Key Points:

• NIS2 is an EU law raising cybersecurity standards for businesses due to new cyber threats and uneven implementation across the EU.
• It applies to many more businesses than before, including essential sectors like energy and new ones like postal services.
• Businesses must meet 10 key NIS2 compliance requirements by October 17, 2024 or face hefty fines.
• Download our guide to see how Metomic can help you achieve NIS2 compliance by giving visibility and control over where your sensitive data is stored.

In 2023, the EU passed a major new piece of cybersecurity legislation, the Network and Information Security 2 (NIS2) directive. It sets a higher bar for what organisations must do to guard against cyberattacks and protect their data.

The deadline for NIS2 compliance - October 17, 2024 - is fast approaching. But as recently as last October, only 34% of affected organisations in France, Germany, and the UK were ready to comply with NIS2.

Even many critical infrastructure organisations in the EU, which are highly vulnerable to cyberattacks, are not yet complying with NIS2 risk analysis requirements.

It’s clear, then, that meeting these higher NIS2 security standards is a challenge for many organisations. With this in mind, we’ve put together the following guide to help your business comply.

What is the NIS2 Directive and why was it introduced?

The original NIS Directive, established by the EU in 2016, was a significant step in increasing cybersecurity collaboration among member states and improving IT security standards among EU organisations.

However, a lot has changed in the cybersecurity landscape since 2016. In recent years, NIS became increasingly inadequate in handling new threats:

• The geopolitical landscape has become tenser, with cyberattacks from anti-Western states increasing. In particular, Russian cyberwarfare against the West has escalated significantly after the invasion of Ukraine. Russia is not only targeting government entities but also critical infrastructure and private sector companies.
• The methods used by state-sponsored and independent hackers alike have become more sophisticated. For example, advances in deepfake technology and AI have given cybercriminals powerful new weapons.
• The shift towards remote work exposed new security vulnerabilities within IT systems In particular, the widespread use of personal devices and unsecured home networks has opened up new attack vectors.

NIS security standards were also not consistently implemented by EU states. The directive allowed for some flexibility in interpretation, leading to differences in what was considered an 'essential' sector. This led to varying levels of cybersecurity preparedness across different regions, with some states’ critical sectors remaining under-protected.

To address these shortcomings, the NIS2 directive was introduced. It's a comprehensive update that extends and refines cybersecurity requirements to reflect the ever-present threats that organisations around the world are facing. NIS2 is also geared towards getting cybersecurity requirements to be implemented evenly across EU member states, ensuring that all are equally protected against threats.

Who do NIS2 regulations apply to?

A key change in the EU NIS2 directive is the inclusion of a significantly wider range of sectors. This expansion recognises that more industries are now integral to Europe's critical infrastructure and digital service landscape and, therefore, urgently need to comprehensively protect themselves from cyberattacks. NIS2 affects over 100,000 large and medium-sized organisations across various sectors, an increase from the original NIS directive.

Entities under NIS2 are classified into two categories: "essential" and "important." This classification hinges on how severe the impact of a cybersecurity breach would be. For an entity to be deemed "essential," its compromise must pose a significant threat to public safety, security, or economic stability.

• “Essential” sectors are those that are vital for the day-to-day functioning of society and the economy. These include energy, transport, banking, financial markets, health, digital infrastructure, public administration, and space.

• “Important” sectors, while not as critical to immediate public safety or security, are crucial for the economic and social well-being of EU states. For example, postal and courier services, waste management, manufacturing, and non-critical tech like search engines.

Both essential and important entities are subject to the same baseline security requirements under NIS2. However, essential entities are subject to more stringent and proactive supervision from EU authorities. This includes regular audits and stricter compliance checks to ensure they have the highest possible level of cybersecurity protection.

NIS2 also applies to non-EU companies that offer services within the EU. This means that international businesses, including cloud service providers, social networks, and search engines, must comply with NIS2 if they operate in the EU market. These companies need to designate an EU representative to comply with the directive.

What are the key NIS2 requirements, and how can organisations comply?

The EU NIS2 directive sets out 10 key security requirements that organisations need to adhere to. These requirements cover a range of cybersecurity practices and are an essential starting point for protecting against breaches.

Among all of these requirements, there are several key areas that deserve particular attention:

• NIS2 puts a significant emphasis on supply chain security. A slew of devastating attacks in recent years, like the TSMC and SolarWinds breaches, have highlighted just how important it is for organisations to guard against vulnerabilities in their supply chains. However, 80% of UK organisations, which are subject to NIS2 if operating within the EU, have not fully secured their supply chains.
• Creating a cyber-aware culture within organisations is crucial. Tech alone can’t completely protect against breaches, so all employees need to be aware of threats and understand their role in keeping the company safe. Regular training and awareness initiatives are key to creating this “human firewall”, as is software that keeps employees engaged with cybersecurity.
• Zero-Trust Authentication is now a must. NIS2 requires organisations to move beyond traditional multi-factor authentication (MFA) and implement zero-trust principles. This involves implementing measures like continuous authentication, ensuring that no user or device is trusted by default, even if they are already inside the network.
• Company leadership must establish robust systems for managing risk and data security. This means not taking a ‘set and forget’ approach, but instead constantly evaluating and adapting it to address emerging threats and vulnerabilities.

What are the risks of non-compliance with NIS2?

Non-compliance with NIS2 can lead to significant penalties. Essential entities may face fines of up to €10 million or 2% of global turnover, while important entities could incur fines of up to €7 million or 1.4%. There's also a provision that holds corporate management personally liable for cybersecurity negligence.

For companies that aren’t compliant yet, getting up to speed can often take longer than expected. When it came to the last significant EU cybersecurity legislation, GDPR, compliance took most companies seven months or longer. This resulted in around half missing the deadline.

So to avoid the risk of large fines, it’s critical to start preparing for the October 2024 deadline as soon as possible.

How can Metomic help with NIS2 compliance?

Securing your organisation’s sensitive data is a key requirement of NIS2, and you need the most up-to-date software to achieve this.

Metomic’s data security software gives you complete visibility and control over sensitive data in your SaaS applications, protecting you from critical cybersecurity risks.

Download our guide to see how Metomic can help you achieve NIS2 compliance by giving visibility and control over where your sensitive data is stored.