Introduction
If you work as an essential/critical entity in Europe, you’re likely familiar with the NIS 2 (Network and Information Security Directive 2) and its definitive cybersecurity requirements for businesses in the region. With the compliance deadline set for October 17, 2024, there’s no time to waste.
An EU-wide initiative to make the digital infrastructure cohesively secure and robust, NIS 2 comes into effect this year, creating high-level cybersecurity across the region. This comes as a defensive measure, given that the number of disruptive threats in the region almost doubled from the fourth quarter of 2023 to the first quarter of 2024. To know more about the top threats targeting the EU, view Group-IB’s Hi-Tech Crime Trends 23/24 infographic for a clear overview.
Although NIS 2 compliance checks are critical for strengthening business-wide cybersecurity, their proper implementation and oversight require a clear strategy and well-defined process. Realistically, achieving NIS 2 compliance takes 12 months or more, depending on a business’s size and scale of operations. However, with less than three months left to adhere to NIS 2, businesses can leverage the expertise of compliance and audit professionals not just to become compliant on paper but to establish effective enterprise-wide measures.
Here, we provide all the details to help you navigate the requirements of the issued NIS 2 mandate — the new and improved successor to NIS. Learn if your business is obligated under NIS 2 and discover the steps to achieve compliance effectively.
This new mandate has more stringent financial and legal implications than its predecessor. Non-compliance could result in a fine of 10 million euros or 2% of annual turnover, suspension of business activities, legal charges, and more. Ensure your business is not the one to bear the brunt of non-compliance.
What is the NIS 2 directive?
The European Union has signed the NIS 2 (Network and Information Security Directive 2) to enforce better cybersecurity and resilience within organizations across the region. A step up from its predecessor, NIS 2.0 covers more sectors and includes aggressive legal and financial implications for non-compliance.
This directive primarily targets organizations in the critical infrastructure supply chain. Key objectives include implementing safety measures, ensuring cooperation and information exchange, and mandating the reporting of cyber incidents.
- 2016: NIS1 came into force
- December 2022: NIS2 was signed
- October 17, 2024: Deadline for Member States to transpose NIS2 into national law
- January 2025: NIS2 comes into effect (The NIS2 Directive)
How do I know if I’m obligated to comply?
If you’re a business established in Europe and fall under these categories, please take necessary action in a timely manner to comply with NIS 2.
Different criteria are used to identify the public administrations within scope, which allows Member States to evaluate them more fully during the transposition phase.
Some specific categories of entities, including small businesses, are added and identified more specifically in the Directive.
From NIS to NIS 2: What has changed?
With the second version of the NIS Directive, EU legislation and member states aim to promote a standard, consistent set of cybersecurity practices and measures across the region. They emphasize improved risk management, incident reporting, and essential cybersecurity information-sharing. The implications of failing to comply are more severe than under the previous NIS directive.
| NIS | NIS 2 |
| --- | --- |
| Inconsistencies in adopting security measures across Europe | Consistent security measure implementation across Europe |
| Limited scope of sectors covered (7) | Expanded scope to include more sectors (15) |
| General guidelines for national authorities | Enhanced supervisory measures, coordinated risk assessments, and information sharing between member states |
| Limited enforcement and financial implications in case of non-compliance | Harsher fines and enforcement in case of non-compliance |
| No uniform regulation across the EU for disclosing non-compliance or incident reporting | Mandates for cybersecurity requirements and additional security and incident reporting obligations |
How can NIS 2.0 help you strengthen your business’s resilience?
Ten key measures for NIS 2 directive compliance
Article 21 of the NIS 2 Directive (Directive (EU) 2022/2555) lists the measures that essential and important entities must implement:
- Policies on risk analysis and information system security: Mentioned in Article 21(1)(a)
- Incident handling: Mentioned in Article 21(1)(b)
- Business continuity: Mentioned in Article 21(1)(c)
- Supply chain security: Mentioned in Article 21(1)(d)
- Security in network and information systems: Mentioned in Article 21(1)(e)
- Policies and procedures on cybersecurity risk management: Mentioned in Article 21(1)(f)
- Basic cyber hygiene practices and cybersecurity training: Mentioned in Article 21(1)(g)
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption: Mentioned in Article 21(1)(h)
- Human resources security, access control policies, and asset management: Mentioned in Article 21(1)(i)
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communication: Mentioned in Article 21(1)(j)
Achieve NIS 2 compliance: Act now
Ensure your compliance measures are not just on paper but put into effective practice with Group-IB’s industry-standard audit and consulting services. With our team of certified auditors and compliance professionals, ensure you overcome the challenges of achieving NIS 2 compliance with effective controls and frameworks to:
- Upgrade your cyber strategy and governance.
- Establish a control framework and implementation oversight.
- Conduct a security risk and gap analysis and develop a remediation plan.
- Ensure compliance in practice with continuous monitoring, management, and reporting.
- Define and enforce continuous compliance measures.
- Establish reporting parameters to meet obligations.
- Reinforce cybersecurity across the business with well-defined IT practices and enhanced security awareness and hygiene.
Manage all NIS 2 compliance requirements with Group-IB’s complete and comprehensive solution map
Begin your compliance journey with Group-IB today!
Contact our experts here or connect with Leonardo Cappabianca, Group-IB’s Global Pre-Sales and Engineering Manager.