Comprehensive Checklist for NIS2 Compliance Preparation

Roman Kolodiy
Director of Cloud and Cybersecurity, AWS Expert, big fan of SRE. Helps teams to improve system reliability, optimise testing efforts, speed up release cycles & build confidence in product quality.

NIS2 compliance is mandatory for in-scope organizations operating in the EU. By understanding the requirements, implementing the prescribed risk-management measures, and seeking expert guidance where needed, you can bring your organization's cybersecurity posture up to the level the directive demands.

The second EU Network and Information Security Directive (NIS2, Directive (EU) 2022/2555) is a revised and extended version of the original EU cybersecurity directive (NIS1, Directive (EU) 2016/1148), which was adopted in 2016. Its main aim is to establish a high common level of cybersecurity across the EU for operators of essential services and for digital service providers.

Because NIS2 is a directive rather than a regulation, it does not apply directly to companies; each EU Member State must transpose it into national law. The wording of NIS2 therefore obliges 'Member States' to take specific measures, and it is the national legislation that in turn obliges essential and important entities to meet the stated requirements.


In this article, we answer the questions: What is NIS2 compliance, and who needs to pay attention to it? We also walk through the fines and penalties for non-compliance and provide a NIS2 compliance checklist.

From NIS1 to NIS2

NIS2 builds on the foundation laid by NIS1. Whereas NIS1 set out initial cybersecurity requirements and left it to each Member State to identify the operators covered, NIS2 significantly extends those requirements. It broadens the scope to new sectors, applies a uniform size-based rule for which organizations are covered, and tightens both the security measures and the reporting obligations.

Changes and enhancements

  • Broader scope. NIS2 adds sectors such as public administration, space, waste water, ICT service management, postal and courier services, chemicals, food, manufacturing and research to the sectors already covered (we list them all below). This wider scope ensures that more critical services are covered, and coverage is more consistent between Member States.
  • Enhanced security measures. NIS2 mandates a minimum set of cybersecurity risk-management measures (Article 21) covering governance, risk management, supply chain security, business continuity and more. The directive does not prescribe a particular standard, but Article 25 directs Member States to encourage the use of European and international standards, so frameworks such as ISO/IEC 27001 and, for Operational Technology (OT), the IEC 62443 series are a practical way to structure and demonstrate compliance.
  • More accountability and stiffer penalties. NIS2 has stricter reporting obligations and harsher penalties for non-compliance. Financial sanctions modelled on the GDPR have been introduced, and senior managers may be held personally liable if their organization fails to comply with the directive.
  • Unified cybersecurity practices. With its wider scope and higher baseline, NIS2 aims to eliminate the inconsistencies in cyber readiness between Member States and ensure a high common level of cybersecurity throughout the EU.

Compliance timeline

  • On May 13, 2022, the co-legislators reached a provisional political agreement on the text.
  • On November 28, 2022, the Council formally adopted the NIS2 Directive; it was published in the Official Journal of the European Union on December 27, 2022.
  • On January 16, 2023, the Directive entered into force.

Member States had until October 17, 2024 to transpose NIS2 into national law, and the national measures apply from October 18, 2024. By April 17, 2025, Member States must have compiled their lists of essential and important entities. Transposition has not been uniform across the EU, so check the status of the national law, and the exact obligations it imposes, in each Member State where you operate.

Who Needs to Comply with NIS2?

The NIS2 Directive divides in-scope organizations into two categories: 'essential' and 'important' entities. The classification determines the supervisory regime (proactive supervision for essential entities, after-the-fact supervision for important entities) and the maximum fines; the security and incident reporting obligations themselves are the same for both.

How do you determine whether you fall under NIS2? The general rule (Article 2) is that an organization is in scope if it operates in one of the sectors listed in Annex I or Annex II of the Directive and is a medium-sized or large enterprise (at least 50 employees, or more than €10 million in annual turnover). Some smaller organizations are in scope regardless of size, for example DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks, and entities that are the sole provider of a service essential to critical societal or economic activities. Suppliers to essential and important entities are not automatically in scope themselves, but they feel the effect indirectly: their customers must manage supply chain risk and will pass security requirements down through contracts.

From our experience, the best way to settle the question is not to guess but to check the national transposition in each Member State where you operate and, where it remains unclear, seek assistance from experts.

Essential vs. Important Entities


Essential entities are mainly large enterprises (roughly, 250 or more employees or more than €50 million in annual turnover) operating in the 'high criticality' sectors of Annex I. Medium-sized enterprises in the same sectors are generally classified as important entities instead, with some exceptions (for example, qualified trust service providers, TLD name registries and DNS service providers are essential regardless of size). The Annex I sectors are:

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen).
  • Transport (air, rail, water, road).
  • Banking.
  • Financial market infrastructures.
  • Health.
  • Drinking water.
  • Waste water.
  • Digital infrastructure (e.g., IXPs, DNS service providers, TLD name registries, cloud computing, data centre and CDN providers, trust service providers, public electronic communications networks and services).
  • ICT service management (business-to-business managed service providers and managed security service providers).
  • Public administration.
  • Space.

Important entities are all other in-scope organizations: medium-sized enterprises in the Annex I sectors above, and medium-sized and large enterprises in the 'other critical' sectors of Annex II:

  • Postal and courier services.
  • Waste management.
  • Manufacture, production and distribution of chemicals.
  • Production, processing and distribution of food.
  • Manufacturing (e.g., medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment).
  • Digital providers (online marketplaces, online search engines, social networking platforms).
  • Research organizations.

Examples of affected sectors

The NIS2 Directive affects providers and operators in the energy sector, hospitals, clinics and other healthcare facilities, and transport infrastructure, including railways, airports and shipping. Entities operating critical digital infrastructure, such as the Domain Name System (DNS) and internet exchange points (IXPs), also fall within the NIS2 scope.


NIS2 Requirements and Features

As you can see, the NIS2 Directive significantly changes cybersecurity regulations. Let’s take a closer look at the main requirements.

Enhanced cybersecurity requirements

NIS2 requires essential and important entities to take appropriate and proportionate technical, operational and organizational measures to manage the risks to their network and information systems (Article 21). The measures must follow an all-hazards approach and cover at least:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including the security-related aspects of the relationships between the entity and its direct suppliers or service providers;
  • security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of the risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures on the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management;
  • multi-factor authentication or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate.

Article 21(1) sets the bar: the measures must be proportionate to the entity's exposure to risk, its size, and the likelihood and potential severity of incidents, taking into account the state of the art and, where applicable, relevant European and international standards. The Commission may also adopt implementing acts that spell out the technical and methodological requirements for specific types of entities; it has done so for DNS, TLD, cloud, data centre, CDN, managed service, managed security service, online marketplace, search engine, social networking and trust service providers (Commission Implementing Regulation (EU) 2024/2690).

Stricter incident reporting obligations

NIS2 tightens incident reporting (Article 23). Essential and important entities must notify significant incidents to their CSIRT or competent authority without undue delay, with an early warning due within 24 hours of becoming aware of the incident. National authorities also receive stronger supervisory and enforcement powers (Articles 31 to 34) to back this up.

Here are some key points of this part of NIS2 directive compliance:

  • Member States must ensure that essential and important entities notify their CSIRT (Computer Security Incident Response Team) or competent authority without undue delay of any incident that has a significant impact on the provision of their services. Where appropriate, entities must also inform the recipients of their services about significant incidents likely to adversely affect those services.
  • An incident is significant if it has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage. Entities must also, where appropriate, tell the recipients of their services about significant cyber threats and the measures they can take in response.
  • Reporting is staged: an early warning within 24 hours of becoming aware of the incident (indicating whether it is suspected to be unlawful or malicious and whether it could have cross-border impact); an incident notification within 72 hours with an initial assessment of severity, impact and, where available, indicators of compromise; an intermediate status update on request; and a final report within one month of the incident notification. If the incident is still ongoing at that point, a progress report is due then and the final report within one month of the incident being handled.
  • The CSIRT or competent authority must respond to the early warning without undue delay and, where possible, within 24 hours, with initial feedback and, on request, guidance on mitigation. If the incident is suspected to be of a criminal nature, it must also provide guidance on reporting it to law enforcement.
  • For incidents affecting more than one Member State, the CSIRT or competent authority must inform the other affected Member States and ENISA (the European Union Agency for Cybersecurity), while protecting the entity's security and commercial interests and the confidentiality of the information provided.

Increased penalties for non-compliance

This directive imposes serious repercussions for non-compliance. Organizations that fail to meet the requirements face financial penalties similar to those under the GDPR.

Additionally, management bodies of essential and important public and private entities are held accountable, with potential legal liability and fines for breaches. This strict enforcement is designed to ensure that businesses take cybersecurity measures seriously and implement them effectively.

10 Minimum Measures for NIS2 Compliance

  1. Policies on risk analysis and information system security, backed by regular risk assessments.
  2. Incident handling: a plan and procedures for detecting, analysing, containing and responding to security incidents.
  3. Business continuity: backup management, disaster recovery and crisis management, so that operations continue during and after a security incident.
  4. Supply chain security, including security requirements in relationships with direct suppliers and service providers, taking into account the vulnerabilities specific to each supplier.
  5. Security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure.
  6. Policies and procedures to assess the effectiveness of your cybersecurity risk-management measures.
  7. Basic cyber hygiene practices and regular cybersecurity training.
  8. Policies and procedures on the use of cryptography and, where appropriate, encryption.
  9. Human resources security, access control policies and asset management.
  10. Multi-factor authentication or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate.

These ten items are the minimum measures listed in Article 21(2)(a) to (j); national law and sector-specific implementing acts may add detail on top of them.

Penalties for Non-Compliance with NIS2

The NIS2 Directive also lays down a detailed framework of penalties to ensure that essential and important entities meet its requirements. We cover each of the three types below.

Non-monetary penalties

National supervisory authorities under NIS2 can enforce several non-monetary remedies to ensure compliance. The list includes:

  • Compliance orders – orders requiring the organization to remedy identified deficiencies or to comply with specific security requirements.
  • Binding instructions – directives that the entity must follow to improve its cybersecurity posture.
  • Security audit orders – orders to undergo a security audit and to implement its recommendations within a set deadline.
  • Threat notification orders – orders requiring the entity to inform the customers it serves about a specific significant cyber threat and the measures they can take.

Administrative fines

Administrative fines under NIS2 are significant. They directly depend on the type of entity.

Let’s take a closer look at them.

  • Essential entities (EEs). For the essential entities listed above, Article 34 requires Member States to set a maximum fine of at least €10,000,000 or 2% of the entity's total worldwide annual turnover in the preceding financial year, whichever is higher.
  • Important entities (IEs). For important entities, the maximum fine must be at least €7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher. Member States are free to set higher maxima.

As the directive itself states, the administrative fines are intended to enforce the cybersecurity risk-management and reporting obligations, and the levels are set so that non-compliance has significant financial consequences. Simply put, nothing motivates attention to security like the potential loss of funds. The penalties are there to make organizations take compliance seriously and make real efforts to protect their customers from cyber threats.

Sanctions for management

NIS2 makes senior management directly accountable. Under Article 20, management bodies must approve the cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training, and can be held liable for infringements. The aim is to define clear areas of responsibility for cybersecurity at the top of the organization rather than leaving the burden with the IT department alone. Note that the sanctions NIS2 itself provides are administrative, not criminal; whether negligence by management also attracts criminal liability is a matter of national law.

The sanctions that supervisory authorities can apply (Article 32) include:

  • Public statements disclosing the compliance violations.
  • Public identification of the natural and legal persons responsible for the infringement and of its nature.
  • For essential entities, a temporary ban on any natural person with managerial responsibilities at CEO or legal representative level from exercising managerial functions in that entity, until the infringement is remedied.

Together with the administrative fines, these measures are designed to hold C-level management accountable for cyber resilience, so that they take proactive steps to manage cyber risk and build a culture of security that runs through the entire organization.

Resources and Support

You can also read about SOC 2 Consulting & Readiness Services, as that framework requires similar security measures, including security testing services and professional penetration testing.

Wrapping Up

As you may have noticed, it is better to start your compliance journey early so that you can address issues and implement changes in time. In our own experience, continuous risk assessment and regular penetration testing help to stay ahead of threats and update security measures in a timely manner. This is useful not only for NIS2 but also within the framework of ISO 27001 Consulting Services and other regulatory requirements.

Developing a comprehensive policy set covering information system security, access control, incident handling and supply chain security is also important. You can use specialised NIS2 compliance software, but in most cases this work should be done together with cybersecurity experts who have experience in your sector. Do not forget to maintain clear incident management and reporting procedures that meet the 24-hour early warning, 72-hour notification and one-month final report deadlines; NIS2 is very strict in this regard.

Finally, train your staff regularly on cybersecurity best practices. This is also a requirement of the directive, not just good hygiene.

Getting started early and maintaining ongoing awareness within your organization is key to achieving and preserving NIS2 compliance. It will also save money by reducing the consequences of data loss or theft.

FAQs

  1. Who needs to comply with NIS2?

    NIS2 applies to essential and important entities within the EU: medium-sized and large enterprises in the sectors of Annex I (e.g., energy, transport, banking, health, digital infrastructure, public administration) and Annex II (e.g., postal services, chemicals, food, manufacturing, digital providers, research), plus certain smaller entities that meet specific criteria, such as DNS service providers, TLD name registries and qualified trust service providers.

  2. What are the penalties for non-compliance with NIS2?

    Non-compliance with NIS2 can result in severe penalties. Essential entities face fines of up to at least €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines of up to at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Senior management can also be held personally liable, and in essential entities can be temporarily banned from managerial functions until the infringement is remedied.

  3. What tools and services are available to help with NIS2 compliance?

    Tools and services available for NIS2 compliance include cybersecurity risk assessments, incident reporting protocols, multi-factor authentication solutions, and secure communication systems. Consulting services, security testing, and professional penetration testing can also provide essential support.

  4. What should management do to ensure compliance with NIS2?

    Management should prioritize cybersecurity, develop comprehensive security policies, conduct regular risk assessments, have security controls, and ensure all employees are trained in cybersecurity best practices. Engaging with cybersecurity experts and monitoring compliance through regular audits is also crucial.

  5. When does the NIS2 Directive come into effect?

    The NIS2 Directive entered into force on January 16, 2023. Member States had to transpose it by October 17, 2024, and the national measures apply from October 18, 2024; Member States must identify their essential and important entities by April 17, 2025.

  6. How does NIS2 differ from the original NIS Directive?

    NIS2 builds on NIS1 by broadening the scope to include more sectors and critical organizations. It mandates stricter cybersecurity measures, enhances accountability with more rigid penalties, and aims to unify cybersecurity practices across the EU, eliminating inconsistencies.
