Who does NIS2 apply to?


What is NIS2?

NIS2, also known as the second version of the Network and Information Security Directive, is a comprehensive framework designed to enhance the cybersecurity measures and protection of essential services and critical infrastructure across the European Union. It applies to a wide range of organizations and entities, including essential entities, public administrations, financial market infrastructures, digital service providers, and digital infrastructure providers. The directive aims to establish a common level of cybersecurity across member states by requiring entities to implement robust cybersecurity risk management measures, conduct security audits, and effectively respond to and report any security incidents. Additionally, NIS2 places an emphasis on the cooperation between competent authorities and mandates the establishment of security incident response teams. The directive also extends its scope to key sectors like healthcare, transportation, energy, water, and waste management, recognizing their critical role in maintaining essential services and the need for robust cybersecurity practices.

Who does NIS2 apply to?

NIS2, or the Network and Information Security Directive, applies to a wide range of sectors and organizations. These include essential service providers such as energy, transportation, health, and financial sectors, as well as important service providers like digital service providers, cloud computing service providers, and online marketplaces. The directive also covers public administrations, including national and regional authorities, as well as organizations involved in postal and courier services.

In terms of compliance monitoring, there is a distinction between essential and important organizations. Essential service providers, which are critical for the functioning of society, are subject to stricter monitoring and obligations. They are required to assess the level of cybersecurity risks they face, implement appropriate security measures, notify incidents, and take necessary steps to ensure business continuity.

Important service providers, on the other hand, are subject to a less stringent compliance regime. They are required to take appropriate cybersecurity risk management measures but with a more flexible approach, taking into account the size and nature of their business. Compliance monitoring for important service providers focuses on self-assessment, the adoption of security measures, and regular reporting.

Essential services covered by NIS2

Essential services covered by NIS2 are critical for the functioning of society and are subject to stricter compliance monitoring and obligations. These services include sectors such as energy, transportation, banking, financial market infrastructures, healthcare, water supply, and digital infrastructure. Essential service providers are required to assess the level of cybersecurity risks they face, implement appropriate security measures, notify incidents, and take necessary steps to ensure business continuity. This includes having security incident response teams, conducting security audits, and having crisis management and reporting obligations in place. The NIS2 directive aims to enhance the cybersecurity of these vital sectors and ensure their resilience against cyber threats, operational disruptions, and potential crises. It also emphasizes the importance of cooperation and information sharing among essential service providers, competent authorities, and national authorities to effectively address cybersecurity risks and protect the critical infrastructure of member states.

Electricity sector

The NIS2 directive applies to various sectors, including the electricity sector, in order to strengthen cybersecurity across critical infrastructure. Entities within the electricity sector are required to implement robust cybersecurity risk management measures to mitigate cyber threats and ensure the continuity of essential services.

According to NIS2, essential entities within the electricity sector are those whose operational disruption would have a significant impact on economic and social activities. Important entities, on the other hand, are those whose operational disruption would have a noticeable impact on economic and social activities. The criteria for determining these entities are based on factors such as their role in the supply chain, their annual turnover, and their level of cybersecurity.

Entities in the electricity sector have specific cybersecurity requirements and reporting obligations. They are required to establish security policies, implement appropriate cybersecurity measures, and conduct regular security audits. Additionally, they must provide a detailed description of their cybersecurity practices and incident notification procedures. Any security incident must be reported to the competent authorities without undue delay.

The competent authorities and national regulatory authorities play a crucial role in overseeing the cybersecurity of the electricity sector. They are responsible for enforcing the NIS2 directive, evaluating the cybersecurity risk-management measures implemented by entities, and ensuring compliance with the national legislation. These authorities work towards enhancing the overall resilience of the sector and ensuring the security of digital infrastructure.

Drinking water and waste water sectors

The drinking water and waste water sectors are considered essential services under NIS2. These sectors play a critical role in maintaining public health and ensuring the overall well-being of society. Any disruption to these services can have significant impacts on economic and social activities, making them essential entities that require special attention to cybersecurity.

Given the potential cybersecurity risks and the need to protect critical infrastructure, cybersecurity risk-management measures are of utmost importance within these sectors. It is essential for drinking water and waste water entities to implement robust cybersecurity measures to safeguard their systems and prevent any potential cyber threats.

Specific cybersecurity requirements apply to entities within the drinking water and waste water sectors. These requirements include the establishment of security policies to guide cybersecurity practices, the implementation of appropriate security measures, and conducting regular security audits to assess vulnerabilities and ensure compliance.

Furthermore, these entities are obligated to have incident notification procedures in place to report any security incidents to the competent authorities promptly. Such incidents must be reported without undue delay to enable swift response and effective crisis management.

By adhering to these cybersecurity requirements and implementing robust risk-management measures, the drinking water and waste water sectors can ensure the security and continuity of their essential services, contributing to the overall resilience of critical infrastructure.

Transport sector

The transport sector plays a vital role in the functioning of any country, and ensuring the security and resilience of its infrastructure is crucial. In light of this, the NIS2 Directive (Network and Information Systems Directive) includes provisions that apply to various organizations and services within the transport sector.

The NIS2 directive encompasses a wide range of organizations and services within the transport sector, such as courier services, postal services, and even financial market infrastructures that support the sector’s operations. These organizations are required to adhere to specific cybersecurity measures to protect their networks and information systems effectively.

Implementing robust cybersecurity measures in the transport sector is essential for several reasons. Firstly, the reliance on digital infrastructure and technology in this sector makes it vulnerable to cyber threats. By having appropriate security measures in place, transport organizations can detect and prevent potential threats, minimizing the risk of operational disruption and ensuring the continuity of essential services.

Secondly, the transport sector often handles sensitive data, both from within the organization and from customers. Cybersecurity measures safeguard this data and mitigate the risk of unauthorized access or data breaches, protecting the privacy and trust of individuals and organizations using transport services.

Digital service providers (DSPs)

Digital service providers (DSPs) encompass various online platforms and services that are covered under the NIS2 directive. This includes popular platforms such as social networks, search engines, and online marketplaces. These platforms play a significant role in the digital economy and are considered essential entities due to their widespread use and impact on users.

The NIS2 directive also recognizes that size or criticality are not the only determining factors for an entity to be considered essential or important. Even if a DSP does not meet the size criteria, it may still be classified as essential or important if it is the sole provider of a critical service within a Member State. This ensures that even smaller DSPs that provide essential services are held accountable for their cybersecurity practices.

By including DSPs within its scope, the NIS2 directive aims to enhance the level of cybersecurity in the digital landscape. It establishes measures such as security audits and incident notification requirements to strengthen the resilience of digital service providers against cyber threats. In doing so, it helps protect user data, ensure the integrity of online platforms, and maintain trust in the digital ecosystem.

Health services

Health services are among the essential entities that fall under the scope of the NIS2 directive. This means that healthcare organizations, including hospitals, clinics, and other healthcare providers, have certain obligations and cybersecurity requirements to adhere to.

Under NIS2, entities in the health sector are required to implement measures and safeguards to ensure the security of health services. This includes conducting security audits and risk assessments to identify and address vulnerabilities. Additionally, entities are expected to establish incident notification procedures and maintain incident response teams to promptly react to and mitigate any security incidents that may occur.

To enhance cybersecurity measures, healthcare organizations should implement appropriate technical and organizational controls. This can include ensuring secure access controls, regularly updating and patching systems, encrypting sensitive data, and monitoring network traffic for potential threats. Organizations are also encouraged to provide cybersecurity training to staff members to help them identify and respond to cyber threats effectively.

By complying with these obligations and implementing robust cybersecurity measures, entities in the health sector can better protect patient data, maintain the integrity of health services, and contribute to the overall cyber resilience of the sector.

Supply chain security

Supply chain security plays a crucial role in mitigating cybersecurity risks within the framework of the NIS2 Directive. The NIS2 Directive aims to enhance the overall cybersecurity posture of critical sectors, essential entities, and digital service providers. In order to achieve this, a comprehensive understanding of supply chain security is necessary.

The NIS2 Directive places certain security obligations on organizations to safeguard their supply chains. Firstly, organizations are required to conduct thorough risk analyses to identify potential vulnerabilities in their supply chain networks. This helps in assessing the overall cybersecurity risks involved and taking appropriate measures to mitigate them.

Furthermore, organizations must develop robust business continuity plans to ensure the resilience of their supply chains. This involves developing alternative strategies to maintain operations during cybersecurity incidents or disruptions. Additionally, regular cybersecurity testing and audits are crucial to assess the effectiveness of security measures implemented within the supply chain.

Encryption also plays a vital role in ensuring supply chain security. Organizations must implement encryption measures to protect sensitive information transmitted across the supply chain network. This helps in safeguarding against unauthorized access and data breaches.

Another important aspect in supply chain security within the NIS2 framework is the concept of classifying entities as 'essential' or 'important'. Such classification has a significant impact on cybersecurity risk management and reporting obligations. Essential entities are subject to stricter cybersecurity requirements and must adhere to more stringent security measures, as they play a critical role in maintaining essential services and critical infrastructure.

Management bodies of essential entities (MBEEs)

The NIS2 Directive places significant responsibilities and obligations on the management bodies of essential entities (MBEEs) to ensure the security and resilience of their organizations. MBEEs are tasked with approving and overseeing the implementation of cybersecurity risk management measures within their entities.

One of the primary responsibilities of MBEEs is to assess the level of cybersecurity risks that their organization faces and develop appropriate risk management measures. This includes conducting regular risk assessments, implementing security policies and procedures, and monitoring the effectiveness of the implemented measures. MBEEs are also responsible for ensuring that their organization complies with national legislation and the requirements outlined in the NIS2 Directive.

Failure to fulfill these obligations can result in significant liability for MBEEs. If an essential entity suffers a cybersecurity incident or breach due to inadequate risk management measures, the MBEE and its members may be held accountable. This emphasizes the importance of taking cybersecurity seriously and implementing robust measures to mitigate risks.

To enhance the cybersecurity capabilities of MBEEs and their organizations, the NIS2 Directive mandates cybersecurity training for the members of MBEEs. This training ensures that they have the necessary knowledge and skills to understand and address cybersecurity risks effectively. Additionally, the Directive encourages regular cybersecurity training for all employees within essential entities to foster a culture of cyber awareness and preparedness.

By prioritizing cybersecurity risk management measures, overseeing their implementation, and providing adequate training, MBEEs play a crucial role in safeguarding the security and resilience of essential entities and the critical services they provide.

Initial report on MBEEs’ competence authority requirements

The NIS2 Directive outlines specific competence authority requirements for the management bodies of essential entities, also known as MBEEs. These requirements aim to ensure that MBEEs have the necessary expertise and knowledge to effectively oversee and approve cybersecurity risk management measures.

The competence authority requirements mandate that the management bodies of essential entities possess the necessary skills and competencies in the field of cybersecurity. This includes a deep understanding of cyber threats, security measures, and cybersecurity practices. The management bodies must have individuals who are knowledgeable about the specific risks facing the organization and the sector in which it operates.

In terms of specific responsibilities and obligations, the management bodies of essential entities are tasked with approving and overseeing cybersecurity risk management measures. This involves evaluating the level of cybersecurity risks faced by the organization and developing appropriate risk management measures. The management bodies must ensure that these measures are effectively implemented and monitored for their efficiency.

Additionally, the NIS2 Directive requires MBEEs to provide cybersecurity training to their members. This training helps to enhance their understanding of cybersecurity risks and equips them with the necessary skills to address and mitigate these risks effectively. The Directive also encourages regular cybersecurity training for all employees within essential entities to foster a culture of cyber awareness and preparedness throughout the organization.

Regarding reporting obligations, MBEEs are required to follow a two-stage approach. The initial report must be submitted to the competent authority within a specified timeframe after the detection of a security incident. This report must contain a detailed description of the incident, including the impact and any measures taken to mitigate it. The final report, which provides additional information and updates, must be submitted within a specified timeframe after the initial report.

Cybersecurity requirements of NIS2

Introduction:

The NIS2 Directive imposes important cybersecurity requirements on essential entities, aiming to strengthen the overall cybersecurity posture of critical sectors. These requirements focus on the competencies and responsibilities of management bodies, the provision of cybersecurity training, and reporting obligations. By enforcing these measures, the directive aims to enhance the level of cybersecurity preparedness, response, and resilience across essential entities, ultimately safeguarding critical infrastructure, digital service providers, and other vital sectors from cyber threats. Let's explore these requirements in more detail.

Competent authorities and national regulatory authorities

Competent authorities and national regulatory authorities play a crucial role in overseeing and enforcing NIS2 compliance. These entities are responsible for ensuring the implementation of cybersecurity risk management measures and holding entities accountable for non-compliance.

Competent authorities are typically designated by each EU member state to oversee the implementation of NIS2 requirements within their respective countries. They are responsible for approving cybersecurity risk management measures proposed by entities in critical sectors and ensuring their effective implementation.

National regulatory authorities, on the other hand, are the authorities responsible for supervising and enforcing NIS2 compliance within their specific sectors. They are tasked with monitoring the adherence to cybersecurity measures and assessing the level of cybersecurity implemented by entities within their sector.

Both competent authorities and national regulatory authorities have the power to enforce compliance with NIS2 regulations and take appropriate measures when non-compliance is identified. This can include imposing fines or penalties, conducting security audits, or requiring certain entities to improve their cybersecurity practices.

Cybersecurity risk management measures for essential entities

Under NIS2, essential entities are required to implement cybersecurity risk management measures to ensure the security and resilience of their network and information systems. These measures encompass various aspects of cybersecurity to effectively mitigate potential risks and ensure business continuity.

One important measure is conducting a thorough risk analysis to identify and assess potential vulnerabilities and threats. This analysis helps essential entities understand their cybersecurity risks and implement appropriate measures to address them.

Incident handling is another critical aspect of cybersecurity risk management. Essential entities should establish robust incident response procedures to detect, respond to, and recover from security incidents in a timely and effective manner. This includes incident reporting, analysis, and documentation.

To maintain uninterrupted business operations, essential entities should implement business continuity measures. This involves developing backup strategies, disaster recovery plans, and ensuring redundancy in critical systems and infrastructure.

Supply chain security is also a focal point. Essential entities need to evaluate and monitor the cybersecurity measures of their suppliers and partners to prevent potential vulnerabilities and data breaches through the supply chain.

Finally, essential entities should prioritize security in network and information system acquisition. This means assessing the cybersecurity capabilities of products and services before procurement and ensuring that security requirements are met throughout the lifecycle of these systems.

Assessing the effectiveness of these measures, implementing basic cyber hygiene practices, and providing cybersecurity training to employees are key factors in ensuring the efficiency and adequacy of cybersecurity risk management measures for essential entities.

Annual turnover requirement determination

The annual turnover requirement for NIS2 is a significant factor in determining which companies and organizations are subject to the directive. Several factors are taken into account when calculating the annual turnover.

The determination of the annual turnover requirement involves considering the worldwide turnover of the entity in question. This means that the turnover generated by the company from all its operations worldwide within a specific period is considered. The turnover calculation includes revenue from the provision of goods or services, as well as any other income generated by the entity.

The annual turnover requirement serves as a criterion to identify companies and organizations that fall within the scope of NIS2. It helps ensure that only relevant entities, which have a significant economic impact and potential to cause operational disruption, are subject to the directive.

For companies, the annual turnover requirement is important as it determines their obligations and responsibilities regarding cybersecurity risk management and reporting obligations. It also reflects the level of cybersecurity measures and practices expected from them.

On the other hand, relevant authorities use the annual turnover requirement as a means to identify and prioritize essential entities operating in critical sectors. This enables them to allocate resources and regulatory efforts effectively to enhance cybersecurity in the most critical areas.
