
NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation that establishes comprehensive security and incident reporting requirements for essential and important entities across critical sectors. Effective October 18, 2024, NIS2 significantly expands the scope and enforcement of its predecessor (NIS1), covering more sectors and imposing stricter obligations.

ISMS Copilot has dedicated knowledge of NIS2 requirements. You can ask framework-specific questions, generate policies aligned with NIS2 articles, and assess compliance gaps using the AI assistant.

Who Needs NIS2 Compliance?

NIS2 applies to organizations operating in the EU across 18 critical sectors, categorized as:

Essential Entities (higher criticality):

  • Energy (electricity, oil, gas, hydrogen)

  • Transport (air, rail, water, road)

  • Banking and financial market infrastructures

  • Health sector (healthcare providers, laboratories, medical device manufacturers)

  • Drinking water and wastewater

  • Digital infrastructure (internet exchange points, DNS providers, cloud services, data centers)

  • Public administration

  • Space

Important Entities (moderate criticality):

  • Postal and courier services

  • Waste management

  • Chemicals production and distribution

  • Food production and distribution

  • Manufacturing (medical devices, electronics, machinery, motor vehicles)

  • Digital providers (online marketplaces, search engines, social networks)

  • Research organizations

Size thresholds vary by member state, but NIS2 generally applies to medium and large organizations (50+ employees or €10M+ annual turnover). Small and micro entities may be included if they provide critical services.

Core Security Requirements

NIS2 mandates a comprehensive set of cybersecurity measures across ten domains:

  1. Risk management: Identify and assess cybersecurity risks to network and information systems

  2. Incident handling: Detect, respond to, and recover from security incidents

  3. Business continuity: Backup management, disaster recovery, and crisis management

  4. Supply chain security: Assess and manage security risks from suppliers and service providers

  5. Security in acquisition: Integrate security into procurement of systems and services

  6. Vulnerability management: Assess vulnerabilities and deploy patches and updates

  7. Policies and procedures: Document security policies for access control, asset management, and authentication

  8. Cryptography and encryption: Protect data confidentiality and integrity

  9. Human resources security: Access control policies, training, and awareness programs

  10. Multi-factor authentication and secure communications: Implement strong authentication and encrypted emergency communication systems

Incident Reporting Obligations

NIS2 introduces strict incident reporting timelines:

  • Early Warning (24 hours): Notify the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident

  • Incident Notification (72 hours): Submit an initial assessment including severity, indicators of compromise, and initial impact

  • Final Report (1 month): Provide a detailed report with root cause analysis, impact assessment, and remediation measures

Failure to report incidents within these timelines can result in significant penalties, including fines up to €10 million or 2% of global annual turnover, whichever is higher.
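As an added illustration (not part of the original page or of ISMS Copilot), the following Python tracker computes the 24-hour, 72-hour and 1-month deadlines listed above for an incident and labels each step as sent, sent late, overdue, or due in a given number of hours. It assumes the two shorter windows run from the moment the entity became aware of the incident, that the final report window runs from submission of the notification, and that "1 month" is approximated as 30 days; the incidents in `demo()` are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows as listed on this page. Assumptions not stated on the page:
# 24h/72h run from awareness, the 1-month window runs from submission of the
# 72h notification, and "1 month" is approximated as 30 days.
WINDOWS = {"early_warning": timedelta(hours=24), "notification": timedelta(hours=72)}
FINAL_REPORT = timedelta(days=30)

@dataclass
class Incident:
    ident: str
    aware_at: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

def deadlines(inc: Incident) -> dict:
    """Compute the three NIS2 reporting deadlines for one incident."""
    due = {step: inc.aware_at + w for step, w in WINDOWS.items()}
    # Final report runs from the actual notification; before it is sent, use the
    # latest moment the notification could still be submitted on time.
    due["final_report"] = (inc.notification_sent or due["notification"]) + FINAL_REPORT
    return due

def status(inc: Incident, now: datetime) -> dict:
    """Label each step: sent, sent late, overdue, or hours remaining."""
    sent = {"early_warning": inc.early_warning_sent,
            "notification": inc.notification_sent,
            "final_report": inc.final_report_sent}
    out = {}
    for step, due in deadlines(inc).items():
        if sent[step] is not None:
            out[step] = "sent late" if sent[step] > due else "sent"
        elif now > due:
            out[step] = "overdue"
        else:
            out[step] = f"due in {(due - now).total_seconds() / 3600:.0f}h"
    return out

def demo() -> dict:
    """Constructed sample incidents (not real data), checked 30 hours after awareness."""
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    now = t0 + timedelta(hours=30)
    on_track = Incident("INC-A", t0, early_warning_sent=t0 + timedelta(hours=20))
    missed = Incident("INC-B", t0)  # no early warning sent within 24h
    late = Incident("INC-C", t0, early_warning_sent=t0 + timedelta(hours=26))
    return {i.ident: status(i, now) for i in (on_track, missed, late)}
```

Call `demo()` to see the three sample incidents evaluated at the 30-hour mark; in a real deployment `now` would be the current time and the incident records would come from your incident register.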

Governance and Accountability

NIS2 emphasizes management body responsibility:

  • Board-level accountability: Management bodies must approve cybersecurity measures and oversee implementation

  • Personal liability: Management can be held personally liable for non-compliance

  • Training requirements: Management must participate in cybersecurity training

  • Supervision authority: National authorities can conduct on-site inspections and audits

Penalties and Enforcement

NIS2 introduces harmonized penalties across the EU:

  • Essential entities: Up to €10 million or 2% of global annual turnover (whichever is higher)

  • Important entities: Up to €7 million or 1.4% of global annual turnover (whichever is higher)

Penalties can be imposed for failure to implement security measures, incident reporting violations, or non-cooperation with authorities.

How ISMS Copilot Helps

ISMS Copilot provides comprehensive support for NIS2 compliance:

  • Framework-specific guidance: Ask questions about specific NIS2 articles, security measures, or reporting obligations

  • Policy generation: Create audit-ready policies covering all ten cybersecurity domains

  • Gap analysis: Upload existing security documentation to identify gaps against NIS2 requirements

  • Risk assessments: Generate NIS2-aligned risk assessments for systems and supply chain relationships

  • Incident response planning: Develop incident classification schemes and reporting workflows aligned with NIS2 timelines

  • Compliance roadmaps: Ask for implementation guidance based on your organization type and sector

  • Workspace organization: Manage NIS2 projects separately from other compliance initiatives

The AI has direct knowledge of NIS2's structure and requirements, so you can reference specific articles or security measures in your prompts.

Try asking: "Generate a supply chain security policy aligned with NIS2 Article 21" or "What are the incident reporting requirements for essential entities under NIS2?"

Getting Started

To begin NIS2 compliance work in ISMS Copilot:

  1. Create a dedicated workspace for NIS2 compliance

  2. Ask the AI whether your organization qualifies as an essential or important entity

  3. Generate foundational policies for the ten cybersecurity domains

  4. Upload existing cybersecurity policies for gap analysis

  5. Develop an incident response plan with NIS2-compliant reporting workflows

  6. Create a supply chain security assessment process

Member State Implementation

While NIS2 sets minimum requirements, individual EU member states may impose additional obligations through national transposition laws. Check your national cybersecurity authority's guidance for country-specific requirements.

  • Official NIS2 Directive text: EUR-Lex

  • ENISA (European Union Agency for Cybersecurity) guidance and resources

  • National CSIRT and competent authority contacts
