19 December 2024

NIS2 – what is it and who is it for?

The European Parliament has approved an update to the NIS Directive that imposes stricter requirements on companies, governments and infrastructure in the field of cybersecurity. The NIS2 Directive increases cybersecurity requirements throughout Europe and designates more organisations as essential businesses. This concerns approximately 160,000 organisations throughout Europe.

These companies must therefore meet higher requirements, and there are obligations for risk management, reporting and information sharing. Different member states may be implementing the directive into their national laws at different rates. The knock-on impact for UK businesses is still unclear, but in this blog we will provide some guidance and best practices for UK businesses that may be affected.

In this blog we will describe who NIS2 applies to, the timeline for implementation of the directive, and provide practical guidance on whether your organisation is affected, given Brexit.

What is NIS2?

NIS stands for Network and Information Systems, and the first NIS directive was published in 2016. It was intended primarily for large companies and institutions that perform essential functions within society: think of suppliers of energy, transport, infrastructure for banks and the financial market, health, drinking water and digital infrastructure. They have been required to take measures to increase cyber resilience for several years. The European Parliament has now agreed to the introduction of a stricter version of this in the form of new legislation (NIS2) that imposes stricter requirements on companies, governments and infrastructure in the field of cybersecurity.

The NIS2 Directive aims to improve the security of networks and information systems and to ensure the resilience of society and the economy. It is crucial that organisations covered by the Directive take appropriate measures to ensure the security of their networks and information systems and to address potential cyber threats.

Who does NIS2 apply to?

NIS2 increases cybersecurity requirements for significantly more organisations across Europe by designating them as ‘essential businesses’. It is estimated that this will affect around 160,000 organisations across Europe. Anyone providing an essential service to consumers will be covered by the new law and will therefore have to meet higher requirements.

Which organisations fall under the new NIS2 directive?

The NIS2 Directive concerns organisations that are considered essential for the functioning of society and the economy. The size ("size cap") and the service provided are the two main criteria for determining whether the NIS2 Directive applies to an organisation.

1. The size cap

With some exceptions, an organisation must be considered to be at least a medium-sized enterprise within the meaning of the Recommendation in order for the NIS2 Directive to apply. A medium-sized enterprise has a workforce equivalent to at least 50 full-time workers and/or an annual turnover (or annual balance sheet total) exceeding 10 million euros.

NIS2-applicable organisations:
  • Organisations with more than 50 employees, OR
  • An annual turnover and balance sheet total of more than €10 million

Exempt organisations:
  • Small and medium-sized enterprises that do not fall under the sectors listed below
  • Non-digital companies that do not provide essential services and do not offer digital services
  • Government agencies not considered essential to the functioning of society and the economy
  • Individual users of networks and information systems

2. Services provided: essential vs. important

The NIS2 Directive concerns organisations that are considered essential for the functioning of society and the economy. These organisations are referred to as "suppliers of essential or important services". If an organisation is designated as a critical entity, it will be informed of this by the responsible ministry. This will happen as soon as possible after the law comes into effect (after October 2024).

Essential:
  • Energy (electricity, district heating and cooling, petroleum, natural gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space travel

Important:
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (of medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c., motor vehicles, trailers and semi-trailers; other transport equipment)
  • Digital providers
  • Research

Depending on size, turnover and sector, an organisation is considered 'essential' or 'important'. Essential entities are subject to a more intensive regime of supervision, while Important entities are subject to a lighter form of supervision that only takes place retrospectively, for example if there are indications of non-compliance with the law or if an incident has occurred.

3. Critical entity or chain supplier

It is also important to look at the position of the organisation in the supply chain. NIS2 applies to the entire supply chain of 'essential' organisations. This means that companies that do not carry out essential activities themselves, but do business with parties that do, are also covered by the new directive. For more information, see the section below: What if I am a UK supplier to an EU business?

Fines for non-compliance

Essential organisations face fines of up to 10 million euros or 2% of their total annual turnover. Important organisations face fines of up to 7 million euros or 1.4% of their total annual turnover.

Timeline of the NIS2 Directive

The following timeline is taken from the legislation.

17 October 2024 – Member states must adopt and publish measures to comply with the NIS2 Directive. This includes:
“implementing acts laying down the technical and the methodological requirements of the measures with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.”

17 January 2025 – The CSIRTs network shall assess progress made with regard to operational cooperation, with the aim of “learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Member States’ cybersecurity capabilities and policies necessary to implement this Directive”. Participation in peer reviews is voluntary.

17 April 2025 – Member states shall establish a list of essential and important entities in each sector. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.

17 October 2027 – By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.

Because EU member states still have to transpose the NIS2 Directive into their local statutes, the timeline for implementing NIS2 is operating at different speeds in different countries. For example, France will be finalising its adoption of NIS2 in April 2025, while Germany will be finalising its adoption by October 2025.

How does Brexit affect NIS2 compliance?

Since Brexit the UK is no longer directly subject to EU legislation, including the NIS2 Directive. However, there are several ways in which the NIS2 Directive could still affect organisations in the UK:

  1. Compliance with NIS1 and domestic legislation: Even though the UK is no longer bound by the NIS2 Directive, it implemented its version of the original NIS Directive (NIS1) through the Network and Information Systems Regulations 2018 (NIS Regulations). These regulations continue to be in effect and establish cybersecurity requirements for critical service providers in the UK. While the NIS2 Directive is not directly applicable, the UK may choose to update its domestic legislation in line with the principles or requirements of NIS2 to maintain compatibility and cooperation with the EU.
     
  2. Organisations operating in the EU: UK-based organisations that have operations within the EU or provide services to EU customers may still need to comply with the NIS2 Directive. If these organisations fall within the scope of the directive, such as critical infrastructure providers or digital service providers operating in the EU, they may be required to ensure compliance with NIS2 requirements to continue operating in those markets.
     
  3. Cross-border dependencies: The interconnected nature of network and information systems means that cybersecurity incidents in one jurisdiction can have cross-border implications. UK organisations that interact with EU-based counterparties, suppliers, or customers may indirectly be affected by the NIS2 Directive as their partners seek to comply with the new requirements.
     
  4. Voluntary alignment: Some UK organisations may choose to voluntarily align their cybersecurity practices with NIS2 Directive standards as part of their overall risk management and to demonstrate a high level of cybersecurity maturity to customers, partners, and regulators.
     
  5. Stricter incident reporting: NIS1, which is currently in effect in both the EU and the UK, mandates that covered organisations report a cyber incident within 72 hours. This will continue to apply to important entities within the EU. However, organisations classified as ‘essential entities’ must report a cyber incident within 24 hours. Similarly, the UK government's background notes for the Cyber Security and Resilience Bill highlight "mandating increased incident reporting to provide the government with better data on cyber-attacks" as one of the bill’s three pillars. These stricter requirements are also specified to apply to ransomware attacks.

UK organisations should stay informed about regulatory developments and consider the potential impact of NIS2 on their operations and compliance requirements.

What if I am a UK supplier to an EU business?

The answer to this is still unclear. NIS2 focuses on the entire supply chain. This applies to organisations that do not fall under NIS2 themselves, but are suppliers to organisations that do. You will therefore have to map out whether your customers fall into this category, making you liable to comply with NIS2.

What can you do?

The draft text for the Cyber Security & Resilience Bill is expected to align closely with the NIS2 Directive. As a result, even if you are not currently bound by NIS2 as a supplier, you can look to NIS2 as a model, preparing your organisation to comply with the Cyber Security & Resilience Bill.

  • Establish board-level accountability for cybersecurity to ensure leadership is responsible for implementing strong security measures.
  • Maintain compliance and manage the continuously evolving cybersecurity threats through ongoing monitoring, regular audits, and coordination with national authorities.
  • Build a patch management programme.
  • Ensure you have an incident response procedure.
  • Consider adopting an internationally-recognised information security framework such as ISO 27001, building a basis for complying with NIS2 and the Cyber Security & Resilience Bill.

If you would like to find out in more detail which aspects of your security posture would be affected by NIS2, and what you can do should you choose to comply, you can read the next blog in our series: NIS2: I want to comply. What now?

For more information on how you can improve your security posture and demonstrate the security of your organisation, contact Claranet today.