GDPR to NIS2
GDPR was arguably the most impactful regulatory standard of its time, and it changed the way companies worked. It was EU legislation, but companies all over the globe recognized the scope of the regulation and decided it made sense to follow GDPR rules even if they had only a minimal presence in the EU.
With GDPR, data privacy, security, protection, and rights were to be assured at the user and customer level. The regulation was designed to give users more control over, and transparency into, the data that companies collected about them. While only a few years have passed since the law came into effect, it has shifted the landscape of how companies handle user data.
We believe there is a new compliance standard that may have just as large an impact as GDPR, yet the discussion around it has been minimal. It is an EU directive called NIS2, and it applies to a much wider range of companies than the original NIS Directive did.
NIS2 is a new cybersecurity directive that aims to establish baseline requirements for incident reporting, cybersecurity risk management, and supply chain risk management, and it imposes heavy fines for non-compliance. Where GDPR sought to improve privacy and security standards at the level of user data, NIS2 looks to improve security standards for companies and organizations as a whole.
While companies will not need to comply with the new directive until Fall 2024, it is important to prepare sooner rather than later, since compliance may require a significant undertaking depending on the cybersecurity controls and strategy a company already has in place. By prioritizing NIS2 compliance now, companies can comfortably meet the deadline and will not have to scramble as it approaches.
In this article, we’ll go over the most common questions you might have about NIS2.
NIS2 Frequently Asked Questions
What is the NIS Directive?
NIS2 is the second Network and Information Security (NIS) Directive, an EU-wide piece of cybersecurity legislation and an expanded form of the original NIS Directive.
NIS2 widens the set of companies it applies to across multiple industries and imposes more specific and stringent cybersecurity and risk management requirements, while also increasing the fines and penalties for non-compliance.
Among other things, NIS2 requires companies to:
- Manage risks within their network and information systems
- Implement a minimum standard of security measures that address supply chain security, vulnerability management, cybersecurity risk assessment, and more
- Focus more on critical supply chain risk management
- Establish a management body that oversees, approves, and is trained on cybersecurity measures
- Adhere to specific incident notification windows, ranging from 24 hours to 72 hours after becoming aware of an incident, and issue a final report one month after the incident notification is submitted
You can find the exact text of NIS2 here.
Why haven’t I heard of NIS or NIS 1?
NIS 1, or just NIS, was originally adopted in 2016, but the set of companies it applied to was limited, especially compared to NIS2. NIS also had minimal enforcement and much less punishing penalties for non-compliance.
Who does NIS2 impact?
Because NIS2 is an EU directive, it applies to all companies based within an EU member state.
The new directive applies to companies designated as “Essential Entities” and “Important Entities”. While the size threshold varies by sector, essential entities include companies with 250 employees or more and a turnover of € 50 million or a balance sheet of € 43 million. Important entities include companies with more than 50 employees and an annual turnover or balance sheet of € 10 million.
Applicable sectors within Essential Entities include:
- Banking and financial markets
- Drinking water and waste water
- Digital infrastructure and ICT service management, including cloud computing service providers
- Public Administration
Applicable sectors within “Important Entities” include:
- All sectors within essential entities but with the “Important Entities” size threshold
- Postal and Courier Services
- Waste Management
- Chemical manufacturing, production, and distribution
- Digital providers
- Research organizations
If an entity does not meet these thresholds but is a critical societal or economic “sole provider” within a member state, it may still be designated as an essential or important entity. Member states need to finalize their lists of essential and important entities by April 2025.
What are the major differences between NIS and NIS2?
Aside from significantly expanding the scope of companies that need to comply, NIS2 also carries much steeper fines and sets out stricter rules and enforcement measures that regulators can use to ensure companies are complying with the directive.
These include investigative and supervisory powers such as:
- On-site inspections
- Security audits
- Requesting more information to assess an organization’s cybersecurity measures
- Security scanning
- Requesting evidence and information to evaluate risk management and cybersecurity policies, data, documentation, and other material
Essential entities are subject to audits and inspections at any time. Important entities, on the other hand, can only be investigated after an incident occurs.
Should I care about NIS2 even if I’m not part of the EU?
While amendments to NIS2 are still expected, we believe that NIS2 may apply to any company doing business within the EU.
What are the fines or sanctions if my organization doesn’t follow the NIS2 directive?
Organizations that don’t comply with the NIS2 directive can face heavy fines.
- Essential entities face up to € 10 million or 2% of global turnover.
- Important entities face up to € 7 million or 1.4% of global turnover.
For all entities, whichever of the two amounts is higher applies. Additional non-monetary measures may be imposed on non-compliant organizations, including orders to comply, binding instructions, notification and reporting requirements toward affected parties, and remediation requirements stemming from security audit findings.
When will the NIS2 directive be implemented?
NIS2 was officially published on December 27, 2022 and entered into force on January 16, 2023. EU member states are required to transpose NIS2 into their national law by October 18, 2024. Impacted organizations must also comply with the directive by October 18, 2024.
How can I make sure I’m adhering to the NIS2 directive?
While amendments are still being made to NIS2, we do not expect much to change, and companies should start mobilizing their departments to comply with the new directive. Here are some recommended steps.
- Identify what business units, departments, and subsidiaries fall within the scope of NIS2.
- Assess your organization’s current risk management and cybersecurity posture to discover gaps that need to be addressed in order to achieve compliance.
- Speak to your legal department in order to put together a timeline and strategy for NIS2 compliance.
- Reach out to your supply chain and critical third parties to ensure they are also aware of the NIS2 directive and understand that you will have to work together to address its new supply chain and third-party risk management elements.
- Work with department heads and key stakeholders to ensure they’re aligned on the strategy and can mobilize their departments, systems, and resources in time.
NIS2 directive compliance
How organizations achieve compliance will vary by environment, existing security controls and policies, and current risk management strategy. You may find that little needs to change if you already have a robust cybersecurity and cyber resiliency strategy. For smaller organizations or departments with fewer resources, however, this might be a larger undertaking.
Our researchers and analysts stay up to date on new regulatory frameworks, and our solutions and available partnerships can help ensure companies are compliant with NIS2 with time to spare.
To learn more about how you can ready your organization for NIS2 Directive compliance, reach out to Bitdefender.