The European Union’s (EU’s) Network and Information Systems 2 (NIS2) Directive marks a critical advancement in the EU’s digital regulatory policy. Expanding and improving on its predecessor legislation, NIS2 sets out to implement a consolidated, harmonized, and enhanced cybersecurity regime for EU member states. Here’s what you need to know.
The new NIS2 Directive, developed following vulnerabilities in various sectors during the pandemic, is another step forward in providing a holistic legal framework for cybersecurity. NIS2 dramatically extends the types of entities required to comply with increased cybersecurity standards to reflect the dominant role digital infrastructure plays in modern economies.
Unlike the original NIS Directive adopted in 2016, NIS2 does not confine regulatory oversight to a narrow range of sectors – and especially not to energy or telecommunications – but instead covers virtually all industries and smaller organizations that play a critical role in people’s lives. It does this by covering firms that are ‘interdependently’ critical to at least one other critical entity.
Another key difference is that while NIS retained seven sectors as targets, NIS2 went into effect with 18 sectors. NIS2 has much broader coverage, meaning that it will affect almost every element of Europe’s identity. The cybersecurity mandate under NIS2 will cover many more industries that contribute to the functioning of society—economic as well as social.
The decree divides these into two tiers: Essential Entities and Important Entities, each of which has different regulatory measures.
The Essential Entities comprise sectors of the European economy and society that underpin the functionality of the wider market and provide fundamental services that are indispensable to society as a whole. If these organizations were to suffer a cybercrime incident that had a demonstrable effect of hampering their ability to provide critical functions, a knock-on effect could have significant implications throughout the wider economy. NIS2 places greater cybersecurity obligations on these organizations to ensure their resilience.
Key sectors classified as Essential Entities include:
These sectors are all highly interconnected, and a breach in one can ripple across the rest. Hence, NIS2 imposes strict cybersecurity obligations on these Essential Entities.
While the Important Entities may not have the same level of criticality as the Essential Entities, they are still vital to the economy and societal well-being. Cyberattacks on these sectors can cause significant disruptions, financial losses, or risks to safety. Consequently, NIS2 applies specific cybersecurity standards to these sectors to ensure their protection.
Important Entities under NIS2 include:
NIS2 requires operators in critical sectors to comply with a set of binding and robust obligations for cybersecurity mitigation measures. Such measures are geared towards preventing and limiting security incidents; minimising the damage caused if they occur; restoring systems’ resilience in case of failure; and promoting the sharing of information and support between businesses. In other words, NIS2 ensures that operators in critical sectors focus on anticipation and proactively manage cybersecurity risks.
One core tenet is that organizations should be mandated to conduct regular risk assessments to identify vulnerabilities and evolving threats so that entities can implement appropriate security controls commensurate with the level of risk. Thus, cybersecurity strategies align with the operating environments of institutions and resist attempts by nation states, cybercriminals, and terrorists to wreak havoc on society.
Beyond this internal risk, NIS2 places a lot of focus on supply chain security. Because the modern economy is so interdependent, an organization’s cybersecurity is as strong as the weakest link in its chain, and that chain is typically all the third-party providers downstream. Although the bill doesn’t use this terminology, entities will have to be able to demonstrate their ability to manage cybersecurity risks across the entirety of their supply chain. This means that moving forward, organizations must demonstrate that external partners and vendors are securing their networks in a robust manner. This involves, at a minimum, evaluating the security readiness of suppliers, and buyers should be able to include cybersecurity regulations in their contracts.
A second important requirement is encryption. For organizations that process and store sensitive data, NIS2 specifies that modern encryption technology should be used, when appropriate, to protect data both in motion and ‘at rest’. Encryption helps to lock down information so that, even if it is stolen or intercepted in flight, the thief doesn’t benefit.
Access control measures are also in the spotlight, and NIS2 requires that operators ‘design and implement identity and access management processes appropriate to their needs and size to define, record, verify, and control who is authorized to perform tasks on their key systems and have access to their key data.’ This means that, for example, only authorized persons will be able to shut down a nuclear power station or turn off the lights in a city, and only authorized ‘admin’ personnel will be allowed to modify certain network settings. If designed and implemented properly, access management will help eliminate the problem of attacks from inside a network.
Incident response is another area addressed in NIS2. For example, an organization that operates essential services must develop and maintain tools and documentation that enable it to promptly detect, respond to, and repair cybersecurity incidents before they adversely impact the service’s functioning.
Business continuity, however, is related to incident response. NIS2 requires entities with critical functions to ensure operational continuity in the event of a cyberattack or technological disruption, including through what are called business continuity and disaster recovery measures. These measures comprise the means of ensuring the availability of backups as well as the specific processes and procedures that can be activated to ensure continuity in an emergency.
As far as the technical requirements are concerned, NIS2 requires organizations to apply a number of specific and general technical and organizational measures to protect their networks and information systems—from firewalls and intrusion detection systems to security policies related to how information is processed within the organization. These controls aim to impede unauthorised access, malware infections, and other system-threatening events.
Physical asset security is also an important part of NIS2. Organizations must ensure the safety of data centers, offices, and other important premises and prevent the physical access of ‘unauthorized persons’ to critical systems and hardware.
Integrating security into the design of new systems is part of NIS2 also. The regulations put in place ‘require entities to apply security-by-design principles to their systems’ (and procurement processes relating to the development of new systems), noting that ensuring the adequate consideration of security in a system’s development or procurement process ‘should enable the entity to avoid vulnerabilities which are harder and more costly to address later’.
Finally, vulnerabilities must be managed under NIS2, with provisions for detection and remediation. A vulnerability management programme must enable an administrator to proactively identify, prioritise and mitigate flaws within software, hardware and network configuration. Vulnerability management is a key principle of proactive cybersecurity, reflecting the notion that organisations should patch software in advance of attempts to hack it – ‘patch first, hack later’ approaches represent inept cybersecurity.
NIS2 ramps up incident reporting obligations to make sure that serious cybersecurity incidents are quickly notified to the relevant authorities so that concerted, timely response measures can take effect. Entities now have to report serious incidents within 24 hours of becoming aware of them, and prompt action can be taken to eliminate the immediate threats to the availability, integrity, confidentiality, or accessibility of the essential services concerned. This initial notification should be followed within 72 hours by a full report providing a more detailed picture of what is going on. This should include a summary of the initial impact assessment involved, such as indicating the scope of the incident and any indications of compromise that have been identified. It must also confirm details of the mitigation measures taken or planned to prevent further degradation of the services. All these requirements are enacted within the framework of rapid reporting with the aim of enhancing transparency and enabling faster recovery from the cybersecurity incident before critical services are severely disrupted.
NIS2 builds on this by offering more comprehensive governance and oversight through a sturdier EU-wide cybersecurity framework. This includes the creation of the new European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which ensures coordinated management of large-scale cybersecurity events across member states. If a large-scale cyber incident were to occur in multiple EU member states, there would now be a coordinated plan in place according to which multiple countries could provide expertise and capabilities to help respond. The level of collaboration between member states is also increased through enhanced information-sharing within the EU. Another key part of this enhanced governance involves the identification of competent national authorities in each member state who are responsible for ensuring that entities comply with the rules set forward by NIS2. This includes the development of harmonized national regulations and implementation of potentially elusive or novel requirements of the NIS2 directive, such as Demand Logging. This governance structure allows for national cybersecurity efforts to be appropriately aligned with EU-wide strategies and helps to provide a robust counter to attacks on digital infrastructure.
NIS2 imposes significantly higher penalties for non-compliance, underscoring the EU’s commitment to enforcing robust cybersecurity measures. For essential entities, the fines can reach up to €10 million or 2% of their global annual turnover, whichever is higher, reflecting the critical nature of the services they provide. Important entities face penalties of up to €7 million or 1.4% of their global annual turnover, signaling that even sectors with less immediate impact on societal functioning are still expected to maintain strong security standards. Beyond financial penalties, NIS2 introduces the potential for personal liability for C-level executives, including the possibility of temporary bans from holding managerial positions if their negligence contributes to non-compliance. This combination of financial and personal consequences is designed to ensure that cybersecurity is treated as a top priority at all levels of an organization.
Key dates for NIS2 implementation:
From a cyber threat intelligence perspective, the NIS2 Directive introduces several critical elements that reshape how organizations must approach both cybersecurity and threat intelligence. One of the most impactful changes is the emphasis on proactive threat intelligence and information sharing. Organizations covered by NIS2 are now required to participate in information sharing networks, fostering a stronger ecosystem for collective defense. This mandatory sharing ensures faster dissemination of emerging threats and improved situational awareness, not only within sectors but also across national borders. The directive implicitly encourages proactive threat hunting by pushing for advanced security monitoring, which enables organizations to detect sophisticated cyber threats early and identify previously unknown vulnerabilities. These measures also allow for more effective incident response planning, providing a clear framework for organizations to remain ahead of potential risks.
NIS2 also broadens the scope of threat intelligence operations by expanding its coverage to 18 sectors, including new areas such as manufacturing and digital services. This wider sector inclusion leads to a more comprehensive threat intelligence network that offers deeper insights into sector-specific risks and cross-sector threat patterns. Furthermore, the directive’s focus on supply chain security compels organizations to adopt a more holistic view of threat intelligence, as they must assess and mitigate risks not only within their own systems but throughout their entire supply chain. The requirement for rapid reporting of incidents within 24 hours further challenges organizations to enhance their threat detection and analysis capabilities. With incident reports required within 72 hours, companies are pushed to perform swift forensic analyses and quickly generate actionable intelligence, making the NIS2 Directive a transformative framework for how threat intelligence operations are conducted in the EU.
ThreatMon can provide organizations with mission-critical cyber threat intelligence (CTI) solutions that will help them meet NIS2 requirements, including real-time risk and threat monitoring and incident reporting, comprehensive sector-based threat hunting, enhanced vulnerability management, automated threat analysis, and third-party collaborations to ensure sector-wide security defenses. ThreatMon’s comprehensive, advanced security framework can identify and prevent any potential security gaps that leave organizations exposed. This proactive approach to cybersecurity aligns with NIS2’s focus on prevention measures that protect organizations before, during and after a cyber event. ThreatMon.io will take organizations through these impactful steps, ensuring full compliance with all the NIS2 requirements. To learn more about ThreatMon and how they are helping organizations meet NIS2 obligations, visit our website.