NIS 2

The NIS 2 directive is a legislative act that sets out measures to achieve a high common level of cybersecurity across the EU.

The NIS 2 directive

In the digital world, cyber threats are becoming increasingly sophisticated, posing significant risks to businesses and individuals alike. The new Directive (EU) 2022/2555, also known as the NIS 2 Directive, aims to achieve a high level of cybersecurity and targets key sectors critical to the functioning of society. Are you interested in what NIS 2 means for you and your business? We bring you a comprehensive guide to this important legislation. We will discuss its key points, the affected sectors, and explain what steps need to be taken to achieve compliance with the new rules by the deadline of October 17, 2024. As with all areas of IT management, VNET offers its expertise to help you meet all legal requirements for NIS 2 compliance and cybersecurity in your company.

What is the NIS 2?

The NIS 2 Directive is a legislative act that establishes measures to achieve a high common level of cybersecurity across the EU. Its aim is to improve the existing cybersecurity framework by introducing stricter obligations for companies and organizations in critical sectors.

What are the key points of the NIS 2 Directive?

  • Expanded scope

    The directive affects a wider range of sectors and entities, thereby strengthening overall cyber resilience. Cybersecurity obligations will now also apply to companies that were not previously regulated.
  • Enhanced protection against cyber risks

    Stricter measures for managing cyber risks are being introduced. Businesses will need to implement and maintain adequate technical and organizational solutions to protect against cyber threats.
  • Implementation of security measures

    Operators of critical infrastructure must implement strict security measures to protect their systems and data. This includes risk management, incident response plans, testing, and audits.
  • Mandatory reporting of cyber incidents

    All entities covered by the NIS 2 Directive will be required to report cyber incidents to the relevant authorities. This is crucial for the timely identification of threats, coordination of response, and prevention of the spread of cyber attacks.
  • Establishment of national teams

    Each member state must establish a national team for responding to cybersecurity incidents (CSIRT). These teams will coordinate the response to cyber attacks and share information with other member states.
  • Strengthened cooperation at the European level

    The directive emphasizes strengthening cooperation among EU member states in the field of cybersecurity. This includes information exchange, mutual assistance in addressing cyber incidents, and joint development of tools and solutions to combat cyber threats.
  • Reducing long-term risks

    Investments in cybersecurity in line with the NIS 2 Directive are not just a short-term obligation but a foundation for reducing future risks and building resilience against cyber threats.

Who Does the NIS 2 Directive Apply To?

The directive applies to a wide range of entities and distinguishes between two types of critical infrastructure entities:

  • Entities of Essential Significance

    These entities, such as energy companies, hospitals, and banks, provide services whose disruption would have a serious impact on the functioning of the state, economy, or society. Therefore, they are subject to stricter cybersecurity requirements.

    Examples: energy, transport, financial markets, healthcare, water management, digital infrastructure and services, public administration, space industry.

  • Entities of Important Significance

    This category includes organizations such as postal services, waste management, and manufacturing companies. While a disruption of their services would have a smaller impact, it still poses a risk to cybersecurity. Therefore, these entities also need to adhere to certain security measures.

    Examples: postal and courier services, waste management, chemical industry, manufacturing industry.

Did you find yourself in one of the affected areas? Contact us by email at nis2@vnet.eu

What are the obligations for entities of essential and important significance?

The cybersecurity requirements differ for these two types of entities.

Entities of Essential Significance are subject to stricter rules due to the potentially serious impact of disruptions to their services.

Obligations for entities of essential significance

  • Compliance with all requirements of the NIS 2 Directive.
  • Reporting all security incidents, regardless of severity.
  • Monitoring warnings from the National Cyber Security Centre (NCIB) and proactively responding to threats.
  • Subject to oversight by the NCIB.
  • Data and information must be processed on servers within the designated region.
  • Assessing the cybersecurity measures of critical suppliers is mandatory.

Obligations for entities of important significance

  • Compliance with selected requirements of the NIS 2 Directive.
  • Reporting only significant security incidents.
  • Monitoring warnings from the NCIB is not mandatory.
  • Subject to oversight by a certified NCIB inspector.
  • Data and information do not need to be processed on servers within the designated region.
  • Assessing the cybersecurity measures of suppliers is not a requirement.

Benefits of the NIS 2 Directive

The NIS 2 Directive offers extensive benefits for companies of various sizes and sectors in terms of cybersecurity protection in the EU:

  • Protection of Sensitive Information and Systems

    NIS 2 establishes strict cybersecurity requirements, helping companies protect their sensitive data and systems from cyberattacks.
  • Resilience to Threats

    By implementing the NIS 2 Directive, companies will strengthen their resilience to cyber threats and be better prepared to manage and respond to cyberattacks.
  • Compliance with Legislation

    NIS 2 defines clear cybersecurity requirements that companies must meet. By adhering to these requirements, companies will avoid fines and penalties for non-compliance with legal obligations.
  • Enhanced Reputation

    Compliance with the NIS 2 Directive demonstrates a company’s commitment to data protection and cybersecurity, thereby enhancing its reputation with customers, partners, and investors.
  • Prevention of Financial Losses

    Cyberattacks can cause significant financial losses for companies due to operational disruptions, data theft, and ransom demands. Implementing NIS 2 will help companies prevent cyberattacks and minimize their financial impacts.
  • Government Support

    The NIS 2 Directive also provides companies with state support in the form of access to national resources and expert knowledge in cybersecurity. In the event of a cyber incident, companies will not be alone and can seek help from governmental authorities.
  • Increased Trustworthiness

    By adhering to the strict security measures of the NIS 2 Directive, companies will gain the trust of customers and partners, making them more willing to share sensitive information.
  • Level Playing Field

    The NIS 2 Directive creates a unified cybersecurity framework for the entire EU. This levels the playing field for businesses and eliminates competitive advantages for companies that have previously avoided investing in cybersecurity.

Challenges of the NIS 2 Directive

While the NIS 2 Directive offers many benefits, its implementation is also full of challenges, and that’s why it’s good to have a reliable partner like VNET by your side:

  • Complexity of Implementation

    The requirements of the NIS 2 Directive can be challenging for companies, especially smaller ones with limited resources, to understand and implement.
  • Implementation Costs

    Adhering to new security measures requires investments in technologies, personnel, and professional training.
  • Shortage of Experts

    The cybersecurity market suffers from a shortage of qualified professionals. This can pose a problem for companies in implementing and maintaining the required security measures.
  • Need for International Cooperation

    The success of the NIS 2 Directive also depends on effective cooperation between EU states in information sharing and coordinated responses to cyber threats.