What is the NIS2 Directive?

NIS2 represents an evolution of the original NIS Directive from 2016, which was the first European legislation specifically addressing the security of networks and information systems. However, with the increase in digitalization, the evolution of technologies, and the sophistication of cyberattacks, an update was necessary. NIS2 expands the scope of the regulation, introduces stricter requirements, and aims to ensure a high level of cybersecurity, with the goal of enhancing the resilience of critical infrastructures and ensuring the continuity of essential services across the EU.

Why was NIS2 introduced?

NIS2 addresses the new challenges posed by increasing digitalization and the growing sophistication of cyberattacks. In recent years, there has been a surge in large-scale cyber incidents, with a 32% increase in attacks in 2023 alone. These attacks not only compromise system security but also have potentially devastating effects on the operational continuity of entire economic sectors and essential services.

Main innovations of NIS2

  1. Expanded scope of application
    • One of the most significant updates in NIS2 is the broadened scope of the regulation. While the original directive focused on critical sectors such as energy and transport, NIS2 extends coverage to new categories of businesses and services, including telecommunications, cloud computing services, search engines, and even digital platforms like social media. This expansion reflects the growing importance of these sectors in daily life and their critical role in information security and data protection. Businesses operating in these sectors must prepare to adopt new security standards to ensure compliance.
  2. Enhanced incident reporting obligations
    • NIS2 places greater emphasis on managing and reporting cyber incidents. Previously, many businesses could handle incidents internally, but now transparency is essential. Under NIS2, operators must report significant incidents to the relevant authorities within 24 hours of discovery. This preliminary report serves to alert authorities to potential issues. Additionally, businesses must submit a detailed report within 72 hours, providing comprehensive information on the incident, its impact, and the measures taken to resolve it. The goal is clear: to reduce response times and enable coordinated management at a European level. These timely notifications foster collaboration between public and private sectors, helping to contain attacks quickly.
  3. Direct accountability of company executives
    • One of the most important, and perhaps controversial, updates in NIS2 is the introduction of direct accountability for company executives. Delegating cybersecurity to technical teams is no longer sufficient; top management must be actively involved. Executives are now responsible for ensuring the adoption of necessary security measures and maintaining compliance. Failure to meet NIS2 requirements could result in personal liability for executives, including administrative sanctions or fines in cases of negligence. This shift highlights that cybersecurity is no longer just a technical issue but a strategic concern involving the entire corporate governance structure.
  4. Focus on risk management
    • Risk management becomes a cornerstone of NIS2. Companies can no longer merely react to attacks but must adopt a proactive, risk-based approach. Organizations are required to conduct regular and systematic assessments of cybersecurity risks, identifying vulnerabilities and implementing preventive measures to mitigate them. The aim is not only to protect systems but also to ensure operational continuity during attacks, minimizing disruptions to essential services.
  5. Strengthened European cooperation
    • NIS2 also strengthens cooperation among EU member states. The directive promotes the creation of coordination mechanisms between competent authorities, facilitating the sharing of information and the joint management of incidents. This enhanced collaboration enables faster responses to cyberattacks and helps prevent threats, building a shared safety network that improves the overall resilience of Europe’s digital infrastructure.

How can companies comply with NIS2?

Adhering to the NIS2 directive is a complex challenge that requires a strategic approach, but it also presents an opportunity to enhance cybersecurity resilience and protect corporate data. Organizations need to address operational and technological aspects to achieve compliance, implementing measures ranging from risk management to staff training. Below is an overview of the key actions companies must take to ensure compliance.

Continuous risk assessment

A core requirement of NIS2 is the obligation for companies to conduct continuous risk assessments to identify vulnerabilities in their IT systems. This is not just a one-time checklist but an ongoing, iterative process. With cyber threats constantly evolving, companies must remain prepared to respond to changes in the threat landscape.

Risk assessments should be based on a thorough analysis of the IT infrastructure, identifying critical points that cybercriminals could exploit. Mapping all resources—from physical servers to cloud systems—and understanding which data or services are most at risk is essential. Many organizations rely on advanced cybersecurity tools to monitor network traffic and flag suspicious activities in real time. Additionally, risk assessments should consider organizational factors: Are responsibilities for cybersecurity clearly defined? Are the tools being used up-to-date and compliant with current standards? These questions must guide the process, ensuring that security measures align with the organization’s actual needs.

Implementation of an incident response plan

Complying with NIS2 means being prepared to respond promptly and effectively to any cyber incident. Every organization must have an incident response plan that includes well-defined procedures for detecting, responding to, and mitigating threats.

An incident response plan is not just a document but an operational system activated during an incident. Early detection is critical, requiring advanced monitoring systems that continuously analyze network traffic to identify suspicious activity. Once a threat is identified, the organization must initiate a coordinated response. This could involve isolating parts of the system to prevent the attack from spreading, communicating internally to inform relevant teams, and notifying the authorities. NIS2 mandates that significant incidents be reported within 24 hours, followed by a comprehensive report within 72 hours.

Regular attack simulations and testing of the incident response plan are crucial to ensuring readiness. These tests can uncover weaknesses that might otherwise go unnoticed until a real incident occurs.

Protection of critical infrastructure and security management

NIS2 requires companies to adopt measures to safeguard their critical infrastructure—systems and services essential to their operations. This involves deploying technologies to prevent unauthorized access and ensure the security of sensitive data. Beyond firewalls and intrusion detection systems (IDS), implementing data encryption during transmission and storage is vital. Adopting secure cloud solutions and regular backups ensures data recovery without compromising service continuity during an attack.

Physical security of data centers and IT infrastructure is also crucial. A compromised server can expose an entire system to significant risks. Companies must adopt a holistic approach to security, encompassing physical, technical, and organizational measures.

Staff training and awareness

A key aspect of NIS2 compliance is engaging and training employees. Many cyberattacks exploit human errors, such as phishing or weak passwords. Companies must organize regular training sessions to educate employees on cyber risks and prevention methods. For instance, phishing simulations can help staff recognize suspicious emails, while workshops on secure password management can prevent unauthorized system access.

Creating a corporate culture where cybersecurity is a shared responsibility is essential. Every employee, regardless of their role, should feel part of the company’s defense strategy. Clear internal policies outlining individual responsibilities in cybersecurity can facilitate this.

Constant monitoring and incident reporting

NIS2 requires not only system protection but also constant monitoring. Companies must implement systems capable of detecting suspicious activity and promptly reporting incidents. Security Information and Event Management (SIEM) tools, which aggregate and analyze security data in real time, are essential. These tools help identify anomalies or activities that could indicate an ongoing attack.

Systems must also be capable of generating automatic incident reports to facilitate notification to authorities. Timeliness is critical: delays in reporting can have severe consequences, not only for compliance but also for system security.

Collaboration with partners and suppliers

NIS2 emphasizes supply chain security. Companies must ensure that their suppliers adhere to adequate security standards. Active collaboration with business partners is necessary to ensure compliance and prevent vulnerabilities. Companies should include security clauses in supplier contracts, requiring the implementation of minimum cybersecurity standards. Regular assessments of suppliers are also essential to identify potential risks and ensure security levels remain adequate over time.

 

By requiring organizations to take a proactive approach to cybersecurity, NIS2 introduces rigorous obligations that directly involve corporate executives and foster collaboration between the public and private sectors. Compliance not only helps avoid sanctions but also contributes to building a more secure and resilient digital infrastructure, crucial for the future of the European economy.