NIS2 Directive Explained: Duty of Care for Data

What is the Network and Information System Directive 2?

In the digital age, cybersecurity is not just about protecting data; it is about ensuring the very fabric of our critical infrastructure remains intact and resilient against threats. The introduction of the Network and Information Security Directive 2 (NIS2) by the European Union marks a significant milestone in the journey toward a safer, more stable digital ecosystem. As data protection veterans, we have witnessed firsthand the evolution of digital threats and the increasing sophistication of cyber adversaries. It is against this backdrop that we delve into the importance of NIS2 and its potential to redefine the landscape of cybersecurity for essential and digital services.

An expansion and reinforcement of its predecessor, the NIS Directive (2016), NIS2 is a significant overhaul of the EU’s cybersecurity regulation landscape, aiming to bolster the overall level of cyber resilience across member states and any entities that do business with them. It extends the scope of the original NIS Directive by broadening the range of sectors and types of entities that fall under its jurisdiction, including those considered to play an ‘essential’ and ‘important’ role in the EU’s internal market. 

For such organizations, NIS2 presents a step up in security compliance — they will either find themselves included under the regulatory scope for the first time or held to much higher standards (and penalties) than under the previous directive.

NIS2 introduces more significant obligations, requiring entities to adopt comprehensive incident reporting mechanisms, robust risk management practices, corporate accountability measures, and effective business continuity strategies. Significantly, the NIS2 Directive also introduces significant consequences for non-compliance, including substantial fines and the potential for litigation. 

As an EU Directive, NIS2 will be subject to variances in implementation by member states. This will likely add a layer of complexity for businesses operating across borders within the EU. However, the message is clear: preparation is non-negotiable. Organizations across the EU must take proactive steps to understand the regulation, assess its implications for their operations, and develop an action plan to ensure compliance.

Who is Affected by NIS2?

NIS2 significantly expands the scope of regulation beyond its predecessor, casting a much wider net over a range of sectors deemed critical for the EU’s international market. This expansion covers not only sectors considered directly critical, but also those that are part of the supply chain to these sectors, increasing the number of companies and sectors now falling under regulatory scrutiny. 

A key development in NIS2 is the classification of entities into two categories: ‘essential’ and ‘important.’ This distinction affects the directive’s reach and the implications for different types of organizations.

Essential Entities

This category, also recognized under NIS, encompasses sectors foundational to societal and economic well-being. The following sectors fall under “essential entities”:

Energy

• Electricity, oil, and gas sectors, including production, distribution, and storage

Transport

• Air, rail, water, and road transport

Banking and Financial Market Infrastructures (also covered by the DORA Act)

• Banks, stock exchanges, and payment service providers

Healthcare

• Healthcare providers, research labs, and entities involved in the distribution of vaccines or medicinal products

Drinking Water and Wastewater Management

Digital Infrastructure

• Internet exchange points, DNS service providers, and data centers

Public Administration

• Central and regional organisations

For these entities, NIS2 reaffirms their critical status and escalates compliance requirements. For instance, incident reporting must occur within 24 hours — a major update from the previous directive. The most significant change for these companies is the introduction of substantial fines and consequences for non-compliance. So, the rules have changed, and the stakes have never been higher. 

Important Entities

“Important entities” are a brand-new addition to NIS2, meaning the directive will cover these organizations for the first time.

Postal and Courier Services

Manufacture of certain critical products

• Pharmaceuticals, chemicals, and medical devices

Waste Management

Public Administration

Space

• Ground-based space infrastructure

Research

Digital Services

• Social networking platforms, online marketplaces, and search engines

Food production, processing, and distribution

• Production and distribution of food of animal origin

Electronic Communications Networks or Services

Digital Service Providers

• Cloud Computing Services
• Content Delivery Network (CDNs)
• Managed Service Providers (MSPs)
• Managed Security Service Providers (MSSPs)

Given the breadth of the requirements and shorter timeline, this may present a steeper initial challenge. The good news for these entities is that the directive imposes less stringent obligations than organizations classified as ‘essential,’ with lower potential repercussions for non-compliance. However, the need to prepare should not be underestimated.

In short, the NIS2 Directive broadens the regulatory scope, covering more sectors and introducing a classification system that dictates the level of requirements and potential penalties. To understand how to prepare for NIS2, organizations must understand which classification they fall under to know what’s expected of them and the possible consequences.

What NIS2 Means for Organizations

Once organizations understand if (and where) they fall under the NIS2 scope, the next step is to gain clarity on the implications of the directive.

Introduction of Greater Consequences

The NIS2 Directive introduces stricter rules and brings more significant consequences for organizations in terms of compliance, cybersecurity obligations, and potential penalties. Here’s an overview of these consequences:

1. Broader Scope and More Stringent Requirements

Expanded Coverage: More sectors and entities are now under the scope of NIS2, meaning more organizations need to comply with the Directive’s cybersecurity obligations.Stricter Security Requirements: Organizations must implement stronger cybersecurity measures, such as incident detection, risk management, and supply chain security.

2. Increased Reporting Obligations

Mandatory Incident Reporting:

• Initial Notification: Organizations must report any significant cybersecurity incident to the competent national authority within 24 hours.
• Detailed Incident Report: A more detailed report must follow within 72 hours after the initial notification.

3. Stricter Enforcement and Penalties

Enhanced Oversight: National authorities will have stronger enforcement powers to supervise organizations, including the ability to conduct audits and require evidence of compliance.

Sanctions and Fines:

• Essential Entities: Fines can reach up to €10 million or 2% of the total global annual turnover, whichever is higher.
• Important Entities: Fines can reach up to €7 million or 1.4% of the total global annual turnover, whichever is higher.

Temporary Suspension: In severe cases of non-compliance, authorities can temporarily suspend the provision of services.

4. Mandatory Governance Measures

Management Accountability:

• Senior management must oversee cybersecurity risk management.
• Boards and top management can be held personally liable for non-compliance with the Directive’s obligations.

5. Third-Party and Supply Chain Risks

Vendor Management: Organizations must ensure that their third-party suppliers and service providers comply with cybersecurity standards.

Supply Chain Security: Organizations should assess the security of their supply chain and implement risk management processes.

6. Information Sharing and Collaboration

Information Exchange: Organizations are encouraged to share cybersecurity-related information within their sector to improve collective defense.

CSIRT Cooperation: Closer cooperation with Computer Security Incident Response Teams (CSIRTs) is required.

7. Risk Management Framework

Risk Assessment: Organizations need to regularly conduct comprehensive risk assessments.

Implementation of Measures: Based on risk assessments, organizations must implement appropriate technical and organizational measures, such as network security, incident handling, and business continuity planning.
Organizations affected by the NIS2 Directive will face greater regulatory scrutiny and more severe penalties if they fail to comply. It’s crucial for them to adapt by improving cybersecurity measures, incident response procedures, and governance frameworks to meet the new requirements.

Broad Organizational Responsibilities

The NIS2 Directive requires organizations to take a comprehensive and structured approach to cybersecurity, placing a range of responsibilities on essential and important entities. Here is a summary of these organizational responsibilities:

1. Cybersecurity Risk Management

Risk Assessment: Conduct regular cybersecurity risk assessments to identify and manage risks to the organization and its supply chain.

Security Policies: Implement comprehensive cybersecurity policies covering the entire organization.

2. Security Measures Implementation

Network Security: Ensure the security of network and information systems, including their physical and environmental security.

Access Control: Implement identity and access management systems to restrict unauthorized access.

Incident Response: Develop and maintain effective incident response and crisis management plans.

System Monitoring: Monitor networks and systems to detect cybersecurity incidents.

3. Incident Reporting

Initial Notification: Report significant cybersecurity incidents to the relevant national authority within 24 hours of detection.

Detailed Reporting: Provide a more comprehensive incident report within 72 hours.

Follow-Up Report: Submit a final report once the incident is resolved, detailing the root cause and remediation actions taken.

4. Supply Chain Security

Vendor Risk Management: Evaluate the cybersecurity posture of third-party suppliers and service providers.

Contractual Obligations: Include cybersecurity requirements in contracts with suppliers to ensure compliance.

5. Governance and Accountability

Management Oversight: Ensure that top management is involved in overseeing cybersecurity risk management.

Personal Liability: Senior management may be held personally liable for non-compliance with the Directive’s requirements.

Training and Awareness: Provide cybersecurity awareness training for employees and ensure regular skill updates.

6. Cooperation and Information Sharing

Information Sharing: Participate in information-sharing networks and share relevant threat intelligence with sector peers and authorities.

CSIRT Collaboration: Cooperate with Computer Security Incident Response Teams (CSIRTs) and other relevant national authorities.

7. Crisis Management and Resilience

Business Continuity Planning: Develop and maintain business continuity and disaster recovery plans.

Resilience Testing: Conduct regular exercises and testing to ensure system resilience.

8. Documentation and Audits

Record-Keeping: Maintain documentation of cybersecurity policies, risk assessments, and incident reports.

Audit Compliance: Be prepared for audits by national authorities and provide evidence of compliance.

9. Sector-Specific Measures

Sector-Specific Requirements: Implement additional measures specific to the organization’s sector as mandated by the Directive.

NIS2 mandates a holistic approach to cybersecurity that requires organizations to not only protect their own networks but also address risks across their supply chains and industry sectors. Compliance requires continuous improvement of cybersecurity strategies, governance, and reporting mechanisms.

While the broad requirements give companies a good steer on where to address their people, processes and technologies to prepare for NIS2, as with any regulation, the devil is in the details.

Reviewing the directive fully or working with a partner who understands the ins and outs is essential. Crucially, the challenge of tracking the variation across different member states will be pivotal to ensuring compliance, particularly for businesses working across states, or with states from abroad. 

Key Steps to Prepare for NIS2 Compliance

Organizations must proactively prepare as the NIS2 Directive takes shape across the European Union. This section outlines the key steps an entity should take to prepare for the NIS2 Directive:

Understanding the Directive

As with most business-wide projects, you need to start with a thorough plan and review what you currently have in place and where you need to get to. 

1. Understand the Scope

Identify Applicability: Determine if your organization falls under the “essential” or “important” entity category.

Map Critical Services: Identify all critical services and digital infrastructure that may be impacted by the Directive.

2. Conduct a Gap Analysis

Assessment Against NIS2: Compare your current cybersecurity practices with the NIS2 requirements.

Identify Gaps: Highlight gaps in policies, procedures, and technical measures that need addressing.

3. Develop a Compliance Roadmap

Prioritize Actions: Prioritize the actions required to address identified gaps.

Timeline: Create a timeline for achieving compliance, including milestones and responsible teams.

4. Strengthen Cybersecurity Governance

Assign Responsibility: Designate a Chief Information Security Officer (CISO) or equivalent role.

Management Oversight: Ensure senior management is engaged in cybersecurity strategy and governance.

Security, IT and compliance teams cannot meet NIS2 requirements on their own. It requires a team effort throughout. From initial planning stages to ongoing review and maintenance, ensure every affected party has a seat at the table. 

Cross-team collaboration: Implementing the required security measures and processes demands collaboration and buy-in from all levels of the organization. Leadership backing is crucial for initiating change and because NIS2 mandates corporate management’s responsibility for cybersecurity. IT, security, and operations teams must also work together to implement security, backup, and encryption measures effectively.

5. Implement a Cyber Risk Management Framework

Risk Assessment: Conduct regular risk assessments of critical assets and supply chains.

Mitigation Measures: Develop and implement risk mitigation measures based on the assessment results.

6. Enhance Incident Response Capabilities

Incident Response Plan: Update or establish an incident response and crisis management plan.

Reporting Mechanisms: Implement mechanisms for reporting incidents to authorities within the required timeframes. NIS2 mandates having a comprehensive plan for security incidents that includes maintaining operations and continuity during and after an incident. Therefore, businesses need to have a dedicated incident response team including stakeholders across different business units to define and regularly drill a robust incident response process.

Threat Detection: Early detection of incidents, such as ransomware attacks that may breach systems well in advance, is critical. Invest in threat detection capabilities, monitoring, alerts, and malware detection to catch incidents as early as possible.

Backup Strategy: Ensure up-to-date backups are in place, focusing on mission-critical data. It is recommended to follow the Veeam 3-2-1-1-0 Golden Backup Rule. This includes having three copies of data on two different media, with one copy offsite and one to be air-gapped, immutable, or offline, and aiming for zero errors in backup and recovery verification.

Response and Recovery: Develop processes for incident reporting and communication during an incident. For recovery, have disaster recovery processes in place to ensure business continuity. Reliable backups are crucial, but a robust recovery process that includes planning for recovery in a separate, secure environment is vital to minimize downtime and its associated costs.

Strategic Planning for Recovery Environments: It is crucial that organizations consider their recovery environments. Often, you cannot recover in the same environment where the incident occurred. Planning for a separate, secure recovery environment in advance is essential.

7. Strengthen Supply Chain Security

Vendor Risk Management: Evaluate and monitor the cybersecurity practices of suppliers and third parties.

Contractual Clauses: Include cybersecurity requirements in supplier contracts.

8. Improve Security Monitoring and Testing

Continuous Monitoring: Deploy tools for network and system monitoring.

Security Testing: Conduct regular penetration testing, vulnerability assessments, and phishing simulations.

9. Increase Employee Awareness and Training

Training Programs: Provide regular cybersecurity training to employees, tailored to their roles.

Simulations: Conduct security awareness campaigns and phishing simulations.

It’s crucial that this training isn’t a one-time action, but a continuous process that helps maintain awareness of responsibilities long-term, evolves over time, and onboards new employees effectively.

10. Prepare for Audits and Documentation

Record-Keeping: Document all cybersecurity measures, incident reports, and risk assessments.

Audit Readiness: Conduct internal audits to ensure compliance and identify areas for improvement.

11. Engage in Information Sharing

Information Sharing Networks: Join relevant information-sharing networks in your sector.

CSIRT Collaboration: Build relationships with Computer Security Incident Response Teams (CSIRTs) for coordinated incident response.

12. Stay Updated on Sector-Specific Guidelines

National Guidelines: Follow guidelines and best practices issued by relevant national authorities.

Sector Standards: Implement additional sector-specific measures as required.

Navigating NIS2 with Veeam

As the European Union introduces the NIS2 Directive, businesses across various sectors need to bolster their cybersecurity and resilience practices. 

Wherever businesses are subject to the directive’s scope, preparing for it will be a fresh challenge — ‘important’ entities are navigating these waters for the first time. In contrast, ‘essential’ entities must meet even stricter requirements than before. Despite the variance in the execution of details and requirements by different EU member states, the overarching principles of NIS2 are consistent enough for organizations to begin preparing now. 

While it’s easy to view this kind of regulatory obligation as an inconvenience or burden, organizations should embrace it. The practices and requirements defined in NIS2 are essential for protecting businesses from scaling cyber threats — companies need to be moving towards these practices if they are not already part of their security posture. 

How Veeam Can Help

Meeting NIS2 requirements is an organization-wide, top-to-bottom mission. For many businesses, this will require implementing a host of new processes and technologies.  

Veeam Data Platform is well-positioned to help entities meet various NIS2 requirements, particularly around data hygiene, reporting, auditing, data backup, and disaster recovery. Veeam Data Platform includes Veeam Backup & Replication, Veeam Recovery Orchestrator, and Veeam ONE for monitoring and alerting, offering a robust foundation for securing digital assets and boosting cyber resilience.

• Veeam Backup & Replication: Secures data against loss and threats by providing reliable backup and replication for all workloads.
• Veeam Recovery Orchestrator: Ensures the rapid recovery of critical services with automated disaster recovery, planning and testing.
• Veeam ONE: Provides advanced monitoring, reporting, and capacity planning for your Veeam backup environment, enhancing your ability to maintain business continuity and meet compliance requirements.
• Veeam Security & Compliance Analyzer: Ensure successful recovery with automated scans, leveraging infrastructure hardening and data protection best practices
• Veeam Threat Center: Highlight threats, identify risks and measure the security score of your environment

Veeam’s solutions are designed to be a vital part of your cybersecurity toolbox, helping your organization navigate the complexities of NIS2 compliance. However, preparation for NIS2 extends beyond the capabilities of any single provider. It involves a commitment to ongoing cybersecurity education, the adoption of best practices, and the willingness to invest in the necessary technologies and processes to protect against evolving threats.

Speak with a Veeam expert today to understand how Veeam can help your organization become NIS2-ready. Discover how Veeam’s data protection and management solutions can fortify your cybersecurity posture, ensure compliance with NIS2, and safeguard your organization’s future in the face of emerging cyber threats.

Conclusion

The NIS2 Directive represents a pivotal advancement in the European Union’s approach to cybersecurity. By expanding the scope of the original NIS Directive and introducing stricter compliance requirements, NIS2 aims to reinforce the security and resilience of essential and important entities across multiple sectors.

Key Insights

Broader Scope and Coverage: The Directive’s expanded scope now includes a wider range of sectors and entities, ensuring that critical infrastructure and digital services are adequately protected from evolving cyber threats.

Enhanced Risk Management and Incident Response: The emphasis on comprehensive risk management frameworks, coupled with stringent incident reporting requirements, underscores the EU’s commitment to proactive cybersecurity governance.

Governance and Accountability: The Directive mandates a more accountable governance structure, engaging senior management directly in cybersecurity oversight and making them liable for non-compliance.

Third-Party and Supply Chain Risks: Organizations are now required to manage third-party and supply chain risks meticulously, reflecting the interconnected nature of modern business environments.

Stricter Enforcement and Penalties: The implementation of significant penalties and enhanced oversight mechanisms signals the EU’s seriousness in driving compliance and deterring negligence.

Implications for Organizations

For organizations, NIS2 is not just a regulatory requirement but a strategic imperative that necessitates a comprehensive transformation of their cybersecurity practices. They must undertake a holistic review of their current security posture, implement robust risk management processes, and strengthen incident response capabilities. Moreover, they need to ensure that supply chain partners are also aligned with NIS2 requirements.

Moving Forward

To succeed in this new regulatory landscape, organizations must adopt a proactive stance toward cybersecurity. By following a structured approach that includes understanding the Directive’s scope, conducting gap analyses, and developing a detailed compliance roadmap, organizations can achieve NIS2 compliance while simultaneously enhancing their overall cybersecurity resilience.

Final Thought

The NIS2 Directive offers a blueprint for achieving cybersecurity excellence across the EU. As organizations navigate this transformative journey, embracing the Directive’s principles will not only ensure compliance but also contribute to building a safer and more resilient digital ecosystem in Europe.

Continue reading about NIS2 and its potential implications for your business, by downloading our whitepaper The NIS2 Directive: What to Know and How to Prepare.