The NIS2 Directive marks a pivotal step toward a more secure digital future across the EU. It requires businesses to enhance the resilience of their IT infrastructure to withstand growing cybersecurity threats. Since January 16, 2023, the directive has been in effect across the EU. However, it must be transposed into national laws by each member state before NIS2 becomes practically enforceable. Most countries haven’t met the October 17, 2024, deadline for this process, and the progress of NIS2 implementation varies significantly among EU member states. Nonetheless, for businesses, NIS2 requirements are already, or will soon become, legally binding, making it essential to prepare thoroughly to avoid fines and other consequences of non-compliance.
In this blog post, explore what NIS2 means for businesses: which requirements must be met, which companies are affected, and what measures are necessary to ensure compliance.
Background of NIS2
Cyberattacks cause significant damage globally, with an estimated cost of €5.5 trillion in 2021 alone. While NIS2 won’t prevent all attacks, it sets minimum security requirements across the EU to enhance resilience, mitigate risks, and reduce the impact of cybersecurity threats. National laws may go beyond these requirements but may not weaken them.
In Germany, a staggering 71% of companies have yet to implement the measures necessary for NIS2 compliance, and similarly alarming figures are expected across other EU countries. The urgency to act cannot be overstated: failure to comply risks substantial fines, reputational damage and personal liability of management. NIS2 requirements are complex and demand extensive security measures, which can take up to 18 months to fully implement. Companies that have not yet begun must act immediately to avoid falling behind and facing severe consequences.
Which Companies Are Covered by the NIS2 Directive?
The NIS2 Directive significantly broadens its scope compared to its predecessor, NIS1, by targeting a wider range of sectors based on their level of digitalization, interconnectedness, and importance to the economy and society. Similar to the DORA Regulation, NIS2 follows the principle of proportionality, tailoring requirements to industry, size, and risk. The directive applies to companies classified as “essential” or “important” entities. This classification is based on factors such as sector, number of employees, and annual turnover.
The companies affected operate in sectors of high criticality, including energy (covering both IT and operational technology, OT, environments), transport, banking and financial market infrastructure, healthcare, drinking and waste water, digital infrastructure, public administration, and space. For “important entities,” the scope extends to additional sectors, including postal and courier services, waste management, production, manufacturing and trade of chemical substances, food production, manufacturing industries (e.g., medical devices or automobiles), digital service providers, and research.

Companies operating in these sectors and meeting the following criteria fall under the scope of NIS2:
- Essential Entities: Companies in critical sectors with at least 250 employees or an annual turnover exceeding €50 million. This includes operators of critical infrastructure and providers of digital infrastructure. Telecommunications providers are subject to the directive if they have at least 50 employees or an annual turnover exceeding €10 million.
- Important Entities: Companies in critical sectors with at least 50 employees or an annual turnover exceeding €10 million, as well as all telecommunications providers not already classified as essential entities.
Does your company fall into these categories? If so, you will be required to comply with the NIS2 Directive as soon as the corresponding national legislation comes into effect!
Are International Companies Affected by NIS2?
Companies from non-EU countries can also be indirectly affected by NIS2. If a business has significant operations or strong connections to an EU member state, it is highly likely that it will need to comply with NIS2 requirements. This is particularly relevant for companies in Switzerland or the United Kingdom, where the applicability of NIS2 depends largely on their market presence and ties to the EU. Since the specific impact on businesses outside the EU is determined by national laws, seeking legal advice is crucial to assess individual cases and mitigate potential risks.
When Does NIS2 Take Effect?
The status of NIS2 implementation varies significantly across the EU. In countries that have transposed the directive on time, such as Italy or Croatia, the national law took effect on October 18, 2024. Businesses in these countries must demonstrate compliance with NIS2 requirements as soon as they are registered as “essential” or “important” entities. Moreover, relevant authorities may proactively register “essential” and “important” companies themselves.
However, the majority of EU member states missed the October 17, 2024, deadline to transpose the NIS2 Directive into national legislation and are still working on their national implementations. This creates a legal gray area: There is no official transition period for meeting NIS2 requirements, and provisions of a directive that are clear and precise can have direct effect against state bodies, but a directive cannot by itself impose obligations on private companies. In practice, NIS2 therefore only becomes enforceable for businesses once it is enacted into national law and the required registration process is completed.
It is crucial to stay informed about the implementation progress in your country by consulting the relevant authorities. Once NIS2 is enacted as national law, compliance with its requirements will become mandatory within a very short timeframe!
Why Act Now?
Authorities responsible for NIS2 compliance may carry out unannounced tests and inspections to verify that companies adhere to the NIS2 Directive. Delaying action could expose businesses to significant risks:
- Time Pressure and Delays: Companies that start implementing NIS2 too late may struggle to fully develop their IAM strategies and meet the requirements in time. This leaves them vulnerable to hefty fines, reputational damage, and other serious consequences.
- Underestimated Classification: Smaller businesses can also be classified as “essential” or “important” entities. These companies often lack sufficient resources or funding to implement the required measures. Additionally, authorities can intervene and enforce compliance measures, significantly limiting the flexibility of these organizations.
- Rising Cyber Threats: The risk of cyberattacks is higher than ever. Companies that fail to achieve NIS2 compliance not only face penalties but also expose themselves to much greater security risks due to inadequate protection.
Penalties for Non-Compliance
The consequences of non-compliance with the NIS2 Directive can be severe. In addition to substantial fines, additional penalties may be imposed, particularly in cases of data protection violations, which can significantly increase overall costs. In some instances, personal liability of management may also apply, especially if it can be proven that insufficient investments were made in a strategy to address the requirements.
Fines for minor violations start at €100,000 under national implementations and, depending on the severity, rise to the maximums set by the directive: up to €10 million or 2% of global annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% of global annual turnover for important entities, if the requirements are not correctly or fully implemented. Furthermore, civil liability consequences may arise. Companies should be aware of these risks and take early action to minimize them.
What Are the Requirements for NIS2 Compliance?
A well-structured Identity and Access Management (IAM) strategy provides an effective approach to fulfilling NIS2 requirements. Most of the directive’s obligations can be addressed through an IAM solution, covering critical areas such as risk management, incident response, and compliance. At the same time, IAM enhances the overall security architecture of a company. Here’s an overview of the key areas to focus on for NIS2 compliance:

- Cybersecurity Risk Management: Review and adapt your risk management processes and frameworks to detect and mitigate threats early.
- Incident Response, Reporting, and Recovery: Develop an effective strategy for threat detection and mitigation, including the integration of Identity Threat Detection and Response (ITDR) and Security Information and Event Management (SIEM) systems.
- Business Continuity and Crisis Management: Ensure your crisis management strategy is robust, enabling your organization to remain operational and respond quickly during security incidents.
- Supply Chain Security: Assess the security posture of your direct suppliers and service providers (e.g., through ISO 27001 certification or equivalent evidence), contractually fix security requirements, and establish clear Service Level Agreements (SLAs).
- Security in Network and Information Systems: Regularly assess the security of your critical IT systems and address potential vulnerabilities.
- Access Controls, Policies, and Procedures: Implement Multi-Factor Authentication (MFA) and adopt a Zero Trust approach to prevent unauthorized access.
- Advanced Monitoring and Reporting: Set up real-time monitoring systems and use automated reporting to quickly detect and respond to security incidents.
- Compliance and Audits: Conduct regular audits, document your security measures, and ensure alignment with regulatory requirements.
- Cyber Hygiene: Train your employees on cybersecurity and best practices for IT systems to minimize human error.
What Additional Requirements Does NIS2 Introduce?
Reporting and auditing play a central role in achieving compliance with the NIS2 Directive. These requirements are critical to meeting regulatory standards and ensuring accountability.
Reporting
Reporting is one of the most significant new obligations introduced by NIS2, imposing strict reporting requirements on companies. Any incident with a significant impact on the provision of services must be reported promptly, even if it was detected before the attacker reached their goal; incidents below that threshold and near misses may be reported voluntarily. Companies must adhere to the following deadlines:
- Within 24 hours: Submit an early warning upon becoming aware of the incident.
- Within 72 hours: Provide a detailed report describing the severity, scope, and impact of the incident.
- Within 1 month of the 72-hour notification: Deliver a final report outlining the incident, its causes, mitigation measures taken, and any potential cross-border effects. If the incident is still ongoing at that point, a progress report is due instead, followed by the final report within one month of handling the incident.

In addition, authorities have the right to conduct random inspections, even in the absence of reported incidents. In some cases, companies may be required to notify their customers directly about security incidents. While this transparency obligation ensures accountability, it also poses reputational risks, as public disclosure of incidents can impact a company’s image.
Auditing
The NIS2 Directive provides for audits and inspections to verify compliance, with the intensity of supervision depending on the entity’s classification:
- Essential entities are subject to proactive (ex-ante) supervision, which includes regular and targeted audits as well as on-site inspections. Under national implementations such as the German draft law, operators of critical infrastructure additionally have to demonstrate compliance through mandatory audits every three years and submit the results to the relevant authority.
- Important entities are subject to reactive (ex-post) supervision only: they are not required to submit audit results, but authorities can order audits and inspections when there is evidence of non-compliance.
Regardless of whether an audit is mandatory or conducted randomly, all affected companies must maintain comprehensive documentation of their NIS2 measures. This documentation serves as the foundation for audits and inspections, allowing businesses to quickly and transparently prove that they meet the requirements.
Achieving NIS2-Compliance with iC Consult
A sophisticated IAM strategy is the foundation for meeting NIS2 requirements effectively. It not only safeguards critical systems and data but also enhances overall security. Now is the perfect time to rethink your security strategies and invest in sustainable solutions.
iC Consult is here to support you every step of the way. Our experts closely monitor the regulations and requirements surrounding NIS2 and DORA and provide comprehensive guidance to help your organization achieve compliance successfully.
We offer a specially designed 3-day workshop package to help you evaluate the legal requirements of NIS2 and DORA. A combined solution of Privileged Access Management (PAM) and Identity Governance and Administration (IGA) covers the majority of NIS2 requirements. With an integrated strategy, you lay the foundation for effective and sustainable compliance.
The workshop includes:
- Analysis of regulatory requirements and their impact on your IAM landscape.
- Identification of security gaps through a detailed assessment of the current state of your PAM and IGA systems.
- Tailored recommendations for achieving compliance with NIS2 (and DORA), including solutions to address identified gaps.
- Answering specific questions to refine the analysis results in collaboration with your team.
At the end of the workshop, you’ll receive a clear mitigation plan and a compliance roadmap to guide you toward NIS2 compliance effectively. Contact us today, and together we’ll ensure your organization successfully complies with NIS2!