NIS2 Directive in practice: definitions and key insights

The NIS2 Directive is the basis of the new regulatory framework that the European Union has created and adopted on cybersecurity: these are legal measures that have the ambition of strengthening the overall level of cybersecurity in member countries in the coming years.

Published in the Official Journal of the European Union on Dec. 27, 2022, and entering into force on Jan. 16, 2023, the NIS2 Directive effectively replaces the previous one (which will be repealed on Oct. 18, 2024) with the specific aim of addressing a radical change in the threat landscape. The NIS2 Directive integrates and updates the rules introduced in 2016 with the first NIS, not only modernizing the legal framework with a view to keeping pace with the explosion of digitization processes and cyber risk scenarios, but also extending the scope of the framework to new sectors and entities.

The new corpus, in particular, emphasizes three aspects: 

• the maximization of the resilience of public and private organizations; 
• the ability to respond to cyber attacks and incidents in a timely manner;
• the strengthening of supply chains, both digital and non-digital.

Thus, the concept of detection becomes central, which for companies and public entities also means developing business continuity plans that can be put in place to mitigate the damage of initiatives gone wrong.

Differences between NIS2 and NIS Directive: areas and actors involved

The main changes introduced by the NIS2 Directive concern the nomenclature of companies covered by the directive and the broadening of the sectors included in the scope. First, the distinction between Essential Service Operators and Digital Service Providers gives way to that between Essential Entities and Important Entities: 

• companies designated as Essential Entities provide services considered vital to society and the economy as a whole;
• companies designated as Important Entities directly impact the economic and social fabric while not directly providing essential services. 

The sectors included in the first NIS Directive were only the following:

• energy;
• transportation;
• banking and finance;
• health;
• drinking water;
• digital infrastructure;
• digital service providers.

With the NIS2 Directive, the following are added to the previous:

• manufacturing;
• public communications providers;
• space;
• agribusiness;
• digital services;
• wastewater and waste;
• pharmaceuticals and chemicals;
• post and shipping.

Under the new logic, all large enterprises in the sectors identified by the legislature that meet at least one of these conditions are required to respond to the NIS2 Directive:

• more than 250 employees on staff;
• an annual turnover of more than 50 million euros;
• an annual balance sheet total of more than 43 million euros.

Medium-sized enterprises also fall within the scope of the NIS2 Directive. In this case the requirements are different:

• the number of employees must be between 50 and 250;
• annual turnover and balance sheet total must be between 10 and 50 million euros.

NIS2 Directive: what changes in case of a successful attack

In general, the purpose of the NIS2 Directive is to prepare EU member states for the worst cybersecurity scenarios by requiring adequate equipment and ad hoc skill building.

Each country, for example, must establish a Computer Security Incident Response Team (CSIRT) and a national authority responsible for networks and information systems. Within 24 hours of discovery, Entities must then notify their stakeholders and relevant authorities (including the CSIRT) of any cyber threat that may cause a significant incident.

In case of events that actually occurred, within one month the Entities must produce and submit a report that clarifies:

• the description of the incident, at the level of severity and impact;
• the type of threat or root cause related to the incident;
• the mitigation measures that have been applied and in progress.

The CSIRT provides response and support within 24 hours. If the threat involves more than one member state, the CSIRT must not only inform the states themselves and ENISA (European Network and Information Security Agency), but also cooperate with a specially established network for cyber crises, EU- CyCLONe, which is entrusted with a number of tasks:

• managing cybersecurity incidents in a coordinated manner across the EU;
• ensuring the regular exchange of information between parties;
• enhancing the flow of internal information by cooperating with the network of CSIRTs;
• measuring the cyber capabilities of individual member states based on the National Cyber Power Index (NCPI);
• establishing rules and procedures in the event of a large-scale crisis.

ENISA, in parallel, is then responsible for key activities to foster greater cyber awareness:

• producing a report every two years on the state of security in the European Union;
• maintaining the European register of vulnerabilities, indicated by Essential or Important Entities;
• updating the register showing the location of Entities in the European territory;
• assessing, together with the EU Commission, the level of risk to ICT supply chains.

The entire ecosystem thus designed aims to achieve two key outcomes:

• a coordinated EU-wide management of cyber security incidents and crises;
• a coordinated disclosure of all vulnerabilities discovered throughout the EU.

NIS2 Directive: what changes for governance, risk management and supply chain

The NIS2 Directive also addresses cyber resilience with even greater determination, acting on three strands: governance, risk management, and supply chain. In terms of governance, the NIS2 Directive requires the governing bodies of Essential and Important Entities to take action to:

• approve the risk management measures implemented by the company;
• participate in training courses provided on a regular basis;
• offer similar training to their employees.

Regarding risk management, the NIS2 Directive imposes an obligation to assess risks and take the necessary technical and organizational measures. This is where those risks related to the supply chain fall: organizations must ensure their security even at the supplier relationship level, taking into account specific vulnerabilities and the overall quality of products and cybersecurity practices.

By converging these three dimensions on a strategy that provides a unified view, all parties included in the framework will then need to consider the specific vulnerabilities of each partner, as well as the overall quality of vendors' cybersecurity products and practices. This is not just about providers of ICT services and products: the NIS2 Directive guidelines should be implemented with respect to all entities for whom a cybersecurity problem could cause an incident or disruption along the value chain.