By 17 October 2024, EU member states must transpose the second EU Network and Information Security Directive (NIS2) into national law. Superseding the 2016 NIS1 directive, NIS2 applies much stricter cybersecurity standards and tightens the penalties for non-compliance. Companies classified as essential or important entities are required to implement these standards. In this article we take a closer look at what the NIS2 directive is, what it consists of, and how companies can make sure they meet its security requirements and avoid heavy penalties or, in the worst case, an interruption of operations.
The growing interconnection and digitalization of society have made institutions, businesses and citizens increasingly exposed to cyber threats. Cyber attacks have reached unprecedented levels in both frequency and severity: over the last five years, the number of attacks recorded worldwide has grown by 60%, according to the Clusit 2023 report.
The social and economic consequences of cyber incidents have also worsened: again according to Clusit, 80% of the attacks detected in 2022 had serious or very serious impacts, compared with 52% five years earlier.
The NIS2 Directive (Network and Information Security Directive 2) is a major piece of legislation aimed at improving cybersecurity and protecting critical infrastructure across the European Union (EU).
It builds on the previous NIS Directive, addressing its deficiencies and expanding its scope to strengthen security requirements, reporting obligations and crisis management capabilities.
Whether yours is a large or a medium-sized company operating in a sector recognized as critical, the NIS2 Directive demands immediate attention. It introduces strict requirements for managing cybersecurity risk and for ensuring the continuity of essential services. It is therefore essential to understand what it consists of, how it is applied and how to comply with it, to avoid sanctions and obstacles to your operations. The following sections go into the topic in more depth.
The NIS Directive was enacted in 2016 with the aim of achieving a high common level of cybersecurity across Member States. In 2020 the scheduled review of its effectiveness and implementation revealed intrinsic deficiencies that prevented it from dealing effectively with current and emerging cybersecurity challenges, in particular the lack of uniformity between Member States in both approach and scope of application.
The NIS2 Directive, published in the Official Journal of the European Union on 27 December 2022 and in force since 16 January 2023, keeps the objective of achieving a high common level of cybersecurity among Member States, while improving uniformity and effectiveness of application, and therefore guaranteeing effective protection for the social and economic life of the Union. In particular, the legislation imposes stringent cybersecurity obligations on a wide range of organizations operating in sectors considered critical to the functioning of European society.
The directive introduces new obligations for organizations in four main areas:
NIS2 pays particular attention to supply chain risk and supply chain compliance, especially with regard to the most critical suppliers. The legislator treats this compliance as important not only as documentation certifying adherence to the Directive, but as a means of ensuring that security measures are actually implemented.
It is important to note that the NIS2 Directive also intervenes to bridge the differences between Member States in incident reporting (Article 23 sets out the reporting obligations) and in the strengthening actions that follow an incident.
In this sense, the directive (Article 16) formally establishes the European cyber crisis liaison organisation network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises.
Finally, a voluntary peer-review mechanism is planned, giving Member States the opportunity to exchange knowledge and learn from each other's experience in cybersecurity, increasing mutual trust and spreading the good practices already adopted in the Union.
This is also helped by the alignment of the NIS2 Directive with sector-specific legislation such as the regulation on digital operational resilience for the financial sector (DORA) and the Critical Entities Resilience Directive (CER), an alignment that will ensure greater legal clarity and consistency between the different acts.
The NIS Directive, whose legal basis was Article 114 of the Treaty on the Functioning of the European Union (TFEU), aimed to establish and operate an internal market for cybersecurity by strengthening specific measures that would bring national regulations closer together.
To do this, the NIS Directive imposed cybersecurity obligations on entities that provide services or carry out economically relevant activities.
In practice, however, significant differences emerged in how Member States implemented these obligations, with substantial variation in the type of obligation, the level of detail and the method of supervision.
A series of disparities that, as is easy to imagine, created additional costs and practical difficulties for entities offering goods and services across borders.
In addition, the review of the NIS Directive highlighted differences in the way Member States implemented it, since they had been left discretion over the delimitation of its scope as well as over the implementation of the security and incident-reporting obligations themselves.
Such differences could obviously expose the Member States themselves, making some of them more vulnerable to cyber threats, with potential repercussions for the entire Union.
In the intentions of the European legislator, NIS2 will therefore serve precisely to eliminate these differences, creating a more uniform and coordinated regulatory framework, also through greater cooperation between States and an updated list of sectors and activities subject to cybersecurity obligations.
With the new NIS2 Directive and the consequent repeal of NIS, these obligations are extended to a greater number of sectors and services considered vital for the main social and economic activities of the internal market, doing away with the previous distinction between operators of essential services and digital service providers.
The NIS2 Directive therefore replaces the previous NIS Directive, which is repealed with effect from 18 October 2024, with the aim of addressing a radically changed threat landscape and, at the same time, overcoming the problems that prevented the NIS Directive from achieving the desired results.
The NIS2 directive has broadened the scope of application compared with the previous NIS directive, covering a wide range of public and private sectors and organizations, with the aim of strengthening cybersecurity within the European Union. The directive applies both at the level of individual Member States and across the EU as a whole.
The directive identifies three macro-categories of entities required to comply with its rules:
At the level of the directive, no distinction is made between essential and important entities in terms of the cybersecurity requirements to be met. In practice, however, not all organizations will be treated the same once Member States transpose the directive into national law: the security measures that a company or entity must implement may be graduated, that is, adapted and proportionate to the size of the organization and the role it plays within its sector.
This approach avoids imposing burdensome obligations on smaller or less significant organizations, while ensuring that larger organizations, or those in more critical positions, adopt high security standards.
To understand which sectors fall into which category, below is a list of sectors grouped by the category they belong to.
Note that in any case it will be up to Member States to draw up, by 17 April 2025, a list of essential and important entities, which will be called upon to provide the necessary information. This list must then be reviewed and updated at least every two years, precisely to ensure more consistent application of the NIS2 Directive.
The NIS2 directive establishes a series of main requirements that organizations must meet to ensure a high level of cybersecurity. These requirements include:
These requirements are designed to ensure that organizations are able to identify, prevent and respond effectively to cyber threats, thus protecting critical infrastructure and sensitive data.
There are, of course, heavy penalties and measures for organizations found not to comply with the rules imposed by the new directive.
The logic for applying sanctions is similar to that of other regulations such as the GDPR: the ceiling of the fine is set as a predefined fixed amount or a percentage of turnover, whichever of the two is higher.
In the event of non-compliance, essential entities are subject to administrative fines "of a maximum of at least EUR 10 000 000 or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year", whichever is higher. For important entities the penalties are milder: "a maximum of at least EUR 7 000 000 or a maximum of at least 1.4% of the total worldwide annual turnover in the preceding financial year", again whichever is higher.
In addition, in the most serious cases, the non-compliance of an essential entity may result in a temporary prohibition on any natural person with management responsibilities (such as the chief executive officer or legal representative) from exercising management functions within the organization.
The NIS2 directive also offers concrete benefits for companies, promoting a safer and more resilient digital environment. First, adopting cyber resilience strategies based on NIS2 requirements can improve an organization's digital hygiene and security posture, reducing the risk of cyber incidents, strengthening cyber resilience and promoting business continuity.
Adopting the risk management and cybersecurity governance practices required by the directive can also contribute to the development of an internal culture oriented towards cybersecurity. The spread of a corporate cybersecurity culture increases staff awareness and preparedness, potentially making the company more robust in the face of emerging threats.
In addition, once the provisions of the directive become law, an organization's non-compliance will be sanctioned by the Italian State through the competent national authority. It is therefore crucial that all organizations falling within the scope of NIS2 achieve compliance with the directive to avoid sanctions from the competent authorities.
NIS2 builds on NIS1 and sits alongside other legislation such as the GDPR, but adds many new requirements. For example, organizations must now adopt a robust risk management strategy, report incidents promptly, be able to assess their supply chain, and maintain a comprehensive inventory of all digital assets.
As mentioned, since NIS2 is a Directive it must be transposed into national law by Member States. The obligations become fully applicable from the day after the transposition deadline set for Member States, 17 October 2024.
During transposition, Member States will be able to define some of the obligations imposed on organizations more precisely, taking into account the peculiarities of their national contexts. It is also conceivable that the adjustment periods for in-scope entities will be set during the transposition phase.
However, many of the areas in which organizations will have to intervene in order to adapt are already identifiable today.
It is therefore advisable for organizations to verify immediately whether or not they fall within the scope of the Directive, and for which sectors.
It will then be appropriate to assess your current level of compliance in order to plan the necessary adjustments in time. Interventions such as those on the supply chain, for example, may require significant commitment and time, so it is advisable to evaluate well in advance which actions are necessary and which can be started effectively right away, so as not to end up operating under time pressure and with greater difficulty.
The requirements of NIS2 are complex, but complying with them may be easier than you think. As a technology partner specialized in security, we at Dev4Side assist companies like yours every day in implementing security solutions integrated into Microsoft 365, helping to ensure end-to-end security coverage.
You may not be aware that compliance and data governance capabilities are already built into Microsoft 365 and that you may already be able to configure some functionality useful for this purpose. This means we can help you implement security solutions designed to prepare your organization for the challenges of the new NIS2 directive.
Microsoft 365 and Azure, with the support of Dev4Side, can provide you with tools to help you achieve NIS2 compliance.
In more detail, the technologies useful for this purpose are:
Navigating NIS2 compliance requirements takes more than a tactical approach: it calls for a strategic partnership with a security vendor that understands the full scope of today's cybersecurity challenges. Dev4Side, with 15 years of Microsoft experience and certified experts, can help you navigate the complex contemporary cybersecurity landscape with peace of mind.
Preparing for the changes brought by the NIS2 directive is a mandatory step for any company that operates within the EU and falls into the categories indicated by the new directive.
The cybersecurity challenges of the contemporary digital landscape grow more complex and dangerous every day and, to be addressed decisively and efficiently, they require the cooperation and commitment of all organizations operating within the EU's borders. In this framework, NIS2 will act as a solid guarantee of compliance with stricter and more uniform security standards across all Member States.
In this complex scenario, Dev4Side can be the right partner to guarantee your company the smoothest possible path. If you decide to work with us, we will be happy to share a more in-depth overview of how we can help you meet the requirements of the new European directives in a simple and direct way.
NIS2 (Network and Information Security Directive 2) is a European Union directive aimed at improving cybersecurity across member states by setting strict security requirements for critical infrastructure organizations.
NIS2 was published on 27 December 2022; EU member states must transpose it by 17 October 2024, and its rules apply from 18 October 2024.
NIS2 applies to organizations in high-criticality sectors such as energy, healthcare and finance, as well as in other critical sectors such as food production, manufacturing and digital providers.
Organizations must manage cybersecurity risks, report significant incidents promptly (an early warning within 24 hours, followed by an incident notification within 72 hours and a final report within one month), ensure business continuity, and secure their supply chains.
NIS2 expands the scope of NIS1, covers more sectors, and introduces stricter requirements, including supply chain security and uniform standards across EU member states.
Organizations may face fines of up to at least €10 million or 2% of global annual turnover, whichever is higher. Managers may also face personal liability, including a temporary ban from exercising management functions.
The Infra & Security team focuses on the management and evolution of our customers' Microsoft Azure tenants. Besides configuring and managing these tenants, the team is responsible for creating application deployments through DevOps pipelines. It also monitors and manages all security aspects of the tenants and supports Security Operations Centers (SOC).