NIS2 Compliance Guide: Navigating Europe's Most Extensive Cybersecurity Directive


The business landscape has experienced a surge in digital transformation initiatives, driven by the need to optimize operational functions. However, this reliance on digital technologies makes organizations vulnerable to cyber-attacks. With cyber threats on the rise, the European Union (EU) has proposed NIS2 for the Security of Networks and Information Systems (NIS), a comprehensive cybersecurity directive aimed at elevating cybersecurity standards across the EU.

What is NIS2?

NIS2 applies to critical infrastructure operators classified within 15 sectors including banks, energy, health, manufacturing, etc. and to digital service providers in the EU. More than 150,000 large and medium-sized companies are estimated to be affected by the directive. NIS2 expands on the previous NIS directive released in 2016, by defining clear cybersecurity requirements and incident reporting obligations while imposing sanctions for non-compliance.

The directive categorizes entities as "essential" or "important" based on the potential ramifications of service disruption. Both categories must adhere to the same security measures, but "essential" entities face proactive supervision. Organizations must implement specific cybersecurity measures, including risk analysis, incident handling, business continuity systems, supply chain security and more. It also establishes incident reporting obligations, requiring organizations to issue early warnings, conduct assessments, and submit comprehensive incident reports within defined timeframes.

Non-compliance with NIS2 exposes organizations to cyber threats and regulatory sanctions. Essential companies may face fines of up to €10 million or 2% of its worldwide annual turnover, while important companies could face fines of up to €7 million or 1.4% of worldwide annual turnover. Management would be held liable for risk management and are exposed to penalties and temporary bans from management roles.

NIS2 not only mandates public and private organizations to enhance their cybersecurity but also requires national governments to establish collaboration and vulnerability-sharing initiatives. The directive establishes the European Cyber Crisis Liaison Organisation Network (EU CyCLONe) to manage cybersecurity incidents at the EU level, fostering information exchange and cooperation.

Organizations must achieve NIS2 compliance by October 2024. Early adherence to the directive can enhance competitiveness, reputation and customer trust. Seizing the opportunity for proactive compliance with NIS2 is crucial for organizations aiming to establish robust cybersecurity measures and ensure long-term growth and profitability.

ISG offers comprehensive services to assist organizations in understanding NIS2 requirements and achieving compliance, including quick self-assessment, in-depth maturity evaluation, AI and ML based policy alignment, management training, incident response planning and cybersecurity strategy development.

What Is the Scope of NIS2?

NIS2 will establish a benchmark for cybersecurity risk management in the following sectors:

  • Essential sectors: Energy, Transport, Banking, Financial market infra, Health, Drinking Water, Wastewater, Digital infra (DNS service providers, TLD name registries, data centre service providers, cloud computing service providers, content delivery networks, trust service providers), ICT service management, Public Administration and Space.
  • Important sectors: Postal and Courier, Waste Management, Chemicals, Food, Manufacturing (Technology and Engineering), Research and Digital providers (search, social media, marketplaces)

Additionally, the directive extends its applicability to companies operating outside the EU but offering services within the EU such as companies offering cloud services, social media networks and search engines. Such companies are required to designate a representative in the EU.

Cybersecurity Requirements of the NIS2 Directive

Organizations are required to implement suitable technical and organizational measures to manage the risks that may affect the security of their network and information systems. The following measures will be addressed as part of the directive:

  • Risk analysis and information system security policies
  • Incident handling (prevention, detection and response to incidents)
  • Business continuity systems and crisis management
  • Supply chain security management measures
  • Security in the acquisition, development and maintenance of networks and information systems, including vulnerability management and disclosure
  • Policies and procedures for assessing the effectiveness of cybersecurity risk management
  • Training for members of management bodies and employees, as per Article 20
  • Policies and procedures regarding the use of encryption and cryptography
  • Measures for HR security, access control policies and asset management
  • Use of multi-factor authentication or continuous authentication solutions

NIS2 defines mandatory post-incident activities that are to be performed in a multiple-stage approach. Upon becoming aware of an incident, organizations are obligated to issue a warning to the relevant national authority within a 24-hour timeframe. They are then required to conduct an initial assessment of the incident within 72 hours. All incidents necessitate the submission of a comprehensive incident report within one month from the initial report.

What Is the Deadline for NIS2 Compliance?

All organizations falling under the purview of the directive are required to achieve NIS2 compliance by October 17, 2024. This timeline allows for the necessary preparations and adjustments to be made to ensure adherence to the requirements outlined in NIS2. Organizations must assess their cybersecurity posture in all aspects of security controls, covering people, process and technology to identify potential gaps and bridge these gaps.

How Can I Achieve NIS2 Compliance?

ISG provides comprehensive services tailored to assist organizations in gaining a deep understanding of how NIS2 applies to their unique circumstances. We guide organizations through the necessary steps to enhance their security measures and ensure robust compliance with the directive. We offer the following key services:

  • Access to free-of-charge, quick online self-assessment available in English, German and French to evaluate the applicability of and preparedness for NIS2 requirements and obtain customized results and recommendations.
  • Detailed maturity evaluation based on requirements highlighted within NIS2, such as risk analysis, incident management, vulnerability management, business continuity, supply chain security and cryptography; prioritized actionable plan for improvement
  • AI and ML-based comparison of a company's existing policies against the requirements of the NIS2 directive and upcoming translated laws to identify gaps and align policies to meet the requirements
  • Management trainings, cyber war games and information security awareness trainings for all employees
  • Assistance in developing an organizational cybersecurity strategy and robust incident response plans and capabilities
  • A robust vendor management program that includes stringent cybersecurity requirements for supply chain partners and external service providers

ISG is ready to help you to seize the opportunity for proactive compliance with NIS2. Contact us now to find out how to get started.