Which Sectors Are Impacted by NIS 2?
The NIS 2 directive aims to strengthen the cyber security provision of key services and industries across EU nations. While the specific mechanisms for implementing the directive are decided on a state-by-state basis (and as such, we'd always recommend seeking guidance on the criteria, inclusions, exclusions and sanctions within your own state), the sectors impacted by NIS 2 will be largely uniform across its whole scope.
Essential and Important Entities: What's The Difference?
NIS 2 separates the services and industries within its remit into Essential (Sectors of High Criticality) and Important (Other Critical Sectors). In the lead-up to NIS 2's implementation, you are likely to see them referred to in both manners.
In practice, this differentiation between the two groups relates to the societal impact of the associated sectors and the potential consequences of a cyber breach or attack. Subsequently, Essential entities are more likely to be subject to stricter government oversight in order to achieve compliance, with harsher sanctions for non-compliance.
Which Businesses Are Exempt from NIS 2?
While it is worth taking note of NIS 2's requirements and prioritising strong cyber security hygiene whatever the size of your business, it is important to understand that not all organisations, and not even all of those which fall into the sectors below, are subject to the NIS 2 directive.
In general terms, only those businesses of a medium size or above will find themselves required to achieve NIS 2 compliance.
However, please note that although entities are grouped by general size criteria, an entity that does not meet these size thresholds may still be considered either important or essential (and subject to NIS 2 compliance) in specific circumstances, such as where the organisation is the sole provider of its respective service within its EU Member State.
Size Thresholds
Essential Entities are subject to a general size threshold which, while varying by sector, generally includes those organisations with: 250+ employees, an annual turnover of €50 million and above, or a balance sheet of €43 million and above.
Important Entities are also subject to a size threshold based on the same criteria, again varying by sector, but set lower. This will include those organisations with: 50+ employees, an annual turnover of €10 million, or a balance sheet of €10 million or above.
Which Sectors Are Impacted by NIS 2?
Not all industries and sectors will be subject to NIS 2 compliance.
The directive aims to strengthen the resilience of network and information systems throughout the European Union, concentrating specifically on the providers of core (or essential and important) services. Its aim is to ensure that common cyber security standards are met across member states, and key services remain strong and functional in the event of an attack.
With this in mind, NIS 2 will impact the following sectors, which have been broken down into Essential and Important:
Essential Entities (Sectors of High Criticality)
Energy – Electricity, District Heating and Cooling, Oil, Gas, Hydrogen
Transport – Air, Rail, Water, Road
Banking
Financial Market Infrastructures
Health
Water – Drinking Water, Waste Water
Digital Infrastructure
ICT Service Management (B2B)
Public Administration
Space
Important Entities (Other Critical Sectors)
Postal and Courier Services
Waste Management
Manufacture, Production and Distribution of Chemicals
Production, Processing and Distribution of Food
Manufacturing – Medical Devices, Computer, Electronic or Optical Products, Machinery, Vehicles
Digital Providers
Research
The NIS 2 Directive places supervision and enforcement at the core of competent authorities' responsibilities and lays out a coherent framework for supervisory and enforcement activities across Member States.
To this end, it provides a minimum list of supervisory measures for competent authorities to strengthen their oversight of essential and important entities and ensure effective compliance. These measures include:
regular and targeted audits
on-site and off-site checks
requests for information
access to documents or evidence.
On top of this, NIS 2 establishes a differentiation of supervisory regimes between essential and important entities to ensure a fair balance of obligations.
NIS 2 also introduces a consistent framework for sanctions across the Union to make enforcement effective. In extension of this, it presents a minimum list of administrative sanctions for breaches of cybersecurity risk management and reporting obligations, including:
Binding instructions.
Order to implement the recommendations of a security audit.
Order to bring security measures in line with NIS requirements.
Administrative fines.
Furthermore, NIS 2 distinguishes between essential and important entities for administrative fines:
Essential entities: maximum of at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Important entities: maximum of at least €7,000,000 or at least 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Competent authorities should consider the specific details of each case when exercising enforcement powers, including the nature and severity of the breach and any damages or losses incurred. The NIS 2 Directive also holds natural persons in senior management positions within covered entities accountable for cybersecurity measures.
The NIS 2 Directive interacts with the CER Directive and the DORA, two other EU policies.
The NIS 2 and CER Directives have been aligned to address the physical and cyber resilience of critical entities comprehensively. The critical entities identified under the CER Directive will also be subject to the cybersecurity obligations of the NIS 2 Directive.
National competent authorities under both directives must cooperate and exchange information regularly on risks and incidents.
The NIS 2 Cooperation Group will meet regularly with the Critical Entities Resilience Group. DORA applies to the financial sector's cybersecurity risk management and reporting obligations, and allows for participation in the NIS Cooperation Group and for consultation and information sharing with NIS 2 SPOCs and CSIRTs.
NIS 2 will strengthen and streamline cybersecurity requirements for covered entities by requiring all companies to address a core set of 10 minimum requirements in their cybersecurity risk management policies.
These elements include incident handling, supply chain security, vulnerability handling and disclosure, and the use of cryptography. The NIS 2 Directive also includes a multiple-stage approach to incident reporting, which strikes a balance between swift reporting to prevent the spread of incidents and in-depth reporting to draw valuable lessons learned.
Affected companies have 24 hours to submit an early warning, 72 hours to submit an incident notification, and one month to submit a final report. This will help to reduce the additional burden for companies operating in multiple Member States and ensure that all companies are addressing the necessary cybersecurity requirements.
The NIS 2 Directive aims to address the deficiencies of the previous rules, matching them to the needs of the times and making them future-proof. To this end:
The NIS 2 Directive expands cybersecurity rules to new digitalized and interconnected sectors.
It eliminates the distinction between operators of essential services and digital service providers.
The directive streamlines security and reporting requirements with a risk management approach and more precise incident reporting provisions.
It addresses cybersecurity risks in supply chains and strengthens supply chain cybersecurity for key information and communication technologies at the European level.
The directive enhances supervisory measures and cooperation between Member States, including harmonizing sanctions regimes and establishing a basic framework for coordinated vulnerability disclosure.
It enhances operational cooperation within the CSIRT network and establishes the European cyber crisis liaison organization network (EU-CyCLONe).
NIS 2 creates an EU vulnerability database to be operated and maintained by the EU Agency for Cybersecurity (ENISA).
The NIS 2 Directive proposes to improve cyber risk management by introducing clear responsibilities, appropriate planning, and increased EU cooperation.
NIS 2 requires Member States to appoint national authorities responsible for cyber crisis management, introduces national large-scale cybersecurity incident and crisis response plans, and establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises.
The EU-CyCLONe network is a key component of the EU cyber crisis management framework outlined by the Commission in 2017, contributing to a coordinated response to large-scale incidents and crises.
Curated by NIS2Compliant.org, this page provides publicly sourced information on everything related to the upcoming NIS 2 Directive, presented in a clear and concise manner for easy consumption.
Copyright By Nis2Compliant.org