Answering the most common questions about the NIS2 directive
Find Answers To The Most Common NIS2 Questions
Below you can find a collection of industry-sourced answers to the most common NIS2-related questions.
The NIS Directive (NIS1, adopted in 2016) was the first EU-wide cybersecurity law, aimed at improving the resilience of network and information systems against cyber risks. However, the accelerated digitalisation brought on by the COVID-19 crisis expanded the threat landscape and called for new solutions.
The Commission identified deficiencies in the NIS Directive, including:
- insufficient cyber resilience of EU businesses
- inconsistent resilience across Member States and sectors
- lack of common understanding of threats
- lack of joint crisis response
In December 2020, the Commission proposed new rules to strengthen cyber resilience in the EU, which were adopted in November 2022.
The NIS2 directive builds on the three main pillars of the NIS1 directive:
- A national strategy on the security of network and information systems: each Member State must adopt a national cybersecurity strategy.
- Designated national CSIRTs and a competent national cybersecurity authority.
- A single point of contact (SPOC) to ensure cross-border cooperation.
The NIS2 directive also carries forward the NIS1 cooperation structures, the NIS Cooperation Group and the CSIRTs Network, which support strategic cooperation and the exchange of information among Member States. In addition, NIS2 expands the list of covered sectors and introduces a size threshold (the "size-cap" rule: medium-sized and large entities in those sectors are in scope by default) to determine which entities fall under the directive and must, among other obligations, report significant incidents to their national competent authorities.
The NIS2 Directive aims to address the deficiencies of the previous rules, matching them to the needs of the times and making them future proof. To this end:
- The NIS2 Directive expands cybersecurity rules to new digitalized and interconnected sectors.
- It eliminates the distinction between operators of essential services and digital service providers.
- The directive streamlines security and reporting requirements with a risk management approach and more precise incident reporting provisions.
- It addresses cybersecurity risks in supply chains and strengthens supply chain cybersecurity for key information and communication technologies at the European level.
- The directive enhances supervisory measures and cooperation between Member States, including harmonizing sanctions regimes and establishing a basic framework for coordinated vulnerability disclosure.
- It enhances operational cooperation within the CSIRTs Network and establishes the European cyber crisis liaison organisation network (EU-CyCLONe).
- NIS2 creates an EU vulnerability database, operated and maintained by the European Union Agency for Cybersecurity (ENISA).
The NIS2 directive covers entities from the following sectors:
- Energy (electricity, oil, gas, district heating and cooling, hydrogen)
- Transport (air, rail, water, road)
- Water supply (drinking water, wastewater)
- Digital infrastructure (telecom, DNS, TLD registries, cloud services, data centres, trust service providers)
- ICT service management (business-to-business managed service providers and managed security service providers)
- Finance (banking, financial market infrastructure)
- Health (healthcare providers, EU reference laboratories, pharmaceutical research and manufacturing, critical medical devices)
- Public administration
- Space
- Digital providers (online marketplaces, search engines, social networks)
- Postal and courier services
- Waste management
- Manufacturing (medical devices, electronics, machinery, transport equipment)
- Chemicals (production and distribution)
- Food (production, processing and distribution)
- Research
The NIS2 Directive places supervision and enforcement at the core of competent authorities' responsibilities and lays out a coherent framework for supervisory and enforcement activities across Member States.
To this end, it provides a minimum list of supervisory measures that competent authorities can use to strengthen their oversight of essential and important entities and ensure effective compliance. These measures include:
- regular and targeted audits
- on-site and off-site checks
- requests for information
- access to documents or evidence
On top of this, NIS2 differentiates the supervisory regimes for essential and important entities to keep obligations proportionate: essential entities are subject to proactive (ex ante) as well as reactive (ex post) supervision, whereas important entities are supervised reactively, when there is evidence or an indication of non-compliance.
NIS2 also introduces a consistent framework for sanctions across the Union to make enforcement effective. In addition, it sets out a minimum list of administrative sanctions for breaches of cybersecurity risk management and reporting obligations, including:
- Binding instructions.
- Order to implement the recommendations of a security audit.
- Order to bring security measures in line with NIS requirements.
- Administrative fines.
Furthermore, NIS2 distinguishes between essential and important entities when setting the ceiling for administrative fines; Member States must provide for fines with at least the following maximums:
- Essential entities: €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Important entities: €7,000,000 or 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Competent authorities should consider the specific circumstances of each case when exercising enforcement powers, including the nature and severity of the breach and any damage or loss incurred. The NIS2 Directive also holds the management bodies of covered entities, and natural persons in senior management positions, accountable for the cybersecurity risk management measures: management must approve and oversee them, follow cybersecurity training, and can be held liable for infringements.
The NIS2 Directive interacts with two other pieces of EU legislation: the Critical Entities Resilience (CER) Directive and the Digital Operational Resilience Act (DORA).
The NIS2 and CER Directives have been aligned to address the physical and cyber resilience of critical entities comprehensively. The critical entities identified under the CER Directive will also be subject to the cybersecurity obligations of the NIS2 Directive.
National competent authorities under both directives must cooperate and exchange information regularly on risks and incidents.
The NIS Cooperation Group will meet regularly with the Critical Entities Resilience Group. DORA governs the cybersecurity risk management and incident reporting obligations of the financial sector as sector-specific legislation, so for financial entities it takes precedence over the corresponding NIS2 provisions; it also allows financial supervisors to participate in the NIS Cooperation Group and to consult and share information with NIS2 SPOCs and CSIRTs.
The NIS2 Directive improves cyber crisis management by introducing clear responsibilities, appropriate planning, and increased EU cooperation.
NIS2 requires Member States to designate national authorities responsible for cyber crisis management, introduces national large-scale cybersecurity incident and crisis response plans, and establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises.
The EU-CyCLONe network is a key component of the EU cyber crisis management framework outlined by the Commission in its 2017 Blueprint recommendation, contributing to a coordinated response to large-scale incidents and crises.
NIS2 strengthens and streamlines cybersecurity requirements for covered entities by requiring all essential and important entities to address a core set of 10 minimum measures in their cybersecurity risk management policies:
- policies on risk analysis and information system security
- incident handling
- business continuity, including backup management, disaster recovery and crisis management
- supply chain security
- security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- policies and procedures to assess the effectiveness of the risk management measures
- basic cyber hygiene practices and cybersecurity training
- policies and procedures on the use of cryptography and, where appropriate, encryption
- human resources security, access control policies and asset management
- the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems
The NIS2 Directive also takes a multi-stage approach to incident reporting, which strikes a balance between swift reporting to limit the spread of incidents and in-depth reporting to draw lessons learned. Affected entities must submit an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification; the competent authority or CSIRT may request an intermediate report in between. Harmonised requirements and deadlines reduce the additional burden on companies operating in multiple Member States and ensure that all covered entities address the same core cybersecurity requirements.