Security Solutions

6 mins

The EU’s new NIS2 cybersecurity directive: Everything you need to know

As businesses have seen the number of digital tools available to them grow rapidly, they have also had to manage increasingly stringent compliance demands. These demands vary by industry and geography, of course, but the direction of travel is clear. However, even with regulatory demands increasing, recent findings by ENISA state that 37% of essential services lack a Security Operations Center (SOC). At the same time, cybersecurity expenditure is falling in many companies. This makes it especially challenging to meet new compliance demands.

One of the recent regulatory shifts that businesses have had to get used to concerns the European Union’s (EU) NIS2 Directive. Issued on January 16th, 2023, organizations in member states have until October 17th, 2024, to comply. But what will this compliance involve? 

The NIS2 directive explained

The EU is well known for taking a pioneering stance on cybersecurity regulations. This was evident in 2016 when it introduced the Directive on security of network and information systems (NIS Directive). Aimed at establishing a high-level cybersecurity standard across all member states, the NIS Directive focused on the operators of essential services and digital service providers (DSPs). Essential services included organizations connected to energy, transport, banking, and health. DSPs, meanwhile, mainly targeted cloud service providers, online marketplaces, and search engines.

The original NIS Directive now has a successor. Looking to further strengthen cybersecurity across the EU, NIS2 introduces a cyber crisis management structure (CyCLONe) to harmonize security requirements and extend its reach into new areas like supply chain, vulnerability management, core internet, and cyber hygiene. NIS2 also boasts a more tangible framework with minimum basic security standards that apply to a broader range of businesses. There is also heightened supervision and enforcement of those standards.

As well as simply introducing new rules, NIS2 also hopes to foster greater collaboration among member states through the establishment of a voluntary peer review group. This demonstrates that the establishment of NIS2 is not just a legal evolution but a strategic one. 

What NIS2 means for your business

There are a number of sectors that now fall under the scope of the NIS2 Directive. These include food, manufacturing, waste management, public administration, and more. This is on top of several industries that were already covered by the original NIS Directive, such as energy, health, and banking. Below, we’ve provided a more detailed breakdown of what NIS2 means for certain sectors: 

  • Energy: 

The vital role that the energy sector plays within national economies means that it represents a highly prized target for cybercriminals. It also means that it has received specific guidelines under NIS2. These include technical and organizational measures for incident prevention, detection, and response. Mandates around the protection of personal data processed by energy companies and the reporting of data security incidents are also imposed. It’s hoped that these regulatory changes will help strengthen consumer confidence in the sector while fostering competition, sustainability and market growth.

  • Digital infrastructure:

In terms of digital infrastructure, NIS2 also represents a cybersecurity evolution. Encompassing telecoms, DNS, TLD, data centers, trust services, and cloud solutions, the new legislation emphasizes the importance of physical security upgrades, as well as incident response and recovery planning. For example, compliance with NIS2 requires the installation of physical safeguards like security cameras and asks that businesses develop robust incident response and recovery plans. The measures acknowledge the importance of the sector to the modern economy, with digital infrastructure expected to contribute €85.4 billion in revenue across the bloc.

  • Food:

While the connection between the food industry and cybersecurity may not initially appear obvious, a quick look at the sector’s supply chain complexity makes things a little clearer. This supply chain, involving millions of small organizations, faces a number of risks, including vulnerable IoT devices, ransomware attacks, a dependence on legacy systems, and threats stemming from third-party access. The NIS2 Directive addresses specific risks in the food sector across the EU by encouraging robust supply chain management. Organizations must now ensure suppliers and partners meet cybersecurity standards through a more rigorous vetting process and increased collaboration.

  • Health:

The healthcare sector, including public and private healthcare providers, medical equipment, medicine manufacturers, and medical insurance providers, is a cornerstone of European society and the economy. However, there is a lack of standardization in security measures here, an ongoing use of outdated technology, limited resources and understaffed IT teams. The essential nature of the healthcare sector means it is subject to some of the most stringent NIS2 mandates. Organizations will now have to conduct regular testing and updates of their cybersecurity systems, as well as provide staff training on cyber hygiene and incident response planning.

  • Finance:

In addition, organizations in the finance sector may want to pay particular attention to developments around NIS2. As well as stipulations that emerge directly from the regulation, such as those related to data encryption, finance firms must also be mindful of how the Digital Operational Resilience Act (DORA) impacts them. Aimed at enhancing operational stability in the financial sector, DORA covers many of the same measures mentioned by NIS2 - but some differences are present. As such, it is important for financial firms to look at ways they can harmonize security practices to meet the demands of both DORA and NIS2.

Strategize to meet stakeholder needs

On October 18th, 2024, the existing NIS Directive will be repealed, and businesses will have to prove compliance with the new NIS2 Directive. This means there is a transition period to allow organizations to get to grips with the updated regulations. The efforts of a variety of stakeholders will be required to ensure this transition is as smooth as possible, including CEOS, CISOs, CTOs, and other board members. SMEs, many of which may find compliance a challenge given limited budgets, will also be crucial to compliance across all member states. 

With the timeline for the NIS2 Directive set, organizations must outline their strategic blueprints for achieving compliance now. Businesses should conduct a thorough assessment of their vulnerability management plan, recognizing that a recalibration of penetration testing and a more robust risk-based vulnerability management strategy may be needed. 

In addition to the technical enhancements that organizations should implement to achieve NIS2 compliance, a greater emphasis should be placed on fostering a cybersecurity-aware culture. This involves implementing comprehensive cyber hygiene practices, conducting regular cybersecurity training, and ensuring adherence to cryptographic and encryption protocols. NIS 2 readiness will require security improvements that are both human and technological in nature. 

How Hadrian can help with NIS2 compliance

Preparing for NIS2 compliance will require proactive measures, strategic planning, and a commitment to elevating cybersecurity practices. It will also require better penetration testing and risk-based vulnerability management, attack surface management, automated penetration testing, vulnerability management and exposure management. Hadrian can help you achieve all of this and more.

Hadrian provides continuous asset discovery, simulates hacker techniques through event-based AI, and offers third-party risk monitoring. Through automation, Hadrian allows you to meet the added regulatory demands of NIS2 - without an added burden on your security teams.

To find out more about NIS2, what it means for your organization and how you can achieve compliance, download our eBook Securing Tomorrow: Hadrian's Guide to NIS2 Compliance now.

Book a demo

Get started scanning in 5 minutes

We only need your domain for our system to get started autonomously scanning your attack surface.

Book a demo