What is NIS2?

If you’re an EU-based business or a UK organisation with clients or partners in Europe, you may need to comply with NIS2. But what is NIS2? How do you know if it applies to your business? And how do you go about complying with it?

According to research, many businesses are ‘unsure’ of the answers to these questions. So, to help your organisation avoid being one of them, here’s everything you need to know.

What is it?

NIS2 is the updated Network and Information Security Directive introduced by the European Union to strengthen cybersecurity across its member states. It builds on the original 2016 NIS Directive by expanding its scope to cover more sectors, including public administration, digital service providers (DSPs), space, and waste management.

NIS2 mandates stricter cybersecurity risk management, supply chain security, and incident reporting within 24 hours, and it holds company leadership accountable for cybersecurity measures. The directive also enhances cooperation between EU countries and introduces tougher penalties for non-compliance.

What is the goal of NIS2?

Barely a week goes by without news of an attack, or an attempted attack, on critical national infrastructure (CNI) and services. Indeed, few things are more likely to keep policymakers up at night. Think, for example, of the chaos caused by the Colonial Pipeline cyber attack in the US, or of the 2017 WannaCry attack’s impact on the NHS.

NIS2 is the European Union’s attempt to counter potentially devastating CNI attacks. It’s designed to improve resilience against a broad range of cybersecurity threats and develop a unified EU-wide approach to protect critical infrastructure and services.

What does NIS2 include?

NIS2 has a number of key focus areas, each of which contributes to an organisation’s cyber resilience in the face of attack. The areas are:

  • Incident handling
  • Supply chain risk
  • Policies on risk analysis and information security
  • Business continuity and crisis management
  • Security in systems acquisition, development, and maintenance
  • Policies to assess the effectiveness of measures
  • Basic cyber hygiene practices and training
  • Cryptography and encryption
  • Secure communications
  • Human resources security, asset management, and access control policies
  • Use of multi-factor authentication (MFA)

Is NIS2 mandatory?

For EU member states, yes. NIS2 is an EU directive, which means that member states were required to transpose it into their national laws by no later than 17 October 2024. However, even non-EU states like the UK are enacting similar legislation. For example, the UK’s Cyber Security and Resilience Bill, currently passing through parliament, is likely to be very similar in content to NIS2.

But what about businesses?

Well, the directive targets two types of organisation, or ‘entities’ to use the legalese. These are ‘Essential Entities’ and ‘Important Entities’, and they span a wide range of sectors. For example, energy, transport, banking, health, digital infrastructure, public administration, and space are all defined as ‘essential’. Meanwhile, manufacturing, food, postal services, and digital providers are all defined as ‘important’.

There’s also a question of size. NIS2 really only covers medium and large enterprises in the listed sectors. Micro and small enterprises (fewer than 50 staff and less than €10 million turnover) are generally exempt unless they operate in certain high-criticality areas.

What are the consequences of non-compliance with NIS2?

Unlike previous legislation, which was perhaps a little softer on non-compliance, NIS2 comes with pretty stringent penalties.

Financial

NIS2 comes with some real financial clout. Authorities can impose fines for non-compliance of up to €10,000,000 or 2% of global annual turnover for ‘essential entities’, and up to €7,000,000 or 1.4% of global annual turnover for ‘important entities’.

Administrative sanctions

NIS2 also gives national authorities the power to apply administrative sanctions such as mandatory audits, operational bans, and restrictions on the ability to provide services.

Personal liability for senior management

Perhaps most worryingly for business leaders, senior management may face personal liability for non-compliance. This could lead to disqualification from executive roles, civil lawsuits, and even criminal prosecution where major negligence is involved.

GDPR implications

We’ve yet to see this play out in the real world, but some legal professionals believe that non-compliance with NIS2 could also be considered a breach under GDPR. If so, further penalties and legal consequences could apply.

All in all, failing to comply with NIS2 is a big risk. EU legislators have learned lessons from previous, poorly adopted regulations and frameworks and, given the potential seriousness of CNI breaches, have clearly decided that the stick is more likely to motivate organisations.

How do you know if your business is in scope for NIS2?

Checking whether you need to comply with NIS2 is a relatively simple process. The following checklist should help you determine whether it applies to your organisation.

1. Identify your sector

Check if your organisation falls under any NIS2-defined essential or important sectors. For example, hospitals and utilities are essential, whereas digital services and certain manufacturers may be important.

2. Check the size thresholds

Confirm whether your organisation exceeds the micro and small size exemption. If you have more than 50 employees or a turnover greater than €10m, NIS2 likely applies (unless you are explicitly exempted by sector rules).

3. Review exceptions or special cases

Some organisations are in scope regardless of size, such as certain critical providers. Also, if a more specific sector law applies, it might override NIS2 for your case. For example, financial institutions may fall under the Digital Operational Resilience Act (DORA) instead of NIS2.

4. Check whether your non-EU business is in scope

It’s also important to note that if your business works with EU organisations, you’ll likely need to comply with NIS2 even if you’re based outside the union. For instance, many UK companies with EU clients, partners, or suppliers fall within its scope.

What does NIS2 mean for MSPs?

Quite a lot. NIS2 specifically refers to managed service providers (MSPs) as one of the entities:

“Providing services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration, carried out either on customers’ premises or remotely.”

Again, you’ll need to run through the industry, size, and location criteria to determine whether NIS2 applies to your organisation. However, most large EU MSPs are going to find themselves in scope, along with those in the UK that work across borders. If you’re unsure, we recommend reading this excellent summary of applicability.

An opportunity as well as an obligation

While many MSPs need to comply with NIS2, it isn’t just an obligation. It’s also an opportunity.

In the UK alone, a fifth of businesses are unsure whether NIS2 applies to them, and 10% of organisations that are in scope admit to non-compliance. Although compliance has generally been a little better across the EU, many businesses there remain confused too.

For MSPs who’ve been through their own journey to NIS2 compliance, this is a golden opportunity to offer clients a service. Much as they already do for Cyber Essentials and other frameworks, clients are going to look to MSPs to help them navigate NIS2 and maintain compliance. After all, who is better equipped to provide guidance than an MSP that has been through the process itself?

How can your organisation comply with NIS2?

If you’re unsure where to start with NIS2 compliance, remember that you’re not alone.

At CyberSmart, we offer a structured, scalable route to achieving and maintaining NIS2 compliance. We’ll help you identify any gaps through our auditing process, provide a compliance report with actionable recommendations, and support you in obtaining and maintaining NIS2 compliance.

Check out our NIS2 maturity pathway to find out more.