight, including random raids, special security checks, and requests for proof of compliance. For non-compliance with NIS 2, essential entities may face a fine of up to €10 million or 2% of global annual turnover.

Entities classified as important can breathe a bit more easily — they’re subject to less stringent controls. For important entities, the penalties are slightly more modest: up to €7 million or 1.4% of global annual turnover.

NIS 2 timeline

Note that, unlike GDPR, NIS 2 is a directive, — not a regulation of the European Union. This means that EU Member States are legally required to amend their national legislation within the designated time frame. In the case of NIS 2, the deadline is set for October 17, 2024.

In addition, EU Member States will have to draw up lists of essential and important entities subject to NIS 2 by April 17, 2025.

It will be useful to revisit the timeline of the main stages of NIS 2:

• July 6, 2016: adoption of Directive (EU) 2016/1148, the original NIS
• May 9, 2018: deadline for EU Member States to transpose the NIS Directive into their national legislation
• July 7, 2020: start of European Commission (EC) consultations on the revision of NIS
• December 16, 2020: publication of the proposal for NIS2 by the EC
• May 13, 2022: European Parliament vote on adoption of the NIS 2 Directive
• November 10, 2022: approval of the NIS 2 Directive by the Council of the EU
• December 14, 2022: publication of the NIS 2 Directive in the Official Journal of the EU under the title Directive (EU) 2022/2555
• January 16, 2023: entry into force of the NIS 2 Directive
• October 17, 2024: deadline for EU Member States to transpose the NIS 2 Directive into their national legislation
• April 17, 2025: deadline for EU Member States to draw up lists of essential and important These lists must be updated regularly thereafter — at least every two years
• October 17, 2027: review of the NIS 2 Directive

How to prepare for NIS 2 implementation?

• Assess whether, and to what extent, the requirements of NIS 2 apply to your organization
• Investigate how the NIS Directive was transposed into the national legislation in your EU Member State
• Follow the recommendations of national cybersecurity authorities
• Assess and develop technical, operational, and organizational measures for managing network and information systems; security risks

More information about the updated EU Network and Information Security Directive, and how organizations can prepare for its entry into force, is available on our dedicated NIS 2 site.