By the International Cyber Threat Task Force (ICTTF), 11 November 2024
What is NIS2 and why should you care?
The Network and Information Security (NIS) Directive was introduced in 2016 to bolster the cybersecurity frameworks of critical sectors across the EU.
However, as cyber threats evolved and the digital landscape became more complex, the need for an updated and more robust directive became clear. Enter NIS2 (Directive (EU) 2022/2555), the updated version of the directive, which member states had to transpose into national law by 17 October 2024 and which applies from 18 October 2024.
This update broadens the scope, bringing more sectors and entities into the fold and mandating stricter cybersecurity requirements.
Why is NIS2 important?
Cyber threats are more pervasive than ever, targeting not only IT systems but the very heart of critical operations and infrastructures. The NIS2 Directive aims to provide a unified approach to cybersecurity, ensuring that essential services and digital infrastructures remain resilient.
For business leaders, NIS2 compliance is not just an IT issue; it is a strategic imperative. The directive places legal obligations on organisations, and failure to comply can result in severe financial penalties, reputational damage, and personal liability for members of the management body.
Who is in scope?
NIS2 dramatically expands the list of sectors that fall under its remit. These sectors are split into two categories [1]:
- Sectors of High Criticality (Annex 1): These include Energy, Transport, Health, Banking, Financial Market Infrastructure, Digital Infrastructure, and Public Administration, among others.
- Other Critical Sectors (Annex 2): Covering areas such as Postal and Courier Services, Digital Providers, Manufacturing, Waste Management, and Research.
Under NIS2, entities are classified as either essential or important, depending on both their sector and their size. Size follows the EU SME definition: large entities have at least 250 employees, or more than €50 million in annual turnover and more than €43 million in balance sheet total; medium entities have 50–249 employees, or more than €10 million in annual turnover or balance sheet total. Large entities in Annex 1 sectors are generally essential entities; medium entities in Annex 1 sectors and in-scope entities in Annex 2 sectors are generally important entities.
Small and micro entities are largely excluded, though there are exceptions, for example within digital infrastructure (such as DNS service providers and top-level domain name registries) and public administration.
At the ICTTF, we have produced overviews of how NIS2 applies to sub-sectors within both Annex 1, Sectors of High Criticality [2] and Annex 2, Other Critical Sectors [3], depending on the entity size.
What are the penalties for non-compliance?
The consequences of non-compliance are severe and wide-ranging:
- Financial penalties: For essential entities, fines can reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
- Management liability: The directive requires management bodies to approve and oversee the organisation's cybersecurity risk-management measures and allows member states to hold them personally liable for breaches. For essential entities, authorities may also temporarily prohibit individuals with management responsibilities from exercising those functions.
- Reputational damage: Failure to meet NIS2 obligations could lead to public sanctions, severely damaging your organisation’s reputation.
How to achieve compliance
Compliance with NIS2 requires more than just an IT upgrade. It demands a comprehensive, top-down approach where senior leadership takes responsibility for embedding cybersecurity into the organisation's governance and risk management framework.
Here’s how to start:
- Risk management: Conduct regular cybersecurity risk assessments and implement robust mitigation strategies.
- Incident reporting: Significant incidents must be reported to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month.
- Supply chain security: Ensure that third-party suppliers meet the cybersecurity standards set by NIS2.
- Cybersecurity training: Equip all levels of staff, from executives to technical teams, with the knowledge and skills needed to stay compliant.
Ready to take the next step?
Navigating the complexities of NIS2 compliance can seem daunting, but it doesn't have to be. The Certified NIS2 Professional (CN2P) training course is designed to equip professionals with a comprehensive understanding of the NIS2 Directive and the practical skills needed to implement it within organisations.
Covering crucial topics like risk management, supply chain security, incident response, and cybersecurity governance, this course ensures participants are fully prepared to meet NIS2 requirements and foster a robust cybersecurity posture.
Whether you're in senior management or directly involved in IT security, this course provides the tools and knowledge necessary to effectively handle NIS2 compliance and strengthen your organisation's cybersecurity.
Don’t wait – become a Certified NIS2 Professional (CN2P) and ensure your organisation is ready.
Learn more and enrol on the Certified NIS2 Professional [CN2P] course