Review of the NIS2 Directive: What Your Organization Needs to Know

The NIS2 directive is the most extensive European cybersecurity regulation to date. It introduces stricter risk management and incident reporting requirements, expands the scope to include more sectors and more organizations within them, and imposes tougher penalties for non-compliance. As a result, hundreds of thousands of organizations across the EU, along with non-EU companies that provide services in the EU, will need to re-evaluate their cybersecurity strategies. This blog is a vendor-agnostic review of NIS2 from our expert security consultants and will hopefully provide you with everything you need to know to ensure you're prepared and ready for the directive.

The key changes in NIS2

There are six key areas that organizations need to understand: the changes NIS2 introduces, and the steps needed to prepare for them. Don't think of the new directive as just a regulatory requirement. Preparing for NIS2 is a call to action to harden your security posture.

1. Broadening the scope and stricter requirements

NIS2 has significantly expanded its scope compared to the original NIS directive. While the original directive applied primarily to operators of essential services (OES) and digital service providers, NIS2 replaces those categories with "essential" and "important" entities and, as a rule, brings in all medium-sized and large organizations in a longer list of sectors, including manufacturing, waste management, postal and courier services, and many more.

NIS2 introduces more rigorous requirements for an organization's cybersecurity risk management, incident reporting, and supply chain security. Organizations are now required to adopt a more comprehensive approach to managing their cybersecurity risks and to integrate those risks into their overall enterprise risk management framework.

The directive emphasizes securing the supply chain, recognizing that third-party vendors and suppliers can be a significant source of risk. Organizations are required to manage those vendors and to ensure they also adhere to strong cybersecurity practices.

Incident reporting requirements have also come under the microscope, and stricter, staged deadlines are now being introduced: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within a month. The original directive only required reporting "without undue delay". Because the 24-hour clock starts when the organization becomes aware of the incident, organizations must have strong incident detection and response plans in place so that awareness, triage and notification happen quickly.

Lastly, if organizations fail to implement the required measures, they could face fines of up to €10 million or two per cent of global annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4 per cent for important entities).

2. Reviewing current coverage, assessing your current compliance state and identifying gaps

Once an organization confirms it is within the new scope of the NIS2 directive, it is imperative to compare its current security posture against the directive's requirements. This should involve thorough reviews of all existing policies and procedures, identifying gaps from those reviews, and forming a baseline from which to plan the steps required to close the gaps and reach full compliance.

3. Reviewing and improving risk management and effective governance

The NIS2 directive aims to change the way we view cybersecurity. Instead of treating cybersecurity as a siloed function owned by one team, NIS2 promotes integrating it into every business process and framework. This could mean reviewing policies that are not obviously linked to cybersecurity and applying the same mindset and methodology, so that good security practice extends across the whole business.

Good governance defines key roles, from the board through to the various operational teams, and is critical to enabling your organization's compliance with NIS2. NIS2 makes this explicit: management bodies must approve the cybersecurity risk management measures, oversee their implementation, receive training, and can be held liable for infringements.

The board should set cybersecurity direction for the organization, leaving senior managers to execute the strategy, and operational teams to manage it on a day-to-day basis with the tools and resources necessary to keep threats to an acceptable level. Effective cybersecurity relies on clear communication and accountability pathways to ensure that everyone in the organization understands what they’re responsible for. 

The supply chain is another critical area under the microscope for NIS2, and organizations must take steps to secure it. This involves implementing rigorous vendor risk management practices, including due diligence when selecting suppliers and regular monitoring of their cybersecurity practices. Organizations can reinforce this through contractual obligations and clauses that hold suppliers accountable for their own cybersecurity and require them to follow the relevant regulatory and best-practice requirements.

4. Incident detection, response and reporting

Under NIS2, organizations must issue an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report within a month. This tight clock, compared with the "without undue delay" wording of the original directive, means it is more important than ever to have the right tools in place to detect incidents as quickly as possible, and a triage process that can decide quickly whether an incident is significant and therefore reportable.

Now is the perfect time to review the effectiveness of your current incident response framework and plan. This includes assessing the tools currently in place to detect potential threats, the steps that must be taken to contain the damage if a breach occurs, and how the root causes of the breach will be identified, mitigated for the future, and reported.

Consider reviewing and implementing a security information and event management (SIEM) solution that can aggregate and analyse data from across your network effectively to detect potential threats. Additionally, threat intelligence services can provide valuable information about emerging threats, helping you stay one step ahead. 
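The following is an added example, not code from the original post or from any SIEM product, of the kind of detection logic a SIEM runs over aggregated logs, and of how the NIS2 reporting clock attaches to a detection. The sshd log lines are constructed for this example, and the rule thresholds (five failures within one minute) are hypothetical choices you would tune to your own environment.

```python
"""Detect SSH password brute-force from log lines and stamp the NIS2 reporting clock.

Added example: the sample log below is constructed, the thresholds are hypothetical,
and the deadlines follow NIS2 Article 23 (24h early warning, 72h notification).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog-style sshd lines (not taken from a real system).
SAMPLE_LOG = """\
2024-05-06T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-06T09:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-05-06T09:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-05-06T09:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-05-06T09:00:09 sshd[1201]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
2024-05-06T09:00:12 sshd[1201]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2
2024-05-06T09:05:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-06T09:05:30 sshd[1300]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)


def parse_events(log_text):
    """Normalise raw lines into (timestamp, result, user, ip); unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window rule per source IP.

    >= threshold failed logins inside `window` raises one 'bruteforce' alert for that IP;
    an accepted login from the same IP while the window is still hot is escalated to
    'bruteforce_success', which is the case an analyst must triage first.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    alerted = set()              # ips already alerted, to avoid duplicate alerts
    alerts = []
    for ts, result, user, ip in sorted(events):
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"rule": "bruteforce", "ip": ip,
                               "detected_at": ts, "failures": len(q)})
        elif result == "Accepted" and len(q) >= threshold:
            alerts.append({"rule": "bruteforce_success", "ip": ip, "user": user,
                           "detected_at": ts, "failures": len(q)})
    return alerts


def nis2_reporting_clock(aware_at):
    """Article 23 deadlines, counted from when the entity becomes aware of a
    significant incident. The final report is due one month after the incident
    notification is actually submitted, so it cannot be derived from this point."""
    return {
        "early_warning_due": aware_at + timedelta(hours=24),
        "incident_notification_due": aware_at + timedelta(hours=72),
    }


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        # The rule firing is not the same as "becoming aware"; in practice the
        # clock starts when triage confirms a significant incident.
        clock = nis2_reporting_clock(alert["detected_at"])
        print(alert["rule"], alert["ip"], alert["detected_at"].isoformat(),
              "early warning due", clock["early_warning_due"].isoformat())
```

On the constructed input the rule fires once for 203.0.113.7 (five failures in nine seconds) and then escalates when the same address logs in as "deploy" three seconds later; the single failure from 198.51.100.4 never reaches the threshold. The point for NIS2 is the gap between the detection timestamp and the 24-hour deadline: that is the time your triage process has to decide whether the event is a significant incident and to get the early warning out.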

5. Update and implement technical controls

Regularly review access management and ensure only those with a legitimate need can access sensitive networks and data. Role-based access control (RBAC) is an effective tool for defining permissions and limiting each role to the minimum access it needs. NIS2 also lists the baseline measures it expects, including access control policies, multi-factor authentication, cryptography and encryption, asset management, backup and business continuity, and basic cyber hygiene and training, so check each of these against what you have in place.

Regular audits and vulnerability assessments are also key and contribute heavily to compliance with the NIS2 directive. These can be done internally or with the help of external assessors specializing in compliance audits, who can provide a fresh perspective and feedback on the current environment and the practices in place.

6. Maintaining compliance, continual improvement and looking to the future

Cybersecurity is a dynamic field, and threats will continue to evolve. To maintain NIS2 compliance, organizations must implement ongoing monitoring of their cybersecurity practices through continuously tracking network activity, regularly reviewing security controls, and staying informed about the latest threats and vulnerabilities.  

It is imperative to perform regular reviews and audits to highlight areas for improvement so your organization remains ahead of the curve and compliant.

Lastly, always be ready for change. You can remain up to date with revisions, national transposition and further requirements in the future by staying in contact with your competent authorities and sector bodies.

Conclusion

The NIS2 directive represents a significant step forward for cybersecurity across the EU, while also introducing new obligations that organizations must meet.

NIS2 compliance is not only about avoiding fines. It is a framework that helps organizations remain resilient, secure and able to withstand the challenges of the modern cybersecurity landscape. Start preparing now. 

To find out how Snare can help your organization with NIS2 compliance, read our blog: How Snare Can Support Your NIS2 Compliance