This October, the European Union implements the NIS2 Directive in a comprehensive update to the bloc’s cybersecurity regulations.

The NIS2 Directive goes live on October 17 and builds on the original 2016 Network and Information Systems Directive (NIS), with legislation designed to elevate the overall cybersecurity posture across member states.

EU member states will have to transpose NIS2 into national legislation, including defining “important” and “essential” entities. Essential entities will have to meet requirements from, and engage with, national supervisory authorities from the introduction of NIS2, whilst important entities will be subject to enforcement in the event of complaints or evidence of non-compliance.

Member states must identify which entities are deemed “essential” and “important” by 17 April 2025, including allowing entities to register themselves as being in-scope of the Directive and national implementing laws.

Organisations should therefore determine whether they consider themselves or their services in-scope of their national legislation, and ensure they cooperate with their national regulators to register before the applicable deadline in their country.

If your organisation is within scope, you must identify which national organisation will act as your country’s Computer Security Incident Response Team (CSIRT) and ensure that you are able to contact it within 24 hours of any significant cybersecurity incident.

Being able to report incidents within this shortened timeframe usually requires a robust cybersecurity incident team to be in place. A good team often involves collaboration between your incident response, business continuity management, IT, information security, legal and communication teams. If personal data is involved, your privacy team should, of course, be included too.

AI ethicist and digital regulation leader, Caro Robson, says:

“Having a clearly defined plan for security incidents, including allocating responsibilities to individuals for decisions and actions, is vital to cyber incident response. But having a plan is not enough; make sure your whole organisation is aware of the plan and knows what to do in the event of an incident.

“Carry out tabletop exercises and practise putting the plan into action. This is the best way to ensure everyone is aware of their responsibilities during an incident, and it is the only way to ensure that your response team can make the necessary reports on time.”

Stringent new requirements will be applied to governance, risk management, security protocols, business continuity, and incident reporting for entities operating in critical sectors such as energy, transport, healthcare, banking, and digital infrastructure.


#RISK London, 9-10 October, ExCel

Risks can’t exist in silos!

#RISK London brings together key areas such as privacy, governance, risk and compliance (GRC), artificial intelligence (AI), cybersecurity, compliance, and ethics to allow professionals to:

  • Make better informed decisions.
  • Allocate resources more effectively.
  • Improve overall resilience.


Key Components and Compliance Requirements

Effective Cyber Governance, Risk, and Compliance (Cyber GRC) will be imperative to meet compliance with NIS2 in a way that mitigates risk of financial and reputational damage.

More robust cybersecurity measures will be needed in areas such as risk management policy, incident response protocols, business continuity plans, and supply chain security.

NIS2 also brings in more rigorous reporting obligations. Organisations will have to notify the relevant authorities of significant cybersecurity incidents within 24 hours, and provide a detailed initial assessment within 72 hours. A final comprehensive report, outlining the incident’s severity, impact, root cause, and mitigation measures, will be required within a month of the incident taking place.

Penalties for Non-Compliance

Non-compliance with NIS2 carries severe consequences. National supervisory authorities can issue compliance orders, conduct security audits, and require that affected customers be notified of the threats involved.

Financial penalties are substantial, with ‘essential entities’ facing fines up to €10 million or 2% of their total annual global turnover, and ‘important entities’ up to €7 million or 1.4% of turnover.

Associate Director of Cyber Risk with Aon, Jenni Parry, says:

“NIS2 provides direction on the required steps which must be taken by the in-scope entities. The goal of this is to improve the overall level of cybersecurity risk maturity. These entities need to take an appropriate and proportionate level of technical, operational and organisational measures to manage the risks faced by their industry.

“These include key activities such as assessing (including testing and auditing) their policies and procedures to ensure the effectiveness of their cybersecurity risk management measures.

“Being an essential entity will mean an increased level of cybersecurity risk-management measures, audit and assessment and reporting obligations are required to comply,” she adds.

Crucially, NIS2 introduces personal liability for corporate management. In cases of serious negligence, managers may face criminal penalties, including public disclosure of compliance breaches and temporary bans on holding managerial positions for repeated violations.

Strategising for NIS2 Compliance

Just as business communities have done with GDPR, firms will have to adapt and enhance their cybersecurity strategies to comply with the NIS2 Directive. This requires a comprehensive approach that integrates governance, risk management, and compliance (GRC) with cybersecurity measures.

Critical areas to address include:

Integrated GRC and De-siloisation

An integrated GRC and cybersecurity strategy must go hand-in-hand with a removal of silos within an organisation to ensure a unified, coherent approach to managing risk.

Businesses should establish robust information security management systems that encompass all aspects of cybersecurity. This includes conducting regular risk assessments, and implementing revised security policies.

Awareness and training programs will play a crucial role in educating employees about cybersecurity best practice and fostering a culture of security. By aligning GRC with cybersecurity in these ways, organisations can streamline their processes, improve communication, and enhance overall resilience.

Detection and Response

Businesses must develop and implement incident handling procedures to quickly identify and respond to cybersecurity incidents. This includes setting up systems for monitoring and detecting threats, as well as establishing clear protocols for incident reporting.

The NIS2 Directive mandates that significant cybersecurity incidents be reported within 24 hours, with a detailed assessment within 72 hours. Organisations should have robust business continuity and crisis management plans in place to minimise disruption and ensure swift recovery in the event of an attack. Regular drills and simulations can help test and refine these plans, ensuring readiness for real-world scenarios.

Infrastructure and Application Security

Ensuring the security of infrastructure and applications is another critical aspect of NIS2 compliance. Businesses need to implement stringent measures to protect their networks and systems from unauthorised access and attacks.

To this end, infrastructure should be secured through firewalls, intrusion detection systems, and regular vulnerability assessments. Additionally, organisations should adopt secure development practices to mitigate risk in software and application development. This includes conducting code reviews, implementing security testing, and following best practices for identity and access control.

By prioritising infrastructure and application security, businesses can safeguard their critical assets and maintain the integrity of their operations.

Gira.Group CEO, Ira Goel, says:

“The NIS2 Directive expands the scope of its predecessor and is comprehensive legislation. It is now very well aligned with critical infrastructure and SCADA requirements in the US and globally.

“Many organisations, including our clients, map the requirements from the Directive with ISO standards with comprehensive risk management strategy – especially the ISO 27001 framework – allowing them to address many regulations across the EU and globally in one swoop. We have also put together a post comparing NIS 2 Directive with ISO 27001 for this purpose.”

Know the risks

Compliance with the NIS2 Directive necessitates a holistic approach to cybersecurity – a purposeful move away from silos and integration of GRC with proactive detection and response measures, and robust infrastructure security.

By focusing on these key areas, businesses can enhance their cyber resilience, effectively manage the evolving threat landscape and build momentum on the NIS2 Directive compliance journey.

The issues are examined in depth this October at #RISK London, where industry leaders explore the roles that data-driven strategy, business operations, and compliance play in building a resilient security posture.

#RISK London 2024

We’re excited to share that #RISK is back in London for its third consecutive year, ready to equip attendees like you with the knowledge, insights, and connections crucial for navigating today’s dynamic risk landscape.


#RISK London 2024, 9-10 October, ExCel - GRC. AI. Privacy. Security. RegTech


Taking place October 9 and 10 at London’s ExCel, #RISK London brings high-profile subject-matter experts together for a series of keynotes, engaging panel debates and presentations across four separate theatres:

  • GRC Theatre
  • RegTech Theatre
  • PrivSec Theatre
  • Risk Theatre

Each theatre is dedicated to examining the challenges and opportunities that businesses face in times of unprecedented change.

By breaking down silos and aligning systems and workflows, organisations can streamline decision-making, improve efficiencies, and enhance the customer experience.

Attendees will be able to learn how to mitigate risks, reduce compliance breaches, and drive performance.

“#RISK is such an important event as it looks at the broad perspective. Risks are now more interconnected and the risk environment is bigger than ever before.”

Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research

