What is the NIS2 Directive?
The European Union’s Network and Information Security Directive (NIS) is a legislative act that aims to achieve a high common level of cybersecurity for organizations across the European Union. Originally adopted in 2016, NIS relied heavily on the discretion of individual member states and lacked accountability.
On January 16, 2023, in response to growing threats posed by increasing digitalization and the surge in cyber-attacks, the EU adopted NIS2 to strengthen security requirements and cyber resilience. The EU’s 27 Member States have until October 17, 2024 to transpose the NIS2 Directive into applicable, national law.
NIS2 expands the original NIS Directive to cover more industry sectors, with additional risk-management measures and incident reporting obligations. It also provides for stronger enforcement. NIS2 adds to NIS in 4 key areas:
- Expanded scope: NIS2 extends its reach to more sectors, moving from seven to eighteen. NIS2 has also categorized sectors as essential or important, with different supervision requirements.
- More stringent security requirements: The Directive enforces stricter cybersecurity measures. These requirements involve risk management practices, technical and organizational measures, incident response and recovery plans, employee training, and frequent updates and patching.
- Mandatory incident reporting with specific timeframes: NIS2 requires organizations to report significant cybersecurity incidents, which are those that are likely to adversely affect the provision of the organization’s services. Organizations must provide an “early warning” report, using a standardized format and a shortened reporting timeframe of 24 hours, followed by an Incident Notification within 72-hours of first becoming aware of the incident, as well as a Final Report within 30 days.
- Enforcement through penalties: The NIS2 Directive imposes more severe penalties for non-compliance, including increased financial penalties.
NIS2 has expanded the directive's scope from 7 sectors to 18. The previous version of NIS identified healthcare, transport, digital infrastructure, water supply, banking, financial market infrastructure, and energy as essential sectors. NIS2 adds digital service providers, waste management, pharmaceutical and labs, space, and public administration to the ‘Essential’ sectors category. NIS2 also adds an ‘Important’ sector category, including public communications providers, chemicals, food producers and distributors, critical device manufacturers, social network and online marketplaces, and courier services.
Essential entities must comply with supervision requirements, while important entities will only be subject to ex-post supervision. Ex-post supervision means that supervision action will be taken only if authorities receive evidence of non-compliance.
Article 21 of NIS2 states, “Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or the provision of their services and to prevent or minimize the impact of incidents on recipients of their services and on other services.” The goal of Article 21 is to protect network and information systems and the physical environment of those systems from incidents and shall include at least the following:
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management, disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in the network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies, and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
Article 23 of NIS2 requires that every significant cybersecurity incident “…that has a significant impact on the provision of their services…” be reported, whether or not the attack actually affected the entity’s operations. The most significant change around incident reporting is how the NIS2 Directive details the mandatory multi-stage incident reporting process and the content that must be included.
Early Warning:
Within 24 hours. An initial report must be submitted to the competent authority or the nationally relevant CSIRT within 24 hours of a cybersecurity incident. The initial report should provide an early warning where there may be cross-border impact or maliciousness involved. This first notification is intended to limit the potential spread of a cyber threat.
Follow-up Incident Notification:
Within 72 Hours. A more detailed notification report must be communicated within 72 hours. It should contain an assessment of the incident, including its severity, impact, and indicators of compromise. The impacted entity should also report the incident to law enforcement authorities if it was criminal.
Final report: Within one month.
A final report must be submitted within one month after the initial notification or first report. This final report must include:
- A detailed description of the incident.
- The severity and consequences.
- The type of threat or cause likely to have led to the incident.
- All applied and ongoing mitigation measures.
Additionally, under the NIS2 Directive, entities must report any major cyber threat they identify that could result in a significant incident. A threat is considered significant if it results in:
- Material operational disruption or financial losses for the entity concerned.
- It may affect natural or legal persons by causing significant material or immaterial damage.
Failure to comply with the NIS2 Directive comes with stricter penalties than NIS. Under the NIS2 Directive, penalties for non-compliance differ for essential entities and important entities.
- For essential entities, administrative fines can be up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
- For important entities, administrative fines can be up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.
White Paper
Network and Information Security Directive 2 (NIS2)
Discover how organizations comply with the NIS2 Directive through our comprehensive cybersecurity solutions and learn more about NIS2 requirements.
How Thales Helps with NIS2 Compliance
Thales and Imperva, a Thales company, deliver a broad portfolio of complementary application security, data security, and identity & access management products to provide a comprehensive solution that helps address NIS2 requirements. We can help Essential and Important entities in complying with NIS2 by addressing essential cybersecurity risk-management requirements under article 21 and helping organizations produce complete, accurate and timely reports to meet article 23 requirements.
NIS2 Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address Key NIS2 Requirements
How Thales helps:
- Discover and classify potential risk for all public, private and shadow APIs.
- Identify structured and unstructured sensitive data at risk on-premises and in the cloud.
- Identify current state of compliance, documenting gaps, and providing a path to full compliance.
How Thales helps:
- Speed up incident handling by automatically opening and updating ServiceNow tickets.
How Thales helps:
- Mitigate of DDoS attacks in as little as three seconds.
- Implement preventive measures to predict and avoid crisis situations.
How Thales helps:
- Reduce third party risk by maintaining on-premises control over encryption keys protecting data hosted by in the cloud.
- Ensure complete separation of roles between cloud provider admins and your organization, restrict access to sensitive data.
- Monitor and alert anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Data-centric security, regardless means simple sensors can provide security and compliance across the broadest data environment.
How Thales helps:
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
How Thales helps:
- Encrypt data-at-rest on-premises, across clouds, and in big data or container environments.
- Pseudonymize sensitive information in databases.
- Streamline key management in cloud and on-premises environments.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Protect data in motion with high-speed encryption.
How Thales helps:
- Limit the access of internal and external users to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Prevent password fatigue with Smart Single Sign-On with conditional access.
- Create frictionless, secure and privacy protected access for your customers.
How Thales helps:
- Enable Multi-factor Authentication (MFA) with the broadest range of hardware and software methods and form factors.
- Build and deploy adaptive authentication policies based on the sensitivity of the data/application.
How Thales helps:
- A year's worth of retained records are instantly accessible for detailed search and investigation. Audit data is archived automatically but remains accessible in seconds for queries and reporting.
