
Everything you need to know about the NIS2 Directive: requirements, sanctions and compliance solutions

NIS2 (Network and Information Security Directive 2) is a major evolution of the original NIS Directive, adopted by the European Union in 2016. The main aim of NIS2 is to strengthen the resilience of critical infrastructures and better protect Europe against growing cyber threats. By extending its scope to new sectors and imposing stricter, Europe-wide harmonized security requirements, NIS2 responds to the rapid evolution of digital threats.


This article explores the main changes brought about by NIS2 compared with the NIS Directive, and describes the roles and responsibilities of the various technology players involved in ensuring compliance and strengthening cybersecurity within organizations.

Main changes and improvements made by NIS2 compared with the original NIS directive

1. Scope extension

  • NIS: The original directive applied mainly to operators of essential services (OES) and digital service providers (DSPs).
  • NIS2: The scope is extended to include more critical sectors such as financial market infrastructures, water management systems, waste management, utilities, public health, chemicals, and food production.

For example, a hospital will need to secure its IT systems to protect patient data and quickly report any cyber-attacks. A waste management company must ensure that its management systems are protected against digital intrusions, and that it is ready to respond rapidly in the event of an incident (NIS2-Info) (The NIS2 Directive). Entities in the newly added sectors must comply with strict cybersecurity and risk management requirements, including the implementation of robust security measures tailored to each sector and the adoption of specific standards and certifications (DNV).


2. Reinforced security requirements

  • NIS: Security requirements were relatively general.
  • NIS2: Requirements are more detailed and harmonized at European level. They include risk management measures and mandatory reporting of security incidents.

This includes basic cybersecurity practices, business continuity policies, crisis management, and procedures for the use of encryption. For example, a transportation company will need to implement firewalls and intrusion detection systems, and encrypt its data, to protect against digital intrusions (Deloitte United States).


3. Improving cooperation

  • NIS: Cooperation between member states was encouraged but not structured.
  • NIS2: The directive introduces more formal mechanisms for cooperation and information exchange between member states. This includes the creation of EU-CyCLONe (Cyber Crisis Liaison Organisation Network) for cyber crisis management.

For example, an energy operator must now inform its European counterparts in the event of a cyber attack, facilitating a coordinated response at EU level.


4. Stricter sanctions

  • NIS: Penalties for non-compliance were left to the discretion of member states.
  • NIS2: Penalties for non-compliance are harmonized and strengthened under the NIS2 directive, with fines of up to €10 million or 2% of annual worldwide sales.

Unlike under the NIS Directive, where penalties were left to the discretion of member states, companies must now comply with strict security standards or risk significant financial penalties. For example, a company failing to comply with security requirements could face heavy fines, and its executives could face legal consequences.


5. Management responsibility

  • NIS: Obligations were mainly focused on companies as entities.
  • NIS2: Company directors now have clear responsibilities and can be held personally liable in the event of a breach of security requirements.


6. Incident Management and Notification

  • NIS: Incident notification rules varied between member states.
  • NIS2: Incident notification procedures are standardized, with clear deadlines for initial notification (24 hours after discovery) and final reporting (one month), facilitating a rapid and coordinated response.


7. Role of the Regulatory Authorities

  • NIS: Each member state had to designate one or more competent national authorities.
  • NIS2: Regulatory authorities now have extended powers to monitor and enforce the new security rules.

Each Member State must designate one or more competent national authorities, with increased powers to carry out audits and impose fines. For example, a regulatory authority can inspect a company to verify its compliance with NIS2, and impose sanctions in the event of non-compliance.

In summary, NIS2 aims to create a more robust and harmonized cybersecurity framework within the European Union, taking into account rapidly evolving threats and including a greater number of critical sectors.


Action plan to prepare for NIS2 in force from October 2024

The NIS2 directive must be transposed into the national legislation of EU member states by October 2024. Until then, member states are in the process of finalizing the incorporation of the directive into their national laws. Once transposition has been completed, the regulatory authorities in the various countries will begin to apply the new rules, and it is at this point that the first sanctions may be observed.

The period leading up to the full entry into force of the NIS2 directive in October 2024 offers affected companies a valuable opportunity to prepare and implement the necessary security measures.

What companies can do during this period:

  • Risk Assessment: Companies need to start with a thorough assessment of their IT infrastructures and cybersecurity practices to identify vulnerabilities and areas for improvement.
  • Compliance: It’s crucial to implement NIS2-compliant measures such as risk management, data encryption, network monitoring, and business continuity planning.
  • Cybersecurity Partner Selection: Companies can use this time to select and collaborate with cybersecurity partners, both internal and external. This includes consultants, cybersecurity experts, auditors, and suppliers of technological solutions capable of strengthening the resilience of information systems.
  • Training and Awareness: Companies also need to train their teams in cybersecurity, particularly with regard to the new NIS2 obligations, to ensure that all employees are prepared to detect and react quickly to security incidents.
  • Establish Notification Processes: It’s important to put in place incident notification processes, including protocols for reporting cyber-attacks to the relevant authorities within the timeframes stipulated by the directive.

By taking proactive steps now, companies can not only comply with NIS2 but also strengthen their overall cybersecurity posture, reducing the risk of future sanctions and improving the protection of their critical assets. This period of preparation is a key opportunity to ensure a smooth transition to the new regulatory requirements.


What roles and responsibilities do the various players in the technology sector have in strengthening organizations’ cybersecurity?

Under the NIS2 directive, various players in the technology sector, including web development companies, hosting providers, Chief Information Officers (CIOs), cybersecurity experts, and DPOs, play crucial roles in ensuring compliance and strengthening the security of information systems.


Role of Web Development Companies

  • Security by Design: Web development companies must adopt secure development practices from the outset of projects, integrating security controls such as data encryption, strong authentication, and protection against common attacks like Cross-Site Scripting (XSS) and SQL injection.
  • Secure Updates and Maintenance: They must also ensure that web applications are regularly updated to address vulnerabilities and maintain the ongoing security of systems.


Role of Hosting Providers and Infrastructure

  • Securing Environments: Hosting providers must ensure the physical and logical security of their data centers, including strict access controls, continuous monitoring, and protection against DDoS (Distributed Denial of Service) attacks.
  • Compliance with Standards: They must also comply with security standards and certifications such as ISO/IEC 27001 to demonstrate their commitment to cybersecurity.


Role of Chief Information Officers (CIOs)

  • Risk Management: CIOs are responsible for implementing risk management strategies, including identifying critical assets, assessing threats, and implementing appropriate safeguards.
  • Incident Monitoring: They oversee the management of security incidents, ensuring that incidents are promptly detected, reported, and resolved in accordance with the NIS2 requirements.


Role of Cybersecurity Experts (Internal and External)

  • Security Assessment and Audit: Cybersecurity experts, whether internal or external, conduct regular audits to assess the compliance and robustness of security systems. They identify vulnerabilities and recommend improvements.
  • Training and Awareness: They are also responsible for training and raising awareness among employees about best cybersecurity practices, ensuring that all staff understand the importance of IT security and how to respond in the event of an incident.


Role of Data Protection Officers (DPOs)

  • GDPR Compliance: While their primary role is to ensure compliance with the General Data Protection Regulation (GDPR), DPOs must collaborate with cybersecurity teams to ensure that personal data is protected against cyberattacks.
  • Data Incident Management: In the event of a data breach, the DPO plays a key role in notifying the authorities and coordinating appropriate responses.


Concrete Examples of Actions to Take within the Framework of NIS2

  • Web Developers: Implement automated security checks in continuous integration and deployment (CI/CD) pipelines to detect vulnerabilities before production deployment.
  • Hosting Providers: Deploy advanced web application firewall (WAF) solutions to protect against attacks on hosted applications.
  • CIOs: Establish a patch management policy to ensure all systems are up to date with the latest security patches.
  • Cybersecurity Experts: Conduct cyberattack simulations (penetration tests) to test the resilience of systems and train internal teams on appropriate responses.


Role of Other Stakeholders

Role of Procurement and Supply Chain Management

Responsibilities:

  • Supply Chain Security: They must ensure that suppliers and business partners comply with cybersecurity standards, thereby reducing supply chain risks.
  • Security Contracts and Clauses: Incorporate security clauses into contracts with suppliers to ensure robust cybersecurity practices.


Role of Internal and External Auditors

Responsibilities:

  • Compliance Assessment: Conduct regular audits to assess the compliance of security systems and processes with the requirements of the NIS2 directive.
  • Improvement Recommendations: Identify security gaps and propose improvements to strengthen the organization’s security posture.


Role of Risk Management Officers

Responsibilities:

  • Risk Assessment and Management: Identify, assess, and manage cybersecurity risks, ensuring a proactive approach to threat management.
  • Business Continuity Planning: Develop business continuity and disaster recovery plans to minimize the impact of cyber incidents.


Role of Human Resources (HR) Officers

Responsibilities:

  • Training and Awareness: Organize regular training to raise employee awareness of cybersecurity best practices and company security policies.
  • Access Management: Control employee access to sensitive systems and data, particularly when changing roles or leaving the company.


Role of Legal Advisors and Specialist Lawyers

Responsibilities:

  • Legal Compliance: Advise on legal and regulatory obligations regarding cybersecurity and data protection.
  • Dispute Management: Assist the company in the event of disputes or investigations following cyber incidents.


Anticipating changes and preparing for NIS2

The NIS2 Directive represents a crucial step in the protection of critical infrastructures in Europe, extending cybersecurity obligations to a greater number of sectors and strengthening the requirements for all entities concerned.

For companies, this Directive is both a challenge and an opportunity: the challenge of complying with stricter standards and the opportunity to strengthen their cybersecurity posture, thus reducing the risks of major incidents.

By mobilizing the right actors, both internal and external, and implementing the necessary measures before the October 2024 deadline, companies can not only avoid sanctions, but also effectively protect their critical assets and their sensitive data against cyber threats.


Why choose Castelis for your NIS2 compliance?

Castelis: your trusted partner for compliance and cybersecurity

As a major player in the field of technology solutions, Castelis is perfectly positioned to support companies in their compliance with the NIS2 Directive. With our expertise in cybersecurity, we offer a complete range of services designed to strengthen your security posture and ensure the resilience of your critical infrastructures against cyber threats.


Our cybersecurity and compliance solutions

At Castelis, we offer a suite of innovative services tailored to the specific needs of each company:

  • Cloud Security with Cloudflare: Protect your web applications against DDoS attacks, improve the performance of your sites, and ensure the continuous availability of your online services.
  • Security Operations Center (SOC): Monitor, detect, and respond in real-time to security incidents with our dedicated SOC, which combines human expertise and advanced technologies.
  • Cloud Infrastructure Design, Setup and Transformation: Develop and transform your cloud infrastructures with secure, high-performance solutions that meet regulatory requirements.
  • Managed Infrastructure Services: Entrust us with the management of your infrastructures to guarantee their security, performance, and availability at all times.
  • IT Security and Cybersecurity: Strengthen the security of your IT systems with our tailor-made solutions, including auditing, implementation, and cybersecurity management.
  • Web Application Performance: Optimize your web applications to be fast, reliable, and secure, while respecting the strictest security standards.
  • Cloud Compliance and Enforcement: Ensure that your cloud operations comply with current regulations, including NIS2, thanks to our compliance expertise.
  • FinOps: Cloud Financial Management: Optimize your cloud costs while maintaining high-level security and compliance with our FinOps services.
  • Remote Management or IT Staff Augmentation: Strengthen your internal teams with our dedicated IT experts, available for remote management for one-off or ongoing interventions.


ISO 27001 certification for your peace of mind

Castelis is certified ISO 27001, the international standard for information security management. This certification attests to our commitment to the highest standards of data security and the protection of sensitive information. With Castelis, you can be sure that your critical infrastructures are in good hands, compliant with the NIS2 requirements, and ready to face the challenges of cybersecurity.


Take Action with Castelis

Make security a priority. Contact Castelis today to find out how our tailored solutions can help you comply with NIS2 and strengthen the security of your systems. Together, let’s protect your critical assets from cyber threats.


Are you looking to strengthen your cybersecurity and comply with NIS2? Contact us to discuss!