
From NIS to NIS 2: How to navigate the updated directive
The Network and Information Security 2 (NIS 2) directive is a successor to the original NIS directive. Its purpose is to strengthen the cybersecurity posture of the businesses and organizations it covers across different sectors.
NIS 2 expands on the original directive with notable changes and updates aimed at consolidating and strengthening cybersecurity practices in EU Member States.
With the directive’s new and expanded scope, organizations face more internal responsibilities and stricter enforcement to stay compliant. The increased complexity of NIS 2 and its looming implementation deadlines have put pressure on in-scope entities to act quickly to achieve and maintain compliance, making clear guides on the changes invaluable.
This guide will cover the information needed for the transition from NIS to NIS 2, focusing on the following topics:
- The notable NIS vs. NIS 2 differences you need to be aware of
- The potential challenges of NIS 2 compliance
- Strategies for simplifying NIS 2 compliance
The original NIS directive at a glance
The NIS Directive, developed by the European Union Agency for Cybersecurity (ENISA) and adopted in 2016, was the first EU-wide cybersecurity legislation.
The goal of the NIS directive was to create and strengthen common cybersecurity practices for operators of essential services (OES) and digital service providers (DSPs) across both public and private sectors throughout the EU. Examples of OES covered by NIS include energy, transport, banking, and healthcare, while search engines, online marketplaces, and cloud computing services are categorized as DSPs.
The directive's scope was a step in the right direction in creating a more unified cybersecurity network, but it was limited and left several unaddressed security gaps.
Although the NIS guidelines offered useful direction, they lacked clarity and specificity about which organizations had to comply with the directive. This led to uneven interpretation and application, creating disparate security levels between EU Member States and reducing the directive's effectiveness.
Over time, the drawbacks of the first-generation NIS became more pronounced as the frequency and complexity of cyber threats evolved. This led to a need for more effective measures to deal with the evolving threat landscape, which resulted in the transition from NIS to NIS 2.
NIS vs. NIS 2: Key changes and updates
Introduced in 2022, the NIS 2 directive is a more exhaustive update to the original NIS, designed to address the main shortcomings of its predecessor. The updates brought by NIS 2 bridge several gaps left by the previous directive, including:
- Systemizing cooperation and cybersecurity practices among EU Member States
- Improving the security posture of supply chains
- Creating a higher level of accountability for cybersecurity among top management of in-scope entities
The new directive came into force on January 16, 2023. Member States had until October 17, 2024, to transpose it into national law, at which point it became fully enforceable. Since NIS 2 is still relatively new, some affected organizations may still be getting up to speed on the changes it introduced.
The most important changes that NIS 2 brings are:
- Clearer security requirements
- Expanded scope
- More precise governance and oversight
- Stricter incident reporting requirements
- Higher penalties
Update 1: Clearer security requirements
While the original NIS directive proposed broad cybersecurity measures, outlining the minimum requirements for in-scope entities was largely left to individual EU Member States. The lack of guidance meant that Member States applied the requirements differently, and about 35% of the organizations covered by the directive found the expectations set by it unclear.
To rectify this, the NIS 2 directive clarifies the minimum requirements that entities across Member States must meet. The 10 minimum requirements stated by NIS 2 are:
- Policies on information system security and risk analysis
- Incident handling
- Business continuity, such as backup management, crisis management, and disaster recovery
- Supply chain security, including the relationships between entities and their service providers or direct suppliers
- Security in the acquisition, development, and maintenance of network systems, which includes the handling and disclosure of vulnerabilities
- Policies and procedures for evaluating the measures of cybersecurity risk management
- Basic cybersecurity training and cyber hygiene practices
- Policies and procedures related to the use of cryptography and encryption, where applicable
- Asset management, access point policies, and human resource security
- The use of multi-factor or continuous authentication solutions, secure voice, video, and text communications, and emergency communication systems
The updated requirements set by NIS 2 are a step in the right direction, but from a practical standpoint, there is still room to improve. For instance, the directive could benefit from more prescriptive guidance on implementation and specific security controls to further reduce ambiguity.
Update 2: Expanded scope
NIS 2 expands beyond the scope covered with the initial NIS by accounting for additional sectors that need to comply with it, such as waste management, public administration, and space.
With the increased scope, NIS 2 also introduced a new categorization of entities, dividing them into essential and important. These two categories are defined as:
- Essential entities are large organizations that provide services in critical sectors like water, healthcare, finance, and public administration. Because of their significance, these entities are subject to stricter regulations than important entities.
- Important entities are organizations whose services are not as critical to overall functioning as those provided by essential entities. Examples include sectors such as waste management, space, food, postal and courier services, public administration, digital services (e.g., social networking platforms, service providers, data centers), manufacturing, and public electronic communications networks and services.
NIS 2 takes a risk-based approach, meaning that while the directive primarily focuses on large organizations, it can also apply to medium and smaller organizations, depending on the criticality of the services they provide.
This shift in focus toward critical services is particularly evident in the case of small and micro organizations. For these entities to fall under the scope of NIS 2, they need to either provide services like domain name registration or be categorized as providers of services whose disruption could have a significant impact on societal and economic functioning.
Update 3: More governance and oversight
To strengthen governance and oversight in Member States, NIS 2 requires each to establish three entities:
- National Computer Security Incident Response Teams (CSIRTs), whose responsibility is to handle, review, and report on cybersecurity incidents
- A National Competent Authority (NCA), which the Member State appoints to audit and ensure compliance for in-scope entities
- A single point of contact (SPOC) that serves as a channel of communication for relevant authorities between Member States
While the original NIS directive required these same entities, NIS 2 further defines the role of NCAs in supervising and ensuring compliance for in-scope entities.
Another significant addition introduced by NIS 2 is the European cyber crisis liaison network (EU-CyCLONe). EU-CyCLONe is a secretariat made up of members from each EU Member State's crisis teams, whose purpose is to ensure better situational awareness and communication and to build an ecosystem of cybersecurity resilience and knowledge management within the Union.
Update 4: Stricter requirements for incident reporting
Although the original NIS required entities to report any significant incidents that could impact the operational continuity of essential service providers, it didn’t clearly define what constituted a significant incident.
NIS 2 reduces the interpretation risk by clarifying that an incident is considered significant if:
- It has caused or can cause severe operational disruption or financial loss for the entity
- It has affected or can affect other legal or natural persons by causing non-material or material damage
NIS 2 also introduces a stricter timeline for reporting significant incidents to the CSIRT or competent authorities. The types, timeframes, and details of the reports are shown in the table:
Update 5: Higher penalties
Before the implementation of NIS 2, each Member State could determine its non-compliance penalties, and there were no clear steps for bringing entities into compliance. With the updates brought by NIS 2, all Member States have unified, clear penalties split into three categories:
- Non-monetary penalties: These include binding instructions, compliance orders, orders for security audits, and threat notifications to a non-compliant entity's customers.
- Administrative fines: The amount of the fine depends on whether the entity in question is essential or important. Essential entities face fines of up to €10,000,000 or 2% of their global annual revenue, whichever is higher. Important entities face fines of up to €7,000,000 or 1.4% of their global annual revenue.
- Criminal sanctions: These are meant to hold C-level executives accountable. They include requiring companies to publicly disclose violations, issue statements detailing the nature of the violation and those responsible, and, in cases of repeated violations, temporarily banning individuals from management positions.
The potential challenges of shifting to NIS 2
NIS 2 is a significant step toward ensuring strong, standardized cybersecurity practices across all EU Member States. Still, certain areas of the directive lack prescriptive guidance, which leaves room for misinterpretation.
If you already have an existing framework like ISO 27001, the transition should be more straightforward. While there are some differences between the two frameworks, they align broadly in terms of best cybersecurity practices. You can use the clear guidance of ISO 27001 to make the NIS 2 compliance process more practical.
Still, preparing for NIS 2 compliance requires a substantial investment of time and resources. Security and compliance teams may find it overwhelming to scope and implement the scattered requirements while keeping track of the entire compliance process. Organizations with fragmented systems will face the added challenge of integrating the necessary cybersecurity controls and maintaining verifiable evidence.
The best practice here is to use an automation-enabled compliance management solution that can help you streamline the preparation process, minimize redundancies, and maintain compliance down the road.
Simplify NIS 2 compliance with Vanta
As your team works toward achieving NIS 2 compliance, you need a reliable solution to track and maintain compliance requirements without overwhelming your resources.
Vanta is a trust and compliance management platform that can help you automate up to 65% of your NIS 2 compliance workflows. The platform’s dedicated NIS 2 product comes with built-in functionalities that will help you boost efficiency in achieving and maintaining compliance, such as:
- 50+ technical controls to reduce ambiguity during implementation
- 100+ document templates
- 10+ policies aligned with NIS 2 requirements
- 600+ relevant tests to enable continuous compliance
Many of the controls for NIS 2 overlap with other security frameworks, like ISO 27001 and DORA. Vanta automatically maps the controls you already have to existing frameworks, preventing duplicative work and helping you get compliance-ready faster.
See how much Vanta can streamline and automate your workflows by scheduling a custom demo.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.