
Navigating the NIS2 Directive: Essential FAQs for Compliance Success


Introduction

The NIS2 Directive, effective as of October 17, 2024, marks a significant milestone in the European Union's efforts to bolster cybersecurity. This directive is a crucial update from its predecessor, the NIS Directive (2016), expanding requirements and strengthening cybersecurity obligations for critical sectors across the European Union (EU).

The new directive brings an expanded scope, new risk management and incident reporting requirements, and stricter financial penalties. We answer some of the top FAQs on NIS2 to guide your organization through compliance.

What is the NIS2 Directive?

The NIS2 Directive is the EU's enhanced regulatory framework for the cybersecurity of network and information systems, setting a high common level of security to protect essential and important entities in sectors like energy, healthcare, digital infrastructure, and finance. These organizations are now required to implement stronger security measures to ensure resilience against cyber threats.

How Does the NIS2 Directive Differ from the Earlier NIS Directive (2016)?

NIS2 expands both the scope and depth of regulatory requirements. Key changes include:

  • Stricter Cybersecurity Obligations: Enhanced security measures now apply across an expanded range of sectors.
  • Extended Scope: The directive applies to medium and large enterprises, with a focus on critical infrastructure and suppliers, even if they are outside the EU.
  • Incident Reporting Requirements: New timelines mandate that incidents be reported within 24 hours, with a follow-up report due within 72 hours.
  • Increased Accountability: Leadership is held accountable for compliance failures.
  • Stricter Penalties: Fines can reach up to €10 million or 2% of global turnover, whichever is greater.

Which Organizations Are Subject to NIS2?

NIS2 targets medium and large organizations, especially those involved in critical national infrastructure, with some exemptions. It applies to organizations with a minimum of 250 employees and €50 million in annual turnover for essential services, or at least 50 employees and €10 million in turnover for important services. Member states have the discretion to make exceptions for high-risk entities that fall outside of these parameters.

List of essential sectors covered under NIS2

  • Energy (electricity, oil, gas, district heating and cooling, and hydrogen)
  • Transport (air, rail, water, and road)
  • Healthcare
  • Water supply (drinking water, wastewater)
  • Digital infrastructure (telecom, DNS, TLD, cloud service, data centres, trust service providers)
  • Finance (banking, financial market infrastructure)
  • Public administration
  • Space

List of important sectors covered under NIS2

  • Digital providers (online markets, search engines, social networks)
  • Postal services
  • Waste management
  • Foods
  • Manufacturing (medical devices, electronics, machinery, transport equipment)
  • Chemicals (production and distribution)
  • Research

NIS2 regulations cover not only essential and important services but also extend to their entire supply chain. This means that subcontractors and suppliers, regardless of location, must meet the same security standards as required by NIS2.

What Are the Core Requirements of NIS2?

The NIS2 Directive mandates:

  • ICT Risk Management: Proactive identification, assessment, and management of cybersecurity risks.
  • Supply Chain Security: Organizations must assess and manage risks from third-party vendors.
  • ICT Incident Reporting: Timely and structured reporting of incidents, with specific deadlines.
  • Corporate Accountability: Leadership is directly responsible for compliance.
  • Business Continuity: Robust business continuity and resilience plans are essential to maintain operations during disruptions.

What are the Incident Reporting Timelines Under NIS2?

Under the new directive, essential and important entities must notify any incident with significant impact without undue delay.

  • Within 24 hours: An early warning, including initial assumptions about the incident type, should be sent to the competent authority or CSIRT.
  • Within 72 hours: A full notification report is required, detailing the incident assessment, severity, impact, and indicators of compromise.
  • Within 1 month: A final, comprehensive report must be submitted.

To streamline this process, the Directive encourages Member States to:

  • Simplify incident reporting through a single-entry point, minimizing administrative burdens
  • Facilitate easier reporting for cross-border incidents within the EU

Does NIS2 Impact Non-EU Companies?

Yes, NIS2 also applies to non-EU companies that provide essential services within the EU. Sectors like healthcare, digital infrastructure, and transportation are particularly impacted, even if services originate outside the EU.

What is the Role of National Governments in NIS2 Compliance?

Member states oversee enforcement by designating authorities to monitor compliance, enforce penalties, and ensure that all organizations within their jurisdiction align with NIS2 standards. Additionally, national governments guide organizations in adhering to the directive’s rules.

Has the NIS2 Directive come into effect?

Yes, NIS2 was formally adopted in 2022, and EU member states were required to transpose the directive into national law by 17th October 2024.

(Source: European Commission's Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive))

Preparing for NIS2: How to Get Started

To meet NIS2 mandates, organizations must strengthen cyber resilience by focusing on proactive risk management and robust incident response. Start your NIS2 compliance journey by:

  • Mapping your compliance status by assessing and aligning current risk management practices with NIS2 standards to bridge compliance gaps.
  • Adopting proactive risk management by regularly assessing and mitigating cyber risks, with clear accountability and thorough incident response procedures.
  • Establishing a unified risk view by centralizing risk data, aligning digital risks with organizational assets, processes, and compliance needs.
  • Managing vendor risks by maintaining oversight on ICT vendor risks, ensuring continuity and compliance through systematic assessments.
  • Developing business continuity plans by preparing recovery plans with prioritized assets and tested crisis communication strategies.

How Can MetricStream Help?

MetricStream’s CyberGRC platform simplifies NIS2 compliance with built-in frameworks, automated incident reporting, vendor risk management, and robust continuity planning tools. With MetricStream, organizations can efficiently manage cyber risks, streamline compliance processes, and respond swiftly to incidents, aligning seamlessly with NIS2 requirements.

The NIS2 Directive signals a new era of cybersecurity compliance. As the directive takes hold, staying informed and proactive is essential. For more detailed guidance on the next steps and how to ensure compliance, download our comprehensive eBook today.

Request a personalized demo today.


Simrin Jhangiani Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream's ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and as the owner of a sustainable fashion brand. She has lived on three different continents and has travelled to more than 50 countries around the world, giving her a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about raising awareness of the ever-changing regulations around Environmental, Social, and Governance.