NIS2 Directive: what it is and how to achieve compliance

In October 2024, EU member states will have to transpose the second EU Network and Information Security Directive (NIS2) into national legislation. Superseding the 2016 NIS1 directive, NIS2 applies much stricter cybersecurity standards and tightens the penalties for non-compliance with local regulations. Companies classified as essential or important are required to implement these standards. In this article, we take a closer look at what the NIS2 directive is, what it consists of, and how companies can make sure they adhere to the regulatory security standards so as to avoid onerous penalties or, in the worst case, an interruption of operations.

What you'll find in this article

  • NIS2 Directive: a brief introduction
  • NIS2: what it is, when it comes into force, and differences with NIS1
  • Who does the NIS2 Directive apply to?
  • What does the NIS2 directive require?
  • NIS2 Directive: What are the benefits for companies?
  • NIS2 Directive: How to prepare and who to contact for compliance?

NIS2 Directive: a brief introduction

The growing interconnection and digitalization of society has made institutions, businesses and citizens increasingly exposed to cyber threats. Cyber attacks have reached unprecedented peaks, both in frequency and severity: in the last 5 years, the number of attacks recorded globally has grown by 60%, according to data from the Clusit 2023 report.

The social and economic consequences of the incidents caused by these attacks have also worsened: again according to Clusit, 80% of the attacks detected in 2022 had serious or very serious impacts, compared with 52% of the total five years earlier.

The NIS2 Directive (Network and Information Security Directive 2) is a significant piece of legislation aimed at improving cybersecurity and protecting critical infrastructure across the European Union (EU).

It builds on the previous NIS Directive, addressing its deficiencies and expanding its scope to strengthen security requirements, reporting obligations and crisis management capabilities.

Whether your company is large or medium-sized, if it operates in a sector recognized as critical, the NIS2 Directive requires immediate attention. It introduces strict requirements for managing cybersecurity risks and for ensuring the continuity of essential services. It is therefore essential to understand what it consists of, how it is applied and how to comply with it, so as to avoid the risk of sanctions and obstacles to your operations. Let's go deeper into the topic in the next sections.

NIS2: what it is, when it comes into force, and differences with NIS1

In 2016, the NIS Directive was enacted with the aim of achieving a high common level of cybersecurity among Member States. In 2020, the scheduled review of the effectiveness of the directive and of its implementation revealed intrinsic deficiencies that prevented it from effectively dealing with current and emerging cybersecurity challenges, in particular in terms of the uniformity of approach between different Member States and of its scope of application.

The NIS2 Directive, published in the Official Journal of the European Union on December 27, 2022 and in force since January 16, 2023, maintains the objective of achieving a high common level of cybersecurity among Member States, while improving uniformity and effectiveness in its application, and therefore guaranteeing effective protection for the social and economic life of the Union. In particular, the legislation imposes stringent cybersecurity obligations on a wide range of organizations operating in sectors considered critical to the functioning of European society.

The directive introduces new obligations for organizations in four main areas, which are respectively:

  • Risk Management: organizations must reduce cyber risks to comply with the new directive. Among the measures to be implemented are incident management, improved supply chain security, strengthened network security, cryptography and better access control.
  • Corporate Responsibility: NIS2 requires company management to oversee, approve and receive training on the company's cybersecurity procedures and on cybersecurity risk management. In the event of violations, managers may face penalties including personal liability and temporary exclusion from management positions.
  • Communication obligations: essential and important entities must have systems in place to report, as soon as possible, security incidents that have a significant impact on the services they provide or on the recipients of those services. NIS2 specifies notification deadlines, such as an 'early warning' within 24 hours.
  • Business continuity: organizations must plan how to maintain business continuity in the event of serious cyber incidents. This strategy must consider system recovery, emergency procedures, and the creation of a crisis response team.

NIS2 pays particular attention to supply chain risks and supply chain compliance, especially with regard to the most critical suppliers. The legislator considers this compliance important not only as documentation certifying adherence to the Directive, but as a means of ensuring the actual and effective implementation of security measures.

It is important to note that the NIS2 Directive also intervenes (Article 16) to bridge the differences between member countries in incident reporting and in the subsequent strengthening actions.

In this sense, the new directive formally establishes the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents.

Finally, a voluntary peer-learning mechanism is also planned, offering member states and organizations within the EU the opportunity to exchange knowledge and learn from each other's experience in cybersecurity, increasing mutual trust and the uptake of good practices already adopted in the Union.

This is also thanks to the alignment of the NIS2 Directive with other sector-specific regulations, such as the Digital Operational Resilience Act for the financial sector (DORA) and the Critical Entities Resilience Directive (CER), an alignment that will ensure greater legal clarity and consistency between the different directives.


Differences with the 2016 NIS Directive

The NIS Directive, whose legal basis was Article 114 of the Treaty on the Functioning of the European Union (TFEU), had the objective of establishing and operating an internal market for cybersecurity by strengthening specific measures that would allow the approximation of national regulations.

To do this, the NIS Directive imposed cybersecurity obligations on entities that provide services or carry out economically relevant activities.

In practice, however, significant differences emerged in the way Member States implemented these obligations, with substantial variation in the type of obligation, the level of detail and the method of supervision.

These disparities, as is easy to imagine, entailed additional costs and application difficulties for entities offering cross-border goods and services.

In addition, the review of the NIS Directive highlighted differences in how Member States implemented it, since they had been left with discretion over the delimitation of its scope of application, as well as over the implementation of the security and incident-reporting obligations themselves.

Such differences could obviously expose the Member States themselves, making some of them even more vulnerable to cyber threats, with potential repercussions on the entire Union.

In the intentions of the European legislator, therefore, NIS2 serves precisely to eliminate these differences by creating a more uniform and coordinated regulatory framework, thanks also to greater cooperation between States and to an updated list of the sectors and activities subject to cybersecurity obligations.

With the new NIS2 Directive and the consequent repeal of NIS, these obligations are extended to a greater number of sectors and services considered vital for the main social and economic activities of the internal market, thereby overcoming the previous, now obsolete, distinction between operators of essential services and digital service providers.

The NIS2 Directive therefore replaces the previous NIS Directive, which it repeals as of October 18, 2024, with the aim of dealing with a radically changed threat landscape and, at the same time, overcoming the problems that prevented the NIS Directive from achieving the desired results.

Comparison between the NIS and NIS2 directives

Security Program
  NIS: Essential and digital services must take appropriate technical and organizational measures to manage risks to the security of networks and information systems. [NIS 1, Art. 14.1, 16.1]
  NIS2: Same overarching security risk management requirement as NIS 1. [NIS 2, Art. 18.1]

Risk Assessment
  NIS: Measures taken for the security of networks and information systems must be appropriate to the risks and reflect the state of the art. [NIS 1, Art. 14.1, 16.1]
  NIS2: Same as NIS 1, but risk analysis is also a required security measure. [NIS 2, Art. 18.2(a)]

Security Safeguards
  NIS: Virtually no detail on security requirements for essential services. Digital services' measures must include security of systems and facilities, incident handling, business continuity, monitoring and testing, and compliance with international standards. [NIS 1, Art. 16.1]
  NIS2: Security measures for essential and important services shall include at a minimum: incident prevention, detection and response; business continuity and crisis management; secure network and systems acquisition and maintenance; testing and auditing of safeguard effectiveness; use of cryptography. [NIS 2, Art. 18.2]

Supply Chain
  NIS: No specific requirements.
  NIS2: Essential and important services must include the supply chain in their security measures. They must consider specific suppliers' vulnerabilities and cybersecurity practices. [NIS 2, Art. 18.2(d), Art. 18.3]

Workforce and Personnel
  NIS: Not explicitly mentioned.
  NIS2: The management of essential and important entities must approve their respective cybersecurity risk management measures and follow regular cybersecurity training. [NIS 2, Art. 17]

Incident Reporting
  NIS: Essential and digital services must notify authorities of incidents having a significant impact on services. [NIS 1, Art. 14.3-4, 16.3-4]
  NIS2: Notify the relevant competent authority and, where applicable, their customers of "any significant cyber threat" that "could have potentially resulted" in a substantial disruption or loss. [NIS 2, Art. 20.1-3]


Who does the NIS2 Directive apply to?

The NIS2 directive has expanded the scope of application compared to the previous NIS directive, covering a wide range of sectors and organizations, both public and private, with the aim of strengthening cybersecurity within the European Union. The directive applies both at the level of individual nations and across the entire geographical area of the EU.

The directive indicates three macro-categories of entities that are required to comply with its rules:

  • Essential sectors: these sectors are considered vital for the socio-economic functioning of the EU and, as a result, organizations operating in them are subject to strict cybersecurity requirements.
  • Important sectors: in addition, NIS2 identifies "other critical sectors", which include an additional group of organizations required to comply with the security requirements imposed by the directive.
  • Digital service providers: digital service providers operating within the EU will also be required to comply with the rules of the new directive.

The directive itself does not differentiate between essential and important entities in terms of the cybersecurity requirements to be met. However, in practice, not all organizations will be treated the same when member states transpose the directive into their national systems: the security measures that a company or entity must implement may be graduated, that is, adapted and proportionate to the size of the organization and to the role it plays within its sector.

This approach avoids imposing burdensome obligations on smaller or less significant organizations, while at the same time ensuring that those that are larger or occupy more critical positions adopt high security standards.

To understand which sectors belong to which category, below is a list of the sectors divided by the category to which they belong.

NIS2 for Essential Sectors

  1. Energy:
    • Electricity
    • Petroleum
    • Gas
  2. Transportation:
    • Air
    • Rail
    • Water (maritime and fluvial)
    • Road
  3. Banks:
    • Banking services
  4. Financial market infrastructures:
    • Market infrastructures such as stock exchanges and payment systems
  5. Healthcare:
    • Hospitals and healthcare facilities
    • Medical laboratories
    • Online healthcare providers
  6. Supply and distribution of drinking water
  7. Wastewater management
  8. Digital infrastructures:
    • Internet Exchange Points (IXP)
    • Data centers
    • Network service providers

NIS2 for Important Sectors

  1. Postal and courier services
  2. Waste management
  3. Food production, processing and distribution:
    • Companies involved in food production and distribution
  4. Industrial production:
    • Sectors with key products, such as the production of chemicals, pharmaceuticals and electronic devices
  5. ICT (Information and Communication Technology) service providers:
    • Companies that provide IT solutions, security services and network infrastructure

NIS2 for Digital Service Providers

  1. Search engines
  2. E-commerce platforms
  3. Cloud service providers

It should be noted that it will in any case be up to the Member States to draw up, no later than 17 April 2025, a list of the essential and important entities that will be called upon to provide the necessary information. This list must then be reviewed and updated at least every two years, precisely to guarantee greater uniformity in the application of the NIS2 Directive.

What does the NIS2 directive require?

The NIS2 directive establishes a series of main requirements that organizations must meet to ensure a high level of cybersecurity. These requirements include:

  • Information systems risk analysis and security policies
  • Incident Management
  • Business continuity
  • Supply chain security
  • Secure acquisition, development and maintenance of computer and network systems
  • Strategies and procedures for evaluating the effectiveness of cybersecurity risk management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures related to the use of cryptography
  • Human resource security, access control strategies and asset management (hardware, software, data)
  • Use of multi-factor authentication or continuous authentication solutions

These requirements are designed to ensure that organizations are able to identify, prevent and respond effectively to cyber threats, thus protecting critical infrastructure and sensitive data.

Controls and sanctions provided for by NIS2

Heavy penalties and measures are provided for all organizations found not to comply with the rules imposed by the new directive.

The logic for applying sanctions is similar to that of other regulations, such as the GDPR: the amount of the sanction is established on the basis of a predefined minimum amount or a percentage of turnover, whichever of the two values is higher.

In the event of non-compliance, essential entities are subject to sanctions "equal to a maximum of at least 10,000,000 EUR or a maximum of at least 2% of total annual worldwide turnover." For important entities, the penalties are milder: "a maximum of at least 7,000,000 EUR or a maximum of at least 1.4% of total annual worldwide turnover."

In addition, in the most serious cases, the non-compliance of an essential entity may result in a temporary suspension or ban preventing any person who performs management functions (such as the chief executive officer or legal representative) from carrying out their duties within the organization.

NIS2 Directive: What are the benefits for companies?

The NIS2 directive offers numerous concrete benefits for companies, promoting a safer and more resilient digital environment. First, adopting cyber resilience strategies based on NIS2 requirements can help improve an organization's cyber hygiene and security posture, with the goal of reducing the risk of cyber incidents, strengthening cyber resilience and promoting business continuity.

Adopting risk management and cybersecurity governance practices, as required by the directive, can also contribute positively to the development of an internal culture oriented to cybersecurity. The spread of a cybersecurity corporate culture can increase staff awareness and preparation, potentially making the company more robust in the face of emerging threats.

In addition, once the provisions contained in the directive become law, an organization's non-compliance will be sanctioned by the Italian State. It is therefore crucial that all organizations falling within the scope of NIS2 achieve compliance with the directive to avoid sanctions from the competent authorities.

NIS2 Directive: How to prepare and who to contact for compliance?

NIS2 builds on previous legislation such as NIS1 and the GDPR, but adds many new requirements. For example, organizations must now adopt a robust risk management strategy, report incidents in a timely manner, be able to assess their supply chain, and maintain a comprehensive inventory of all digital assets.

As mentioned, since this is a Directive, NIS2 must be transposed into national law by the Member States. The obligations will become fully applicable from the day following the date set for the transposition of the Directive by Member States, October 17, 2024.

During the transposition process, Member States will be able to define some of the obligations imposed on organizations more precisely, taking into account the peculiarities of their respective national contexts. It is also conceivable that the adjustment periods for the entities within the perimeter will be defined during the transposition phase.

However, many of the areas in which organizations will be called upon to intervene in order to adapt are already identifiable today.

It is therefore advisable for organizations to move immediately to verify whether or not they fall within the scope of the Directive, and with reference to which sectors.

It will then be appropriate to proceed with an assessment of your current level of compliance in order to plan the necessary adjustment actions in time. Interventions such as those on the supply chain, for example, may require a significant commitment and a significant amount of time, so it is advisable to evaluate well in advance which actions are necessary and which can most effectively be initiated right away, so as not to find yourself operating under tight deadlines and with greater difficulty.

The requirements of NIS2 are complex, but complying with its provisions may be easier than you think. As a technology partner specialized in security, we at Dev4Side assist companies like yours on a daily basis in implementing security solutions integrated into Microsoft 365 and we help to ensure end-to-end security coverage.

You may not be aware that compliance and data governance are already natively integrated into Microsoft 365, and that you may already be able to configure some functionality useful for this purpose. This means that we can assist you in implementing security solutions designed to prepare your organization for the challenges imposed by the new NIS2 directive.

Microsoft 365 and Azure, with the support of Dev4Side, can provide you with tools to help you achieve NIS2 compliance.

Going into more detail, the technologies useful for this purpose are:

  • Microsoft Entra: identity and access management to ensure security and compliance through multi-factor authentication and risk-based access control.
  • Defender (Cloud Apps, Endpoint, Identity, IoT, O365): advanced threat protection for cloud applications, endpoints, identities, IoT and Office 365, improving network security and incident management.
  • Defender XDR: extended detection and response solution that coordinates the response to attacks across multiple assets, improving incident management and business continuity.
  • Microsoft Sentinel: SIEM and SOAR platform that offers complete visibility and automation of incident response, essential for risk management and business continuity.
  • Purview: data governance solution that helps protect sensitive information and ensure compliance with security regulations.
  • Purview Compliance Manager & Insider Risk: tools for evaluating and managing compliance and internal risks, improving information security and incident management.
  • Intune: unified endpoint management that ensures device security and compliance through security policies and access control.
  • Azure Network Security (Application Gateway, WAF, Front Door, Azure Firewall): advanced network protection with firewalls, application gateways and WAF to mitigate threats and ensure network security.
  • Azure Backup and Recovery: backup and recovery solution that ensures business continuity and data protection through automated backups and recovery plans.
  • Azure Policy: governance tool that allows you to apply and monitor security and compliance policies on all Azure resources.
  • Azure Virtual Desktop: virtual desktop solution that offers secure and controlled access to business resources, improving security and business continuity.

Navigating NIS2 compliance requirements requires more than a simple tactical approach: you need a strategic partnership with a security vendor that understands the full scope and dimensions of today's cybersecurity challenges, and Dev4Side, with its 15 years of Microsoft experience and certified experts, can help you navigate the complex contemporary cybersecurity landscape with complete peace of mind.

Conclusions

Preparing for the changes brought by the NIS2 directive is an obligatory step for any company or organization that operates within the EU and falls into one of the categories indicated by the new directive.

The cybersecurity challenges of the contemporary digital landscape are becoming more complex and dangerous every day and, in order to be addressed decisively and efficiently, they require the cooperation and commitment of all organizations operating within the EU's borders. In this framework, the NIS2 regulation positions itself as a solid guarantee of compliance and adherence to stricter and more uniform security standards for all member states.

In this complex scenario, Dev4Side can be the right partner to guarantee your company the smoothest possible navigation. If you decide to collaborate with us, we will be happy to share with you a more in-depth overview of how we can help you meet the requirements imposed by the new European directives in a simple and direct way.

FAQ on the NIS2 directive

What is NIS2?

NIS2 (Network and Information Security Directive 2) is a European Union directive aimed at improving cybersecurity across member states by setting strict security requirements for critical infrastructure organizations.

When does NIS2 come into effect?

NIS2 was published on December 27, 2022, and EU member states must implement it by October 18, 2024.

Who does NIS2 apply to?

NIS2 applies to organizations in essential sectors like energy, healthcare, and finance, as well as important sectors like ICT and food production.

What are the main requirements of NIS2?

Organizations must manage cybersecurity risks, report incidents within 24 hours, ensure business continuity, and secure their supply chains.

How does NIS2 differ from NIS1?

NIS2 expands the scope of NIS1, covers more sectors, and introduces stricter requirements, including supply chain security and uniform standards across EU member states.

What are the penalties for non-compliance with NIS2?

Organizations may face fines up to €10 million or 2% of global turnover. Managers may also face personal liability.
