Member states must adopt the measures by 18 October 2024.

NIS 2 Directive: strengthening cyber security and resilience in the EU

What does the NIS 2 Directive do?

The NIS 2 Directive aims to enhance the security of network and information systems within the EU by requiring organisations to implement security measures proportional to the size of their businesses and report any incidents to the relevant authorities. It also aims to improve resilience and incident response capacities by setting a coherent framework for all supervisory and enforcement activities and regulating companies and governments on cyber and information security.

Leadership will bear NIS 2 risk management responsibility

Senior management, boards of directors, and C-suite executives will be responsible for ensuring cyber security measures are in place and functioning effectively in their organisations. To fulfil this responsibility, they must possess the knowledge and skills necessary to evaluate cyber security risks, challenge security plans, discuss activities, formulate opinions, and assess policies and solutions that safeguard their organisations’ assets. Failure to maintain proper risk oversight can result in significant liability for the company, its officers and directors.

Revolutionising your technical, operational and organisational measures

As the EU’s cybersecurity threat landscape continues to evolve, the NIS 2 Directive will strengthen its cybersecurity posture through C-suite accountability, comprehensive resilience measures, swift incident notification and collaborative vigilance. Through compliance, trust will be built among customers, partners and shareholders. All entities will be subject to the following:

Security and reporting

Security and reporting requirements should be proportionate to each incident’s risk, size, cost, impact and severity. Technical, operational and organisational measures such as disaster recovery, crisis management, system acquisition security, vulnerability handling and disclosure are baseline requirements. The NIS 2 Directive introduces strict timelines for notifying the National Cyber Security Centre (NCSC).

Manage supplier risk

Organisations must conduct internal and coordinated risk assessments to establish vulnerabilities specific to suppliers, service providers and their cyber security solutions and processes.

Vulnerability disclosure

The NIS 2 Directive establishes a basic framework for coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU. It also creates an EU vulnerability database for publicly known vulnerabilities in ICT products and services, which will be operated and maintained by the European Union Agency for Cybersecurity (ENISA).

Who is in scope?

The NIS 2 Directive redefines the classification of what type of organisations are in scope, taking into account factors such as number of employees, sector and criticality.

NIS 2 replaces the Operators of Essential Services (OES) and Digital Service Providers (DSP) classification with two new categories: essential entities and important entities. Besides these, in exceptional circumstances, small enterprises or microenterprises are included within the scope of the NIS 2 Directive if they meet either of the following criteria:

They are the exclusive provider of a service that is essential for maintaining critical societal or economic activities within a member state.
They offer domain name registration services.

Essential entities

NIS 2 emphasises the critical role of essential entities, which are identified as organisations that have either 250 employees or more than €50 million in revenue.

Energy

The energy sector is broad and diverse from a NIS 2 perspective. It includes organisations providing energy, heating/cooling, oil, gas and hydrogen. The Directive requires organisations within this sector to fortify the security and resilience of systems playing a vital role in the production, supply, distribution, storage and transmission of energy. Essential entities within the energy sector must consider the type of customers they provide services to and implement measures that are both appropriate and proportionate to the risks posed to their infrastructure.

These measures could range from targeted training for management and key stakeholders in cyber security and physical security to conducting annual cyber and risk assessments. Additionally, robust incident response and disaster recovery plans are crucial to mitigate the impacts of potential cyber incidents.

Transport

Under the NIS 2 Directive, organisations within the air, rail, water and road sectors fall under the transport sector. They must identify and safeguard their critical infrastructure, report incidents promptly and collaborate with relevant governing bodies. Major interruptions to the transport sector have historically caused a ripple effect throughout society. Organisations must therefore protect their real-time data and overall security in their supply chain. Substantial investments are necessary to enhance operational technology security and overall long-term resilience.

Technologies used to facilitate transportation must meet a required standard, and it is the entity’s responsibility to ensure that all vendors involved in the supply chain maintain the same level of security, or better, to reduce the risk of cyber-attacks. Regular cyber security resilience testing is also vital, fostering a culture of continuous improvement in protective measures.

Finance

The finance sector has a wide range of compliance requirements, and the NIS 2 Directive is no exception. To avoid duplicating the obligations of entities operating in these sectors, the Directive states that where an entity is subject to sector-specific obligations that are “at least equivalent in effect” to the substantive cyber security or incident notification obligations under the NIS 2 Directive, those NIS 2 obligations will not apply. The Digital Operational Resilience Act (DORA) is considered a sector-specific act for financial entities in relation to the NIS 2 Directive. Consequently, the DORA provisions related to ICT risk management, incidents, reporting, resilience testing and information-sharing shall apply in place of those outlined in the NIS 2 Directive. From a NIS 2 perspective, the entities in scope include banks, investment firms, insurance companies and other organisations within the financial market infrastructure.

Public administration

The public administration sector manages vast quantities of sensitive data, which must be safeguarded at all times. Recognised as providing essential services, entities within social services, public safety, economic regulation and political representation are actively targeted by cyber-attackers. Successful cyber-attacks could cause significant operational disruption or data breaches with far-reaching societal impacts. Robust cyber security measures are critical in protecting information assets and personal data.

There are varying degrees of cyber security awareness across the sector, and the directive therefore mandates organisations to invest heavily in cyber security training. Alongside training, regular risk assessments and reports for continuous improvements are critical. These steps are essential in fortifying the sector against the ever-evolving cyber threat landscape, ensuring the protection of information assets and personal data.

Health

Under the NIS 2 Directive, the health sector encompasses healthcare providers, research laboratories, pharmaceuticals and medical device manufacturing. The potential for cyber incidents in places like hospitals and health centres could have life-threatening consequences, underscoring the importance of safeguarding patient data and ensuring its availability. Recent cyber incidents targeting the healthcare sector have had far-reaching effects, including on vulnerable populations.

Essential entities must adopt measures to mitigate such disruptions and ensure the continuous provision of essential services. Such measures include regular enhancement and testing of cyber security systems, training staff in cyber security practices, developing comprehensive incident response and reporting plans, and securing patient data through appropriate storage and handling procedures.

Space

Recognised as a vital entity under the NIS 2 Directive, the space sector supports various industries, including telecommunications, navigation and national security. The sophistication of cyber-attacks in this sector, often orchestrated by nation-state criminals and advanced persistent threat groups, requires organisations to comply with the strictest requirements as set out by the Directive.

The complexity of the space sector is amplified by the physical barriers associated with the remote locations their systems operate in (i.e. space), as well as the reliance on legacy systems manufactured without cyber security in mind. Entities in this industry must focus on supply chain security and collaborate closely with regulatory bodies to identify and mitigate cyber security risks. This includes rigorous supplier due diligence, effective supply chain risk management and vigilant monitoring of third-party interactions to enhance overall security.

Water

Providing safe, clean drinking water to society and managing wastewater is critical to ensuring public health and reducing environmental damage. The Directive places significant importance on protecting infrastructure, including water treatment and distribution centres, which rely heavily on operational technology (OT) systems for processes such as chemical dosing and pressure regulation. Implementing the controls required by the NIS 2 Directive will mean that entities in the water supply sector will have to invest significantly in cyber security protective measures.

Today’s water treatment systems were developed long before cyber security was a concern, and their legacy systems are inadequate from a cyber security perspective. Affected organisations must establish risk management processes for OT systems, regular security updates for systems and platforms, and comprehensive cyber security training for employees. They will also need to collaborate across sectors to develop cohesive security strategies.

Digital infrastructure

Entities within the digital infrastructure sector include telecoms, domain name systems, top-level domains, data centres, trust services and cloud services. Our reliance on digital infrastructure makes entities in this sector vital to everyday life, as any disruption could impact both technology providers and their users. The fully digitised nature of this sector amplifies its vulnerability to cyber-attacks. The digital and physical environments need to be considered in tandem. The NIS 2 Directive recognises these needs, emphasising physical security, incident response, recovery plans and regulatory oversight to safeguard this critical sector.

Important entities

Important entities are identified as organisations that have either 50-249 employees or more than €10 million in revenue.

Post

In line with other industries, the postal sector increasingly relies on digital technology for its operations, making it highly vulnerable to cyber threats. This sector, encompassing postal and courier services, is specifically targeted by cyber threat actors through phishing scams and various forms of social engineering, especially during peak periods. Cyber security under the NIS 2 Directive is crucial for the postal sector due to its widespread societal use.

The sector’s main challenges include inadequate cyber awareness and external actors targeting information and assets in transit. Adhering to NIS 2 requires protective measures, such as enhanced data security, supply chain risk management, and collaboration among postal operators for better risk mitigation and intelligence sharing.

Waste management

The waste management sector is critical in maintaining environmental and public health. It faces a transformative era under the NIS 2 Directive. Cyber threats capable of disrupting essential services like waste collection, transportation, treatment and disposal pose risks to public health and the environment. The NIS 2 Directive steers the sector towards a strengthened digital posture. It integrates cyber security into every aspect of the waste management lifecycle, fostering an environment where awareness of cyber threats is paramount. The sector must now conduct thorough cyber risk assessments and develop effective mitigation strategies.

Chemical

The chemical sector, integral to various industries, is a focus of the NIS 2 Directive due to the potential widespread impact of cyber-attacks. It encompasses entities in pharma, dyes, agrochemicals, food industry chemicals, catalysts and more. Cyber-attacks, particularly on industrial control systems, could halt critical manufacturing processes. The Directive emphasises supply chain security, requiring organisations to assess and mitigate risks, maintain supply chain oversight and budget for compliance costs—including their own security infrastructure and that of their suppliers.

Research

The research sector is a bastion of sensitive and confidential information, making it an attractive target for cybercriminals. This sector includes organisations that work with pharmaceuticals, semiconductors and technology, where the value of the data involved heightens the stakes of cyber-attacks. Threats such as data breaches, insider espionage and various forms of cyber theft can occur given the potential for exploiting sensitive research data for financial, personal or state-sponsored enrichment.

The decentralised nature of the research sector can complicate the establishment of consistent cyber security policies and practices. Under the NIS 2 Directive, there is a pressing need to heighten cyber security awareness among employees, enabling them to recognise and respond to cyber threats more effectively. Research organisations must navigate and comply with multiple regulations to safeguard their data, including the General Data Protection Regulation (GDPR), the Artificial Intelligence Act and the NIS 2 Directive.

Food

The food sector includes animal food, grain and oilseed, sugar and confectionery, fruit and vegetables, speciality food and dairy. This sector has increasingly digitised its supply chain processes, expanding its vulnerability to cyber-attacks that could disrupt various operations, from farming to food processing, packaging, transportation and retail sales.

The Directive encourages better collaboration with EU member states to improve the food safety supply chain and use threat intelligence to understand and better prepare for industry-specific threats. Conducting risk assessments and managing information system security during acquisition, deployment, maintenance and decommission is critical in identifying vulnerabilities. This is further enhanced by ensuring that critical infrastructure is identified and cyber security standards are adhered to.

Manufacturing

The manufacturing sector, which includes organisations from small-scale production to large-scale industrial processes, faces significant risks due to the interconnectivity of digitised machines. The sector is susceptible to various cyber threats, including Internet of Things (IoT) attacks, equipment sabotage, ransomware and supply chain attacks. Emphasising supply chain security, the NIS 2 Directive urges manufacturers to focus on assessing and mitigating supply chain risks. This is crucial for maintaining stringent security controls and minimising vulnerabilities.

Organisations must implement comprehensive cyber security measures and regularly evaluate their security posture. Improving risk management is critical for the manufacturing sector and may require investment in new tools and processes to comply with the regulation and enhanced collaboration with IT providers.

Digital providers

The digital providers sector, a dynamic and ever-expanding field, encompasses various services, including search engines, online markets and social networks. Recognised by the NIS 2 Directive as critical entities for regulatory oversight, these organisations bridge the gap between innovation and cyber security.

This sector has revolutionised how businesses and individuals communicate, transact and access information. However, its inherent online connectivity also creates a playground for cybercriminal activities. In response to these challenges, the Directive stipulates stringent requirements for digital providers. They must report all significant security incidents and maintain detailed records of their security systems, enhancing accountability and transparency. Compliance with regulatory frameworks like the NIS 2 Directive and GDPR could, in specific cases, be accompanied by compliance with the Digital Services Act (DSA) and the Digital Markets Act (DMA). Given the global nature of their operations, including partnerships outside the EU, digital providers must also consider the implications of the NIS 2 Directive for their international business engagements.

Supervision

NIS 2 empowers supervisory authorities in EU member states with enforcement capabilities to regulate cybersecurity and information security across both private and government entities. The following supervisory measures are introduced for essential and important entities:

Essential: ex-ante and ex-post supervision, onsite inspections and offsite supervision, regular and targeted security audits, security scans and information requests, and ad hoc audits.

Important: ex-post supervision, onsite inspections and offsite ex-post supervision, targeted security audits, security scans and information requests.

Compliance deadline

The NIS 2 Directive entered into force on 16 January 2023. Member states must adopt and publish the measures necessary to comply by 17 October 2024, which will apply from 18 October 2024.

The National Cyber Security Centre (NCSC) is the competent authority in Ireland for ensuring compliance oversight and enforcing the national law.

Penalties

Administrative measures are in place that encourage entities to follow cybersecurity practices and protect their critical systems, which include:

binding instructions: if entities violate cybersecurity rules, they may receive specific instructions to rectify the situation;
security audit recommendations: entities might be required to implement recommendations from a security audit;
aligning with NIS requirements: orders can be issued to ensure that security measures comply with NIS requirements; and
administrative fines: for essential entities, the maximum fine is either €10 million or 2% of total worldwide annual turnover and for important entities, the maximum fine is either €7 million or 1.4% of total worldwide annual turnover.