NIS2: Strengthening Cyber Security across Europe

At a time of growing digital dependence and increasing cyber threats, the European Union has revised the Network and Information Security Directive, resulting in the NIS2 Directive.

The NIS2 Directive, which will become part of local law transpositions across the EU by October 2024 at the latest, brings new rules and requirements for organisations and aims to strengthen the digital resilience of member states.
  

What is the purpose of NIS2?

The NIS2 Directive is a comprehensive European Union cyber security legislation aimed at boosting the overall level of cyber security within the EU through legal measures. It aims to harmonise and enhance the cyber security of member states across certain sectors and essential businesses within the EU. 

The NIS2 Directive, following up on its predecessor, aims to achieve the three following goals:
  1. Setting the bar for cyber security measures in critical industries through a significant expansion of the in-scope organisations compared to NIS1
  2. Ensuring that the cyber security posture across the different EU member states and national governments significantly improves
  3. Strengthen the EU cooperation between the cyber security authorities 
 

Who is subject to the Directive?

The Directive applies to businesses within EU borders or those providing their products or services within the Union. NIS2 significantly expands the scope of sectors, categorising the 18 sectors into ’Very Critical' and 'Other Critical' sectors based on factors such as size, sector and criticality. Entities that exceed the threshold for medium-sized enterprises, i.e. those with 50 or more employees and an annual turnover of more than €10 million or an annual balance sheet total of more than €43 million, are generally covered by the directive. Small and micro businesses are not covered unless they are covered by an exemption. By December 2024, the national cyber security authorities of the EU member states will have defined and set the definitive requirements of organisations expected to comply with the Directive and will require registration of all Essential and Important entities.

 

Overlap with the Digital Operational Resilience Act (DORA)

To ensure a harmonious implementation, the European Commission has issued Guidelines clarifying the exemption of entities to which sector-specific legal acts apply from the NIS2 Directive (read our article about the relationship between DORA & the NIS2 Dirtective). These Guidelines explicitly state that DORA has priority over NIS2 provisions on ICT risk management, cyber incident reporting, digital operational resilience testing, information-sharing, ICT third-party risk, supervision, and enforcement. DORA incorporates a provision known as "lex specialis," granting it priority over the NIS2 Directive, which is considered a general law. This provision ensures that if there are any conflicts or overlaps between the two directives, DORA takes precedence. The "lex specialis" provision in DORA helps to avoid confusion and ambiguity in the regulatory landscape.


How does NIS2 affect your organisation?

If you are covered by NIS2, you must implement appropriate and proportionate technical, operational and organisational measures to manage the risks and prevent or minimise the impact of incidents associated with the systems supporting socially critical services. Regulations bring not only challenges and investment towards compliance but also opportunities:

NIS2 Compliance Challenges & Opportunities


Overall, organisations must establish effective processes for risk management, incident management, supplier management, governance and management involvement. Such measures shall be based on a risk-based approach aimed at protecting the network and information systems, as well as the physical environment of those systems, from incidents and shall include at least the following:

NIS2 Process & Procedures

NIS2 requirements for organisations

Management accountability
  • Management needs to be more involved in approving cyber security risk management measures. In addition, management must also oversee the implementation of measures and be accountable for the organisation's non-compliance. Management must also have the necessary training and knowledge to identify risks, assess actions and impact on the mission-critical service.
 
Reporting obligations
  • In connection with the NIS Directive, national Competent Authorities (CAs) and Computer Incident Response Teams (CSIRT) were established to be notified of significant incidents on a national level.
  • Organisations covered by NIS2 must report significant security breaches within 24 hours of discovery to relevant authorities. Within 72 hours, they must evaluate the severity of the incident and indicators of compromise. A final report with assessment and conclusion must be submitted within one month. 
  • An incident is considered material if the incident or cyber threat (i) has caused or has the potential to cause significant supply or operational disruptions or financial losses to the entity, or (ii) the incident has affected or may affect other natural or legal persons by causing significant material or immaterial losses.
 

What are the consequences of not complying with NIS2 requirements?

Covered entities can expect competent national authorities to conduct oversight through audits, on-site inspections and requests for evidence of NIS2 compliance. For essential entities, proactive supervision will be conducted, while for important entities, follow-up supervision will continue to be conducted if an incident occurs. If the entity does not fulfil the requirements of NIS2, the authorities may impose administrative fines, with critical entities being subject to a maximum of at least €10 million or at least 2% of the total global annual turnover of the previous financial year. In addition, management may be held accountable on bread where sanctions in the form of temporary bans on management functions or temporary suspension of services.
 

How can BDO help?

For many organisations, complying with the requirements of the NIS2 directive can seem like a daunting task Our cyber security experts not only assist you in becoming NIS2 compliant, but we also transform this challenge into an opportunity to enhance your overall security and resilience. We can support your organisation by: 
  • Leverage industry standards and best practices – we utilise renowned industry standards and frameworks to perform comprehensive assessments that are tailored to your specificities and needs.
  • Improved cyber resilience - together we strengthen your organisation’s ability to detect, respond, and recover from cyber incidents effectively, minimising the impact for to your operations. 
  • BDO brings a fresh and unbiased perspective to evaluate your cyber security infrastructure, ensuring a comprehensive and impartial analysis.
  • Our team of consultants are seasoned experts in cyber security, well-versed in the latest threats, vulnerabilities, and best practices.
 

What you can expect from us

  • Customised cyber security maturity assessment – our team conducts a thorough evaluation of your current cyber security posture based on and aligned with industry standards and sector-specific best practices.   
  • Gap analysis – identify weaknesses and vulnerabilities in your existing cyber security organisation, identifying ‘must have’s to ensure NIS2 compliance in your jurisdiction but also ‘nice to haves’ based on your desired security level.   
  • Customised action plan – together with you we create a tailored action plan with clear, concrete and actionable steps to improve your cyber security posture and resilience.  
  • Implementation support – our experts guide your team in implementing the recommended security measures to ensure better protect your organization and ensure NIS2 compliance. E.g.
    • Management accountability and training: define management responsibilities and awareness training to the Board.
    • Third Party Risk Management: identify relevant suppliers, assess potential security risks and exercise oversight on critical suppliers. 
    • Contingency planning: we can help you create a contingency plan and develop and test procedures in the event of a (simulated) incident.
    • Incident reporting: incident handling and reporting procedures

Want to know more?
Contact Us

NIS2 Timeline


  • July 6, 2016: NIS1 Directive Adopted.
  • May 9, 2018: Deadline for transposition of the NIS1 Directive into national law by EU member states.
  • December 16, 2020: NIS2 Directive Proposed by the European Commission.
  • November 28, 2022: NIS2 Directive Adopted.
  • October 17, 2024: Anticipated deadline for the transposition of the NIS2 Directive into national law.
  • October 18, 2024: NIS Directive1 is repealed with immediate effect
  • April 17, 2025: Member States shall establish a list of essential and important entities
  • October 17, 2027: and every 36 months thereafter, the Commission shall review the functioning of the NIS2 Directive


 

Draft law

National Cyber Security Authority

Monitoring Essential entities

Monitoring Important entities

Denmark

Expected February, 2024

Centre for Cyber Security (CFCS)

Public draft not yet available 

Public draft not yet available  

Belgium

Published September 1, 2023

Centre for Cyber Security Belgium (CCB)

Mandatory certification (ISO27001 or CyberFundamentals Framework)

Voluntary certification

Czech-Republic

Published (no publication date)

National Cyber and Information Security Agency (NUKIB)

Periodic self-assessment with a possibility of a standard follow-up inspection by the NUBIK

Periodic self-assessment with a possibility of a standard follow-up inspection by the NUBIK

Malta

Expected Q1-Q2 2024  

Critical Information Infrastructure Protection Unit (CIIP)

Public draft not yet available 

Public draft not yet available  

Germany

Fourth draft expected to be published Q1 2024

Bundesamt für Sicherheit in der Informationstechnik (BSI) 

Compliance to NIS2 UmsuC Referentenentwurf

Compliance to NIS2 UmsuC Referentenentwurf

Netherlands

Expected Q3 2024

National Cyber Security Center (NCSC)

Public draft not yet available  

Public draft not yet available  

Austria

The Federal Ministry of the Interior submitted a draft to Parliament. Public draft expected Q1 2024

The Operational NIS authority is the Federal Ministry of the Interior

Public draft not yet available

Public draft not yet available

 

Finland

Proposal expected spring 2024

National Cyber Security Centre (NCSC-FI)

Public draft not yet available 

Public draft not yet available 

Slovenia

Last amendment B in April 2023. Draft of new amendments expected Q1-Q 22024 

SI-CERT (Slovenian Computer Emergency Response Team) 

not yet defined

not yet defined

Croatia

Published on November 30, 2023

The Office of the National Security Council (Ured Vijeca za nacionalnu sigurnost - UVNS)

Not yet defined

Not yet defined

Slovakia

Not available

National Security Authority (NSA)

Public draft not yet available 

Public draft not yet available 

Luxembourg

Transposed but not seen in the official journal.

ILR.LU (Institue luxembourgeois de régulation)

not yet defined

not yet defined 

Bulgaria

Not available

Ministry of transport, Information Technologies and communications (MTCIT)

Public draft not yet available 

Public draft not yet available 

Cyprus

Public consultation ended on September 29, 2023 - Proposed amendments being reviewed

Digital Security Authority (DSA)

Public draft not yet available 

Public draft not yet available 

Estonia

Was expected at the end of 2023 – no further information

Information System Authority 

Public draft not yet available 

Public draft not yet available 

France

Consultation phase in 2023

National Cyber Security Agency of France (ANSSI)

not yet defined

not yet defined

Greece

Published in January 2024

The General Directorate of Cyber Security

not yet defined

not yet defined

Hungary

Transposed directive into national law in 2023

National Cyber-Security Center (NCSC)

The parliement enacted Act XXIII of 2023 on cyber Security certification 

The parliement enacted Act XXIII of 2023 on cyber Security certification 

Ireland

Draft expected at the end of 2023 – no further information

The National Cyber Security Centre of Ireland (NCSC)

Public draft not yet available 

Public draft not yet available 

Italy

Not available

National Cyber Security Agency (ACN)

Public draft not yet available 

Public draft not yet available 

Latvia

Final draft was expected in November 2023 – no furhter information

Ministry of Defence (MOD) Republic of Latvia

Public draft not yet available 

Public draft not yet available 

Lithuania

Not available

National Cyber Security Centre (NCSC)

Public draft not yet available 

Public draft not yet available 

Poland

Not available

Ministry of Digital Affairs

Public draft not yet available 

Public draft not yet available 

Portugal

Not available

Centro Nacional de Cibersegurança (CNCS)

Public draft not yet available 

Public draft not yet available 

Romania

Not available

Romanian National Computer Security Incident Response Team (CERT.RO)

Public draft not yet available 

Public draft not yet available 

Spain 

Not available

Departamento De Seguridad Nacional (DNS)

Public draft not yet available 

Public draft not yet available 

Sweden 

Porposal on legislative changes to be completed by February 23, 2024

Swedish Civil Contingencies Agency (Myndighet för samhällsskydd och beredskap - MSB)

Public draft not yet available 

Public draft not yet available 

NIS2 Sectors of high criticalityNIS2 Critical Sectors



Small and micro enterprises are generally excluded from the scope of the directive. In addition, member states may decide to exempt defence, national security and law enforcement entities from NIS2. However, there are some exceptions where size and turnover requirements are overridden in cases where:

  • the nature of the activities is critical
  • your organisation is the sole provider in a member state and/or
  • disruption to the service provided by the entity could lead to a significant systemic risk across borders.