Preparing for NIS2: How to Assess Your Cybersecurity Needs and Design for Compliance


The European Commission is proposing comprehensive legislation aimed at elevating cybersecurity standards across the European Union (EU). Network and Information Security 2 (NIS2) is the revised version of NIS, which was introduced in 2016 as the EU’s first cybersecurity directive.

What is the difference between the two? NIS2 expands the regulatory reach from seven sectors to 15, and it introduces a new size-cap rule: companies with more than 50 employees and more than €10m in revenue must comply. As a result, the number of companies in the EU falling under NIS2 regulatory scope has increased significantly, to approximately 150,000.

NIS2 also encompasses a broader spectrum of industry sectors, prescribes cybersecurity measures and establishes stringent incident reporting obligations to further enhance enterprise cybersecurity preparedness. The directive includes provisions for imposing sanctions and fines as a means of enforcement. By October 2024, when NIS2 is expected to be transposed into national law, companies will be required to implement suitable technical and organizational measures to manage risks that may affect the security of their network and information systems.

To ensure effective compliance, the directive empowers national authorities to supervise companies during regular and targeted audits, on-site and off-site checks, requests for information and access to documents or evidence. After the GDPR, NIS2 is the most stringent and extensive cybersecurity legislation passed by the European Commission.


Why Should Companies Act Now?

NIS2 imposes obligations on all large- and medium-sized critical infrastructure providers and digital service providers operating in the EU and companies that operate outside the EU but offer services in the EU. Non-compliance with NIS2 not only leaves organizations vulnerable to cyber threats but also to regulatory sanctions and fines. Management bodies are required to play a proactive role in overseeing and implementing the cybersecurity measures highlighted within the directive. What are the repercussions of non-compliance?

  • Fines of up to €10m or 2% of the previous year’s global turnover
  • Management liability including penalties and a potential temporary ban from management roles

While large companies may already have certain cybersecurity controls in place, medium-sized companies may not and may need to put in extensive effort to meet the October 2024 deadline.

How can companies know if they are within the scope of NIS2 and check their compliance status? Contact ISG to learn more.