NIS 2: Everything you need to know about the EU directive.
4 November 2024
Reading time: 22 minutes
According to a recent report by Microsoft – Poland is among the three European countries most at risk of cyberattacks from groups sponsored by foreign countries, mainly Russia. The European Union is taking increasingly decisive steps to ensure effective protection against cyber threats that threaten not only individual organizations, but entire sectors of the economy and key services such as energy, health, finance, transportation and communications. In response to the rapidly evolving threats, the EU adopted an updated version of network and information security legislation in 2022 – the Network and Information Security Directive 2 (NIS2), which continues and expands on the original 2016 NIS Directive.
The first NIS Directive was a milestone in establishing a common legal framework for cyber security at the European level. It covered key sectors such as energy infrastructure, water, transportation and the financial sector, requiring member countries and companies to take measures to secure information systems and continuity of services. However, in the face of new, more advanced threats and an increase in cyber attacks, particularly during the COVID-19 pandemic, there has been a need to update and tighten regulations. NIS2 responds to these challenges by introducing a more comprehensive approach to cyber risk management, expanding the scope of regulations, and introducing stricter penalties for non-compliance.
Importance for business and society
The NIS 2 directive is of great importance to both business and society, emphasizing improved cyber security and more effective cyber risk management. For companies and institutions, it introduces new, more stringent requirements for protecting information systems that must be met to maintain compliance. This includes, among other things, implementing measures to prevent attacks, responding more quickly to incidents, and mandatory reporting of all threats. Compliance with NIS 2 is not only a legal obligation, but also a key step in raising the level of digital security at companies, helping to protect data, critical infrastructure and ensure business continuity.
For companies, failure to comply with these regulations can result in serious financial and reputational consequences, including severe fines. For the public, on the other hand, the introduction of NIS 2 is a guarantee of better security for key services such as energy, health, transportation and Internet providers, making them more resilient to cyber threats. In the long term, increased awareness and more effective risk management contribute to building trust in the digital world, which is fundamental in an era of digital transformation.
Legal background and reasons for the introduction of NIS 2
History of the NIS Directive
The first NIS Directive was adopted by the European Union in 2016. It was a pioneering initiative to create a legal framework for cyber security at the EU level. In the face of growing cyber threats, NIS aimed to improve the security of networks and information systems in key economic sectors. Its main thrust was to introduce minimum requirements for risk management and enhance cyber security incident response capabilities.
The NIS required member states to establish national cyber security authorities and cooperation mechanisms at the EU level. Organizations operating in key sectors, such as critical service operators (e.g., energy providers, water utilities) and digital service providers, were obliged to meet certain requirements related to the protection of their information systems.
Although the NIS Directive was an important step toward enhancing digital security in Europe, new challenges have emerged in the few years since its introduction that have necessitated updated regulations. Above all, the dynamic evolution of technology, the increase in the scale and complexity of cyber attacks, and the development of new digital sectors have rendered the original NIS Directive inadequate.
The context of evolving cyber threats and the need to update regulations
Since the adoption of the NIS directive in 2016, the world of cyber threats has undergone a significant transformation. The increase in the number of internet-connected devices, the rapid growth of cloud services, and the growing number of organizations and users dependent on digital technologies have made cybersecurity a key element in the functioning of economies. Digital transformation, including process automation and widespread data digitization, has increased not only the operational efficiency of businesses, but also exposure to new threats.
Cybercriminals have begun to use increasingly sophisticated tools and techniques to launch attacks, putting many businesses and institutions under pressure to protect their IT systems. Modern threats such as ransomware, phishing and advanced DDoS attacks have forced the European Union to revise its regulations to accommodate the new realities.
In response to these challenges, an updated NIS 2 directive was introduced in 2022 to better prepare Europe for modern cyber threats and improve its ability to respond to incidents on a European scale.
Increase in cyber attacks
One of the main reasons for the introduction of NIS 2 was the rapid increase in the number and scale of cyber attacks, especially on critical infrastructure and key services. In recent years, increasingly sophisticated ransomware attacks have been observed, with public institutions, hospitals, energy providers, as well as large enterprises as victims. Examples of notable incidents, such as attacks on hospitals in Ireland or Germany, as well as on the U.S. Colonial Pipeline, have shown how great an impact cyber attacks can have on public health, the economy and citizen security.
Ransomware, or malware that encrypts victims’ data and demands a ransom to recover it, has become one of the most common tools used by cybercriminals. These attacks have often led to the paralysis of entire institutions, particularly affecting the health care sector, the energy sector and public service providers. In addition, cybercriminals have increasingly begun to use attacked vulnerabilities in IT infrastructure to blackmail companies and extort millions of euros in ransom.
Significant incidents that have affected the perception of cyber security in the EU
- Ransomware attacks on hospitals – In 2020, hospitals across Europe were targeted by ransomware attacks that disrupted IT systems responsible for serving patients. The incidents revealed how vulnerable the healthcare sector is to cyber attacks.
- Attack on Colonial Pipeline in the U.S. – Although not directly in Europe, this attack demonstrated how devastating a cyberattack on critical infrastructure can be, leading to the temporary paralysis of energy supplies in the United States.
These events, along with many other incidents, have made cyber security a priority for European governments and institutions. As a result, NIS 2 aims to strengthen protection against such threats.
New challenges in the area of security
One of the most important challenges facing the European Union is how to ensure protection in the context of dynamic digital transformation. Modern technologies such as the Internet of Things (IoT), cloud computing, artificial intelligence, and the growing number of networked devices are increasing the complexity of IT systems and exposing them to new forms of attacks.
Impact of digital transformation on cyber security
Digital transformation has significantly impacted the cyber security landscape, introducing both new opportunities and threats. The growing number of smart devices and Internet of Things (IoT) systems creates additional entry points for cybercriminals who can exploit weak security features of these devices for attacks. While IoT makes everyday life easier, many devices are not adequately protected, increasing the risk of cyber attacks. In addition, the increased use of cloud computing, which involves moving data and systems to external data centers, requires the development of new methods to protect data privacy and security. Companies need to adapt their cybersecurity strategies to protect themselves from increasingly sophisticated threats in the changing digital ecosystem.
The importance of critical infrastructure protection
Critical infrastructure, i.e. systems and services critical to the functioning of society (such as energy, transportation, health care), is increasingly vulnerable to cyber attacks. Any disruption in the operation of these sectors can lead to catastrophic consequences – from power outages to endangering the lives of patients in hospitals. NIS 2 therefore places particular emphasis on securing critical infrastructure and key digital service providers.
Protection of technology suppliers
Digital delivery companies, such as cloud service providers, IT companies and IT system operators, play a key role in ensuring security across the digital ecosystem. NIS 2 imposes new obligations on these companies, including requirements for incident reporting and ensuring adequate security features in their products and services.
Key changes in NIS 2 compared to NIS
Expanding the scope of the directive
One of the most significant changes in NIS 2 is the expansion of the scope of regulated entities. While the original NIS directive mainly covered key sectors such as energy, transportation and the financial sector, NIS 2 expands that scope to include additional industries, including healthcare, research and ICT (Information and Communication Technology) service providers. This means that more organizations, including companies in sectors such as healthcare and cloud providers, will have to adapt their procedures to the new security requirements.
What’s more, NIS 2 now covers both larger and medium-sized companies operating in key sectors, regardless of their size. Unlike the previous version of the directive, which placed more emphasis on large entities, the new rules also apply to smaller companies that may be crucial to the operation of critical infrastructure. This move is aimed at minimizing security gaps in smaller organizations, which often fall victim to cyber attacks due to weaker security measures.
Strengthened risk management requirements
NIS 2 introduces more stringent requirements for cyber risk management. One of the key elements of the new regulations is the obligation for all covered organizations to develop risk management plans. These plans are designed to systematically identify, assess and control risks associated with the security of information systems. Companies and institutions will have to invest in tools and procedures that will help them monitor potential threats and respond to them more quickly.
Another new feature is the introduction of stricter cyber incident reporting requirements. Organizations will be required to report any major cyber security incident within 24 hours of detection. This dramatically shortens the response time compared to previous regulations, which gave more time for reporting. The shorter reporting time is aimed at faster detection and mitigation of the effects of cyber attacks, as well as better sharing of threat information at the European level.
Better cooperation at the EU level
NIS 2 also introduces new mechanisms for cooperation among EU member states to better coordinate cyber security activities. In response to increasingly complex and cross-border threats, the EU is emphasizing enhanced cooperation, which will enable a more coordinated response to cyber attacks that can affect multiple countries simultaneously.
A key element of this cooperation is the creation of the European Cyber Security Network. This network aims to improve information sharing, incident monitoring, and coordination in preventing and responding to cyber attacks. Under this network, member states and organizations will be able to work together to respond quickly and effectively to incidents and exchange best practices in protecting against cyber threats. This initiative underscores that international cooperation is key to effectively combating global cyber threats.
Impact of NIS 2 on businesses
The NIS 2 directive will significantly affect businesses, both operationally and financially. The new regulations are designed to make companies more resilient to cyber threats, requiring advanced security mechanisms, process restructuring, and investments in technology and human resources. Below, I outline the most important changes that companies need to consider in order to comply with NIS 2.
Obligations of companies to adapt to NIS 2
The introduction of NIS 2 means that companies that operate in key covered sectors will have to invest in advanced cybersecurity mechanisms. The requirements include not only network monitoring and threat detection, but also the implementation of advanced data protection measures. This means that companies must install network behavioral analysis tools, data leakage prevention (DLP) systems, and security incident monitoring and management tools.
NIS2 also mandates the development of comprehensive risk management strategies, which will include regular testing of systems, conducting security audits and training employees on cyber security. Increased requirements also include an obligation to report cyber incidents, which forces companies to be ready to respond quickly and report incidents within 24 hours of detection.
Another new feature is the mandatory appointment of a Chief Information Security Officer (CISO) in larger companies. This function will be key to coordinating digital security activities and responsible for implementing NIS 2 compliant procedures. In many organizations, the CISO will become the central figure responsible for identifying threats and implementing preventive measures.
Penalties for non-compliance with the directive
One of the most important elements of NIS 2, which will certainly force companies to comply more scrupulously, are new sanctions for non-compliance with the directive’s requirements. Severe financial penalties will be introduced, which can be as high as €10 million or 2% of a company’s global annual turnover, whichever is higher. The sanctions are intended to discourage companies from negligence in the area of cyber security and motivate them to take appropriate steps to avoid serious violations.
Companies that fail to comply may also face additional restrictions, including the possibility of being banned from certain activities or having their services suspended. In practice, this means that companies will have to make NIS22 compliance a priority to avoid not only financial losses, but also damage to reputation and customer trust.
Impact on IT service providers and cloud computing
NIS 2 will also have a significant impact on technology service providers, such as cloud computing, communications services and IT infrastructure providers. These companies, which are key elements of the digital ecosystem, will be subject to more stringent security and risk management requirements. For cloud providers, this means that they will have to bring their services up to NIS 2-compliant standards, as well as obtain certifications confirming compliance with security requirements.
Certification will become a key element in verifying that IT service providers meet appropriate security standards. Companies that provide digital technologies will have to prove that their systems are adequately secured, allowing customers to make informed decisions when choosing services. The increased requirements for IT providers are aimed at minimizing the risks posed by the use of external resources that could become targets of cyberattacks.
For many companies, working with IT and cloud providers will become more formalized and based on tighter compliance controls. Technology providers, in turn, will have to engage more in the security of their services, which may increase costs, but also increase trust across the digital ecosystem.
Actions required of member states and institutions
With the introduction of the NIS 2 Directive, member states and their institutions will be required to take a series of measures to strengthen cyber security at the national and European levels. The directive places responsibility on governments to create an appropriate legal and organizational framework to effectively protect key infrastructure and strategic sectors from increasingly sophisticated cyber threats.
New tasks for national authorities
One of the key elements of NIS 2 is to strengthen the role of national cybersecurity oversight authorities. Member states must create strong institutions that will be responsible for monitoring and controlling companies’ compliance with the directive. These institutions will not only oversee the implementation of NIS 2 requirements, but also play an active role in responding to cyber incidents.
In practice, this means setting up oversight bodies with the resources and competencies to effectively monitor companies’ compliance. These authorities will be able to conduct security audits, introduce risk assessment mechanisms and impose financial penalties on non-compliant entities. Member states will also have to ensure that these authorities have the necessary technical and operational support to efficiently detect, analyze and counter cyber threats.
As part of the measures required by NIS 2, member states must also create mechanisms to enable companies to report cyber incidents quickly and effectively. The rapid communication of threat information is key to coordinating efforts at the national and European levels, so the NIS 2 regulations require the establishment of clear procedures and platforms for incident reporting.
European cooperation on cyber security
Enhanced cooperation at the European level is one of the cornerstones of NIS 2. The directive emphasizes the need for a more integrated approach to cyber security across the European Union, with the aim of better protecting against threats that are increasingly cross-border in nature.
In this context, one of the key actions is the creation of a European NIS Cooperation Group to coordinate cyber security activities at the EU level. The group will be responsible for monitoring the implementation of NIS 2 in individual member states and for sharing best practices in protecting digital infrastructure. The European Cooperation Group will also be a key element in the rapid response process to cyber threats that may affect more than one member state.
The importance of sharing information between member states and international organizations in the context of detecting and combating threats is also one of the priorities of NIS 2. The directive places great emphasis on EU countries sharing information on incidents, threats and protection tools. In this way, it will be possible to better anticipate threats and respond more quickly to cyberattacks that can affect different sectors and regions.
Cooperation at the European level will also include the creation of common mechanisms for responding to threats, such as cyber-attack warning systems, which will enable the immediate exchange of data on emerging threats. In this way, EU countries will be able to more effectively counter cyber attacks and minimize their effects.
Guidance for companies: How to prepare for NIS 2
To meet the requirements of NIS 2, companies need to implement a number of procedures to strengthen their ability to protect themselves from cyber threats. Below I outline the key steps companies should take to adequately prepare for NIS 2 implementation.
Risk assessment and internal audit
One of the cornerstones of an effective cyber security system is continuous risk assessment. In the context of NIS 2, companies are required to conduct regular internal audits to identify potential security gaps and assess vulnerabilities.
The need for internal audits
An internal audit is a process of systematic review of IT systems that allows a company to detect existing vulnerabilities and assess compliance with applicable regulations. This audit should cover both technological infrastructure and operational procedures. The results of the audits will provide valuable information on the current state of security, as well as help develop a remediation plan.
Implement a policy of continuous assessment and monitoring of risks
For effective protection against threats, it is necessary to adopt an approach based on continuous risk assessment. This policy should include both the identification of new threats and the monitoring of changes in technology or the organization that may affect security. Regular risk assessment allows for faster response to changing conditions and real-time adaptation of security systems.
Employee training
Technology is not the only line of defense against cyber attacks. In the context of NIS 2, the human factor plays a huge role, so regular employee training is an essential part of a security strategy.
Education on the dangers of phishing, ransomware and other attacks
Employees should be aware of threats such as phishing, ransomware, social engineering attacks, and malware. They are often the targets of attacks – cybercriminals take advantage of human error to bypass technical security measures. Training should therefore focus on educating people to recognize suspicious messages, links and attachments, as well as developing habits for safe use of e-mail and the Internet.
The role of employee awareness in minimizing risk
Aware employees are the first line of defense against cyber threats. If everyone in an organization understands what threats can arise in daily work and how to respond to them, the risk of a successful attack decreases. Companies should regularly organize workshops and simulation exercises to give employees practical skills in dealing with real-life crisis situations. In addition, introducing security awareness programs as part of the daily organizational culture will greatly increase the effectiveness of prevention efforts.
Develop a cyber security strategy
One of the most important steps in preparing for the implementation of NIS 2 is the creation of a comprehensive cybersecurity strategy that includes not only defense against threats, but also emergency response.
Prepare an incident response plan and create crisis management procedures
Even with the best precautions, security incidents can happen. That’s why it’s crucial for every company to have an Incident Response Plan (IRP) that outlines what steps should be taken in the event of a security breach. This plan should include processes for detecting incidents, notifying the appropriate teams, minimizing the impact of an attack, recovering from an attack, and reporting incidents to the appropriate regulators. As part of crisis management, it is also worthwhile to develop business continuity plans that will enable the company to function even in the face of major disruptions.
Adaptation of security systems to NIS 2 requirements
NIS2 introduces detailed requirements for IT security systems. Companies must ensure that their infrastructure complies with these requirements. Systems should therefore be updated regularly to prevent exploitation of known software vulnerabilities. It is also important to implement mechanisms to encrypt data both at rest and in transit to prevent unauthorized interception. In addition, regular backups are crucial to protect against ransomware and other attacks that can prevent access to critical data.
Benefits of implementing NIS 2
The implementation of the NIS 2 directive brings a number of benefits for both companies and consumers. Thanks to this EU legislation, companies can better protect their IT assets and critical infrastructure, while gaining an edge in the competitive market. What are the main benefits of implementing NIS 2?
Increased resistance to cyber attacks
One of the key goals of the NIS 2 directive is to make companies more resilient to cyber attacks. The requirements that companies must meet focus on strengthening security and preparing for potential cyber threats.
NIS 2 mandates the implementation of security standards that aim to protect critical infrastructure. As a result, companies are better prepared to defend against external attacks that could disrupt the continuity of systems and services. Enhanced protection includes, among other things, threat monitoring, faster incident response and regular risk assessments. As a result, companies’ IT assets, such as servers, networks and applications, become less vulnerable to cyber threats.
Better protection of IT infrastructure makes European systems more reliable for business partners and customers. As a result, both businesses and users can use digital services with a greater sense of security. This increase in trust is crucial in the context of international cooperation, as companies operating within the European Union can be seen as more stable and trustworthy. This, in turn, translates into the ability to attract more customers and business partners.
Improving consumer safety
NIS 2 focuses not only on the security of companies, but also on protecting end users. This allows consumers to feel safer using digital services and entrusting their data to companies.
The directive requires companies to implement stricter data protection measures, which in practice means better protection of customers’ personal and financial information. This makes data such as payment card numbers, addresses, and other sensitive information less vulnerable to leaks and unauthorized access. Companies must ensure the security of stored data at every stage of processing, which translates into greater protection of consumer privacy.
Increased awareness and better data security management procedures reduce the number of data breach incidents. This means that consumers are less likely to have to worry about their data being stolen or used in an unauthorized manner. Fewer incidents also mean less reputational risk for companies and lower costs associated with handling and mitigating potential breaches.
Increasing the competitiveness of companies
The NIS 2 directive places high demands on companies, but at the same time opens up the opportunity to gain a competitive edge. Companies that successfully implement the new regulations can gain in the market by offering more secure and reliable services.
Customers are increasingly paying attention to digital security, choosing providers that care about their data. Companies that fully implement NIS 2 standards will be able to offer better security, which can become an important competitive differentiator. Security becomes an added value that can be promoted as part of a marketing strategy. These companies will be able to convince customers that choosing their services is also a choice for security and protection, which is crucial in an era of growing digital threats.
Summary
NIS 2, or the Network and Information Security Directive, is a key piece of legislation that will significantly shape cyber security in the European Union in the coming years. It follows on from the first NIS Directive, adopted in 2016, but introduces significant changes to better adapt the legislation to the rapidly changing digital environment and growing cyber threats. With attacks on critical infrastructure on the rise and cybercrime on the rise, NIS 2 is a step toward a more integrated and consistent security policy across the European Union.
Importance of NIS 2 for Cyber Security
The NIS 2 directive is fundamental to strengthening the protection of both EU companies and citizens. The main goals of NIS 2 include increasing resilience against cyber attacks, improving the protection of personal and financial data, and strengthening international cooperation on cyber security. By expanding the scope of regulation and tightening requirements for protecting IT assets, NIS 2 puts a premium on prevention and rapid response to security incidents. Incident reporting and risk assessment obligations are intended to help companies better prepare for potential threats and effectively minimize their impact.
One of the most important aspects of NIS 2 is the extension of the regulations to a broader spectrum of business sectors, including many new industries that were not previously obligated to apply such security standards. This includes the telecommunications, water supply, energy, transportation and digital service providers, among others. This approach is aimed at securing critical infrastructures whose operation is crucial to the functioning of entire societies and economies.
With NIS 2, the European Union aims to create a more unified approach to cybersecurity, with standards and regulations uniform across member states. This means that companies will have greater legal certainty and clear guidelines on what actions they need to take to secure their IT systems.
The Future of Cyber Security in Europe
The implementation of NIS 2 is a major step forward in building a more secure digital ecosystem in Europe, but it is also part of a broader vision of a future in which cyber security will become an indispensable part of any digitization process. As technologies evolve at a pace unprecedented in history, and innovations such as artificial intelligence, the Internet of Things (IoT) and cloud computing become standard, it is essential to ensure that digital infrastructures are resilient to increasingly sophisticated threats.
NIS 2 is just one component of the EU’s new cyber security strategy, which also includes other initiatives such as the European Cybersecurity Act and the planned creation of a European Cyber Security Unit. In the future, we can expect even greater integration of activities related to the protection of critical infrastructure and digital systems across the European community. International cooperation in the face of global threats that often transcend national borders will also be crucial.
Looking ahead, building awareness of cyber threats among businesses and citizens also remains a key challenge for Europe. NIS 2 requirements are forcing companies to invest in employee training, develop risk management strategies and implement advanced protection tools. In the long term, such measures will not only increase the organization’s resilience to attacks, but also influence the development of the labor market, where cyber security specialists will become even more in demand.
NIS 2 compliance audit with summ-it
October 17 marks the formal deadline for implementing the provisions of the EU’s NIS 2 directive into the legislation of EU countries. We will have to wait a little longer for the implementation of the regulations in Poland. Until when?
It could be at least six months. The Ministry of Digitization announces that the draft amendment to the law on the National Cyber Security System will go to the Parliament “later this year.” However, given the nature and length of the legislative process, it is expected that the amendment to the law will not be passed by the Parliament earlier than the first quarter of 2025.
Despite the fact that the entry into force of the legislation is delayed, we recommend that every organization take immediate action to prevent cyber attacks. A side effect of these actions will be faster NIS 2 compliance for companies once the final national regulations are published.
Do you know if the upcoming regulations apply to you, what your company needs to prepare for, and how to ensure comprehensive protection of your data?