Updates NIS2 Directive: What Does Your Organization Need to Know?

What is NIS2?

If you're here, you've likely heard about NIS2. This European Union directive aims to strengthen cybersecurity across the community by establishing clear requirements for protecting networks and information systems. NIS2 is an update of the previous NIS Directive, and its goal is to create a common level of cybersecurity across all Member States. Similar to the General Data Protection Regulation (GDPR), this legislation harmonizes the necessary measures and approaches to safeguard digital infrastructure against the growing threat of cyberattacks.

NIS2: History, context, and shortcomings

There is no doubt that in just over thirty years, information networks and systems, particularly the Internet, have acquired a crucial role in society worldwide. They have decisively facilitated the cross-border flow of products, services, and people, becoming essential elements for economic and social activities. However, alongside this, information security incidents, as well as malicious actions and associated crimes, have continuously increased in magnitude, frequency, and large-scale harmful effects.

The significant impact of these incidents on economic activities at the international level, along with the associated financial losses, has led to a focus, especially in the last decade, on the reliability and security of information networks and systems becoming a priority for various countries and the supranational organizations. These entities have advocated for the development and strengthening of regulatory and legal requirements that establish security criteria and encourage organizational capabilities to protect these essential elements of society.

In this context, in 2016, the European Union, aware of the disparities in the levels of preparedness of different Member States and the varying security approaches that existed until then, approved the Directive (EU) 2016/1148, commonly known as the NIS Directive. This directive became an important driver for harmonizing information security across the EU.

Among its main objectives, the NIS Directive sought to improve cybersecurity in sectors key to the economy and society, as well as among digital service providers. Additionally, it aimed to ensure the resilience of essential service operators, establish an optimal cooperation framework between EU Member States to reduce the risk of cross-border cyberthreats, implement effective security measures, and develop an incident notification framework, in addition to promoting public-private collaboration.

However, the lack of specific criteria, which left interpretation open to different countries; its limited scope to specific sectors; insufficient coverage of the supply chain and risks for SMEs; and the absence of deterrent sanctions, among other aspects, undermined the directive's effectiveness. This, along with the need for updates to address new cyberthreats and the rapid digital transformation, has led to its revision and update.

NIS2 Directive: Key changes and obligations

The NIS2 Directive was introduced to overcome the obstacles that limited the effectiveness of its predecessor and to broaden its scope, enhancing information security in a more extensive context. Below are the main changes:

Designation Nomenclature

NIS2 introduces a significant change in how organizations required to comply with its cybersecurity obligations are classified. While the original NIS Directive differentiated between operators of essential services and digital service providers, leaving it up to Member States to decide which entities fell into these categories, NIS2 seeks greater uniformity and clarity.

Now, organizations are divided into two main categories: essential entities and important entities, using objective criteria such as the sector they operate in, their size, and their annual turnover. This classification is much clearer and more consistent across Europe, reducing inconsistencies between Member States in the application of the regulation.

Additionally, NIS2 acknowledges that while micro and small businesses are often exempt from many regulations due to their size, in some cases, these companies can play a crucial role in society or the economy. For example, if a microenterprise provides an essential service to a critical sector, it will also be required to comply with the directive. This ensures that any organization with a strategic impact in certain sectors is not left outside the regulatory framework.

Scope and Reach

The NIS2 Directive significantly expands its scope compared to the previous version, mainly by identifying new "Highly Critical" or "Critical" sectors for the functioning of society and the economy. These sectors are vital for everyday activities, and their disruption could have a severe impact on economic and social life. Sectors such as energy, transportation, healthcare, finance, digital infrastructure, and others that play a key role in the security and stability of the European Union are included.

This broader and more detailed approach considerably extends the reach of the Directive, meaning that a much larger number of organizations are now subject to complying with security measures.

Security Requirements and Risk Management

The primary goal of the NIS2 Directive is to raise security levels across the European Union. To achieve this, it not only introduces specific risk assessment criteria but also increases the demands for security measures and risk management that organizations must meet within its scope.

One of the key aspects is the focus on supply chain security, as any vulnerability within this chain can compromise the security of the entire ecosystem. The Directive also strengthens incident management, requiring stricter procedures for incident reporting. Affected organizations are obligated to report incidents promptly and accurately to the competent authorities if an event occurs that may compromise their systems or services.

This approach encourages the development of a solid framework for incident notification and promotes greater public-private collaboration, enhancing response capabilities and resilience against potential cyber threats.

Sanctions

The NIS2 Directive promotes the imposition of severe financial penalties as a deterrent for organizations that fail to comply with cybersecurity risk management measures or incident notification obligations.

For essential entities, administrative fines of up to 10 million euros or 2% of total global annual turnover, whichever is higher, are foreseen. For important entities, sanctions can reach up to 7 million euros or 1.4% of total global annual turnover, following the same criteria.

NIS2 in Spain: Transposition of the Directive and its implementation

While Spain quickly adapted to Directive (EU) 2016/1148, NIS, through its transposition into Royal Decree-Law 12/2018 of September 7 on the security of networks and information systems, and its subsequent development through Royal Decree 43/2021, this was largely possible because the country already had a strong level of maturity in this area, stemming from the ecosystem created by Law 8/2011 on measures for the protection of critical infrastructures.

However, regarding the transposition of the NIS2 Directive, Spain is lagging behind other European countries. Therefore, without a clearly defined national legal framework, Spanish organizations can only rely on the European Directive to begin implementing the necessary measures.

Nevertheless, certain indicators suggest the path that will be adopted at the national level to comply with NIS2. In this regard, the National Cryptology Center has taken the lead with the publication of the Specific Compliance Profile Guide CCN-STIC 892 for organizations within the scope of the NIS2 Directive (PCE-NIS2). This guide establishes that all public entities subject to the Directive, as well as many private entities, are also required to comply with the National Security Framework (ENS).

The guide clarifies that an organization whose information system is certified in the High category of the ENS (National Security Framework) and has a scope that aligns with the NIS2 requirements complies with the cybersecurity standards set by the Directive. For organizations certified in the Medium category of the ENS, the guide recommends adjusting their security measures to meet the NIS2 requirements, with a particular focus on areas such as business continuity, supply chain protection, and incident management and reporting, among others.

Additionally, the guide specifies that essential entities must comply with 72 of the 73 security measures defined in Annex II of Royal Decree 311/2022, while important entities are required to comply with 68 of these measures.

This approach provides a clear framework for both public and private organizations to prepare for the implementation of NIS2 at the national level, even before the Directive is fully transposed into Spanish law.

Given the current lack of transposition of the Directive, it seems likely that Spain will choose to adapt existing regulations on the matter and, based on Article 5 of the Directive, exercise its right to adopt or maintain provisions that ensure a higher level of cybersecurity. This will push organizations toward compliance with the National Security Framework (ENS).

NIS2 Webinar: Get Your Questions Answered

Don’t miss our webinar on NIS2, where we will discuss the latest changes in the transposition of the law, which companies will be affected, application deadlines, and the steps to take to protect your business against the new requirements.

Click the following link to register.

Free NIS2 test to assess your current compliance level

Working daily with the implications of the NIS2 Directive, I understand that adapting to its requirements can be a challenge for many organizations. Don't let time work against you: adapting to NIS2 is a process that encompasses multiple areas of the business and requires advance planning. The first key step is to identify your company’s current compliance status, which is why at SNGULAR, we offer a Free NIS2 Test. In a no-obligation 1-to-1 call, we will help you assess your organization’s compliance status.

This initial evaluation is completely informative and will provide you with an accurate view of your current situation, as well as guidance on the necessary steps to comply with the Directive. If you have questions or want to know more about your level of compliance, request your free test here and set your organization on the path to a higher level of security.