Hugging Face’s updated leaderboard shakes up the AI evaluation game

Hugging Face revamps its Open LLM Leaderboard as AI model performance plateaus, introducing more challenging benchmarks and sparking a new era in AI evaluation alongside complementary efforts like the LMSYS Chatbot Arena.

Security News | VentureBeat

New MOVEit Transfer Vulnerability Under Active Exploitation – Patch ASAP!

A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed.
The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions –

From 2023.0.0 before 2023.0.11
From 2023.1.0 before 2023.1.6, and

The Hacker News

Google Unveils New Chrome Enterprise Core Features for IT, Security Teams

Google has announced new Chrome Enterprise Core features that should be very useful to IT and security teams.

SecurityWeek

Transatlantic Cable podcast episode 353 | Kaspersky official blog

Episode 353 of the Transatlantic Cable podcast kicks off with news around ransomware attacks, both in the UK and the US. From there, the team discuss updates around the EU’s new DMA (Digital Markets Act) and how Apple could be a test case for record fines if it’s found to have abused its market position.

To wrap up, the team look at how some of the biggest names in music are joining forces to sue start-up generative AI companies that they allege are infringing copyright on a massive scale.

If you liked what you heard, please consider subscribing.

Don’t blame us for people suffering – London hospital hackers
LockBit Ransomware Claims 33 TB of US Federal Reserve Data for Ransom
Apple in breach of law on App Store, says EU
World’s biggest music labels sue over AI copyright

Kaspersky official blog

Fortinet vs Palo Alto (2024): Which NGFW Is Best for Your Team?

As two top NGFWs, Fortinet FortiGate seems to best fit small businesses, while Palo Alto works best for larger organizations. Find out in our comparison below.

Security | TechRepublic

The 6 Best LastPass Alternatives for 2024

Looking for LastPass alternatives? Check out our list of the top password managers that offer secure and convenient options for managing your passwords.

Security | TechRepublic

Multiple Vulnerabilities in Siemens Power Automation Products

Siemens recently patched several vulnerabilities in its Sicam products that could be exploited to target the energy sector. The updates addressed two high-severity and one medium-severity flaws.

Cyware News – Latest Cyber News

Diverse Cybersecurity Workforce Act Offers More Than Diversity Benefits

Our adversaries certainly have diversity — so cybersecurity teams need it, too.

darkreading

Google Disrupts More China-Linked Dragonbridge Influence Operations

Google has disrupted over 175,000 YouTube and Blogger instances related to the Chinese influence operation Dragonbridge.

SecurityWeek

EU NIS 2 Directive: what it is and how to prepare for it | Kaspersky official blog

Today’s topic is the NIS 2 Directive, which aims to improve the cyber-resilience of critical infrastructure and essential and important entities. NIS 2 looks set to do for information security in the EU what GDPR did for user data privacy.

It won’t be long now before the new directive will be transposed into national law, so if your organization is not yet ready, now’s the time to take steps.

What is NIS 2?

The revised Network and Information Security Directive (NIS 2) is the EU-wide legislation on cybersecurity. NIS 2 updates and complements the original NIS Directive, adopted in 2016, and creates a legal framework to enhance the overall level of cybersecurity across the EU.

The updated NIS 2 Directive focuses on three main areas:

Expanding the scope of application: the seven sectors covered by the original NIS Directive are supplemented by a number of new ones
New mechanisms for incident reporting and information sharing: NIS 2 mandates the timely reporting of significant incidents
Tighter enforcement of compliance: the updated NIS 2 introduces specific sanctions for non-compliance, including fines of up to 2% of global annual turnover

What organizations does NIS 2 apply to?

As mentioned above, the revised directive significantly broadens the scope of application compared to the original 2016 version. In addition, NIS 2 introduces a classification that divides the covered sectors into two categories:

Sectors of high criticality (Annex I):

Energy (electricity, district heating & cooling, gas, hydrogen, oil)
Transport (air, rail, water, road)
Banking
Financial market infrastructure
Health
Drinking water
Waste water
Digital infrastructure
ICT-service management (MSP, MSSP)
Public administration entities
Space

Other critical sectors (Annex II):

Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Production, processing, and distribution of food
Manufacturing (medical devices, computer, electronic, or optical products, electrical equipment, machinery, motor vehicles, other transport equipment)
Digital providers
Research

Besides classifying sectors, NIS 2 introduces an additional classification of specific entities. It too consists of two categories:

Essential (Article 3.1):

Large entities (annual revenue of over €50 million) in sectors of high criticality
Certification authorities, top-level domain registrars, and DNS providers, regardless of size of the business
Telecom providers, from medium-sized upwards (revenue over €10 million)
Public administration institutions
Any entity belonging to a highly critical or other critical sector that’s defined by an EU Member State as essential
Entities defined as critical under Directive (EU) 2022/2557

Important (Article 3.2):

Medium-sized entities (annual revenue of €10-50 million) in highly critical sectors
Medium and large entities in other critical sectors
Any entity that’s defined by an EU Member State as important

The category an entity belongs to has significant practical implications. The activities of entities classified as essential will be subject to much stricter and proactive oversight, including random raids, special security checks, and requests for proof of compliance. For non-compliance with NIS 2, essential entities may face a fine of up to €10 million or 2% of global annual turnover.

Entities classified as important can breathe a bit more easily — they’re subject to less stringent controls. For important entities, the penalties are slightly more modest: up to €7 million or 1.4% of global annual turnover.

NIS 2 timeline

Note that, unlike GDPR, NIS 2 is a directive — not a regulation of the European Union. This means it does not apply directly: EU Member States are legally required to transpose it into their national legislation within the designated time frame. In the case of NIS 2, the deadline is set for October 17, 2024.

In addition, EU Member States will have to draw up lists of essential and important entities subject to NIS 2 by April 17, 2025.

It will be useful to revisit the timeline of the main stages of NIS 2:

July 6, 2016: adoption of Directive (EU) 2016/1148, the original NIS
May 9, 2018: deadline for EU Member States to transpose the NIS Directive into their national legislation
July 7, 2020: start of European Commission (EC) consultations on the revision of NIS
December 16, 2020: publication of the proposal for NIS2 by the EC
May 13, 2022: European Parliament vote on adoption of the NIS 2 Directive
November 10, 2022: approval of the NIS 2 Directive by the Council of the EU
December 14, 2022: publication of the NIS 2 Directive in the Official Journal of the EU under the title Directive (EU) 2022/2555
January 16, 2023: entry into force of the NIS 2 Directive
October 17, 2024: deadline for EU Member States to transpose the NIS 2 Directive into their national legislation
April 17, 2025: deadline for EU Member States to draw up lists of essential and important entities. These lists must be updated regularly thereafter — at least every two years
October 17, 2027: review of the NIS 2 Directive

How to prepare for NIS 2 implementation?

Assess whether, and to what extent, the requirements of NIS 2 apply to your organization
Investigate how the NIS Directive was transposed into the national legislation in your EU Member State
Follow the recommendations of national cybersecurity authorities
Assess and develop technical, operational, and organizational measures for managing the security risks of network and information systems

More information about the updated EU Network and Information Security Directive, and how organizations can prepare for its entry into force, is available on our dedicated NIS 2 site.

Kaspersky official blog