This page outlines the EU's Network and Information Systems Directive, Directive (EU) 2022/2555, commonly known as NIS2, and explains how ISO/IEC 27001 (the standard for information security management systems, or ISMS) can address some of its requirements and smooth the compliance journey.
What is NIS2?
NIS2 is the EU's principal horizontal cybersecurity legislation and substantially reshapes the Union's security landscape. It entered into force on January 16, 2023 and replaces Directive (EU) 2016/1148, known as NIS.
The EU wants organizations and national governments to treat cybersecurity as a matter of national security. NIS2 enforces a common baseline of cybersecurity measures across in-scope organizations (referred to as entities), sectors and member states, and is intended to improve the EU's overall cyber readiness.
NIS2 replaces and expands on NIS, both in the entities it covers and in the requirements it imposes on them. It breaks with earlier EU-wide cybersecurity rules by making management bodies personally accountable, by setting specific minimum measures for covered entities, and by requiring far closer coordination between national governments.
Member states had to transpose it into national law by October 17, 2024. The national laws bring many more entities into scope and introduce stronger penalties for noncompliance.
Why was NIS2 created?
Although NIS was a crucial evolution in cybersecurity regulation, much has changed, including the number and variety of cyberattacks.
In 2016, cybersecurity was still largely treated as a problem for individual organizations. Modern cybercrime can threaten entire industries and the stability of the digital economy. The public sector, governments and critical national infrastructure (CNI) are particularly exposed, and escalating geopolitical hostilities have increased the likelihood of CNI being targeted, with the potential for large-scale incidents. Protecting these systems is hard, especially with tight budgets and a shortage of technical skills.
To keep pace, NIS2 imposes more demanding cyber resilience requirements and widens coverage from the 7 sectors of NIS to 18 (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II), including a range of digital infrastructure providers. In-scope organizations must implement more rigorous risk management and technical controls across their systems and improve their incident handling. One of the toughest challenges is supply chain security, widely regarded as a major weak point.
What does NIS2 contain?
NIS2 includes:
- Establishing the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) to coordinate the management of large-scale incidents and crises
- Greater harmonization of security measures and incident reporting requirements across member states
- Requiring national cybersecurity strategies to cover new areas, such as supply chain security, vulnerability management and disclosure, the security of the core internet, and cyber hygiene
- Novel mechanisms such as peer reviews between member states to improve collaboration and knowledge sharing
- Broader coverage of the economy and society by bringing more sectors into scope
Like its predecessor, NIS2 is broad and requires each EU member state to transpose it into national law. Unlike NIS, however, it spells out the required measures in much more specific, operational terms, leaving member states less latitude in how they are implemented. For certain digital service providers (such as DNS, cloud, data centre, content delivery network and managed service providers), the technical and methodological details of the required measures are specified separately by Commission implementing acts.
Who does NIS2 apply to?
NIS had two main categories of covered entities, operators of essential services (OESs) and digital service providers (DSPs), with OESs subject to the stricter regime. NIS gave member states criteria for identifying both. Its Annex II listed the sectors whose operators could be designated as OESs:
- Electricity, oil and gas companies
- Air, rail and road transport
- Healthcare
- Banking
- Financial markets
- Drinking water supply and distribution
- Digital infrastructure
NIS2 significantly extends this list and replaces the OES/DSP split with two categories, Essential Entities and Important Entities, distinguished mainly by sector and organization size. It adds waste water, ICT service management (managed service providers and managed security service providers), public administration and space to the sectors of high criticality, and introduces seven "other critical sectors" in Annex II, whose entities are generally classified as Important Entities:
- Waste management
- Manufacturing (for example of medical devices, electronics, machinery and vehicles)
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Postal and courier services
- Digital providers (online marketplaces, online search engines and social networking platforms)
- Research organizations
Organizations outside the EU, or not themselves in scope, may also be affected: suppliers to covered entities will face contractual security requirements flowing down from their customers' supply chain obligations, so their compliance may become necessary in practice.
What must an entity do?
An entity must:
- Assess whether and how the directive applies to its organization and systems
- Implement the cybersecurity risk-management measures listed in Article 21(2), which cover risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, secure acquisition and development (including vulnerability handling and disclosure), effectiveness assessment, cyber hygiene and training, cryptography, human resources security and access control, and multi-factor authentication and secured communications
- Report significant incidents to its national Computer Security Incident Response Team (CSIRT) or competent authority
- Consider how its own security posture affects the organizations it interacts with
- Continuously review and improve its security procedures
NIS2 takes a different approach to cybersecurity, replacing the "best we can do" attitude of the past with a defined minimum. Cyber threats are treated as a matter of national security. Entities must carry out cyber resilience risk assessments and analyze their ability to keep operating during high-risk situations.
How does NIS2 concern supply chain risk management?
Supply chain risk management is a crucial part of NIS2. The directive goes further than most earlier cybersecurity regulation by requiring entities to address the security of their relationships with direct suppliers and service providers, taking into account the vulnerabilities specific to each supplier and the overall quality of their products and cybersecurity practices, including their secure development procedures.
In-scope entities are also expected to consider the risks they pass on to their own customers and partners downstream, although the directive does not require them to identify specific weaknesses in those organizations.
How does NIS2 impact EU member states?
NIS2 aims to ensure that member states improve their national cybersecurity levels. It has several requirements for member states focused on creating a more collective defense.
What is the penalty for noncompliance?
The directive requires member states to provide for administrative fines for noncompliance, with the following maximums:
- For Essential Entities: at least EUR 10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher
- For Important Entities: at least EUR 7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher
How does NIS2 incorporate corporate management liability?
Corporate management liability is a key feature of the directive. Management bodies must approve the entity's cybersecurity risk-management measures, oversee their implementation and attend cybersecurity training, and they can be held liable for infringements. The aim is to ensure that the CEO, board of directors and top management are directly involved in their entity's cyber risk management rather than delegating it entirely.
What are NIS2’s incident reporting requirements?
NIS2 extends incident reporting to a multi-stage process for significant incidents. Entities must submit an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours (including an initial assessment of severity and impact and any indicators of compromise), and a final report no later than one month after the notification.
Are there mandates for CSIRT teams?
National CSIRTs are pivotal to NIS2. They act as the central point for covered entities' incident reports and provide guidance and support to entities that report an incident.
What is the EU vulnerability database?
Because NIS2 aims to improve both organizations' cybersecurity and the EU's overall cyber readiness, it directs ENISA to establish and maintain a European vulnerability database, so that vulnerability information about ICT products and services can be shared across national governments and with affected organizations.
Can ISO/IEC 27001 help with NIS2?
NIS2 compliance will not be easy, but ISO/IEC 27001 can help entities meet the requirements. An entity that already holds ISO/IEC 27001 certification has a head start: a functioning ISMS already covers much of what Article 21 asks for, such as risk assessment, incident management, business continuity, supplier relationships and access control, although certification alone does not demonstrate NIS2 compliance and the entity must still map its controls to the directive's specific measures and reporting obligations.
Obtaining certification can smooth the transition, but an organization first needs a maturity assessment to establish its current position. It must then implement an ISMS. This is one of the standard's key strengths, because it provides a structured framework for building and operating an ISMS. Both NIS2 and ISO/IEC 27001 also emphasize management-led governance.
ISO/IEC 27001 also lets an organization that is not directly subject to NIS2 prepare for future requirements and for the expectations of customers and partners. The standard is recognized internationally, so it improves the parts of an organization that have nothing to do with the EU as well.
Compliance takes time, so obtaining or strengthening your ISO/IEC 27001 position early is important, and we always suggest preparing for forthcoming regulation sooner rather than later. Finally, because NIS2 expects cybersecurity to keep evolving, an organization must regularly review its procedures and policies to ensure they remain relevant.
How can SGS help?
With decades of information security, cybersecurity and privacy protection experience, we have a vast certification and training portfolio, including ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 42001 and Europrivacy.
Our global network of experts is ready to help you adopt a robust cybersecurity initiative that demonstrates proactive compliance with NIS2.
Ready to navigate or enhance your NIS2 journey? Contact us for more information.
About SGS
We are SGS – the world's leading testing, inspection and certification company. We are recognized as the global benchmark for sustainability, quality and integrity. Our 99,600 employees operate a network of 2,600 offices and laboratories, working together to enable a better, safer and more interconnected world.