Introduction:
The Network and Information Systems Directive 2 (NIS2, formally Directive (EU) 2022/2555) is a directive adopted by the European Union (EU) to raise the common level of cybersecurity across member states. It supersedes the earlier NIS Directive (NIS1, Directive (EU) 2016/1148) and extends its scope to a broader range of sectors, including energy, transport, banking, healthcare and digital services. This white paper offers an overview of NIS2, its compliance requirements, and the consequences of non-compliance.
I. Sectors Affected by NIS2:
NIS2 categorizes in-scope organizations into essential entities and important entities, each with different supervisory regimes and penalty ceilings (essential entities face proactive supervision and higher fines; important entities are supervised reactively, after the fact). The sectors covered include energy, transport, banking, healthcare, digital infrastructure, digital services, space, postal and courier services, waste management, chemicals, food, and manufacturing, among others[1][2][3].
II. NIS2 Compliance Controls:
The cited vendor guidance organizes NIS2 compliance work into four objectives: Governance Structure, Built-in Cyber Control Framework, Complete Security Policy Library, and Compliance and Evidence Tracking. Note that this grouping is the vendors' framing rather than the directive's own; the directive itself (Article 21) sets a minimum baseline of risk-management measures, including incident handling, business continuity and backup, supply chain security, secure development and vulnerability handling, cryptography, access control and asset management, and multi-factor authentication. Other focus areas highlighted in the guidance include governance, incident detection and response, and securing and testing perimeters and assets[4][5][6].
III. Guidance on NIS2:
Various national and EU-level bodies provide guidance on NIS2 compliance. ENISA, for example, supports implementation by assisting member states, identifying good practices, and publishing a biennial report on the state of cybersecurity in the EU, as the directive requires. Similarly, the German BSI supports companies through its Mobile Incident Response Teams (MIRTs), and Germany's NIS2 transposition law expands the BSI's supervisory and enforcement powers[7][8].
IV. Penalties for Non-Compliance:
Non-compliance with NIS2 can result in substantial penalties. The directive requires member states to set maximum administrative fines of at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% of worldwide annual turnover for important entities. Beyond fines, supervisory authorities can issue binding instructions and orders to cease non-compliant conduct, require public disclosure of the infringement, and, for essential entities, temporarily suspend certifications or authorisations and temporarily bar the CEO or legal representative from exercising managerial functions. Management bodies can be held personally liable for failures to approve and oversee the required measures, and the reputational and legal fallout of a published infringement or of a poorly handled incident is itself a significant cost[9][10][11].
V. Preparing for NIS2 Compliance:
Organizations are advised to adopt a formal cybersecurity framework, engage legal and cybersecurity experts, and liaise with the relevant national competent authority to ensure full compliance with NIS2. The UK National Cyber Security Centre's Cyber Assessment Framework (CAF), developed for the UK's NIS Regulations, is a useful source of detailed, outcome-based controls that can be mapped onto NIS2's risk-management requirements[12].
Conclusion:
NIS2 is a comprehensive directive aimed at enhancing cybersecurity across the EU. Its wider scope, management-level accountability and stricter penalties underscore the importance of compliance for organizations operating within the EU. By implementing the required risk-management measures and engaging with the relevant authorities, organizations can reduce cybersecurity risk and contribute to a safer digital environment within the EU.
References:
[1] Sector Coverage by NIS2, EDPB, [source](https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-letter-ec-regarding-review-nis-directive_en).
[2] NIS2 Affected Sectors, Inside Privacy, [source](https://www.insideprivacy.com/international/european-union/eu-cybersecurity-the-commission-proposes-a-revised-nis-directive/).
[3] Directive on Security of Network and Information Systems (NIS Directive), European Commission, [source](https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive).
[4] NIS2 Directive: Step-by-Step Guide to Compliance, Yogosha, [source](https://yogosha.com/nis2-directive-step-by-step-guide-to-compliance/).
[5] Compliance with NIS 2 Directive Cyber Security, Information Shield, [source](https://www.informationshield.com/nis-2-compliance/).
[6] NIS2 Directive Compliance, Ivanti, [source](https://www.ivanti.com/blog/nis2-directive-compliance).
[7] NIS Directive, ENISA, [source](https://www.enisa.europa.eu/topics/nis-directive).
[8] NIS Directive Implementation in Germany, German Federal Office for Information Security (BSI), [source](https://www.bsi.bund.de/EN/Topics/Law-Regulations/NISDirective/nisDirective_node.html).
[9] How to Prepare for the NIS2 Directive, EY, [source](https://www.ey.com/en_gl/cybersecurity/how-to-prepare-for-the-nis2-directive).
[10] NIS2 Compliance: What You Need to Know, CyberTalk, [source](https://www.cybertalk.org/2021/06/03/nis2-compliance-what-you-need-to-know/).
[11] NIS2 Compliance, EY, [source](https://www.ey.com/en_gl/cybersecurity/how-to-prepare-for-the-nis2-directive).