The NIS2 Directive represents the most significant update to European cybersecurity legislation in over a decade. As operational technology increasingly becomes a target for cyber attacks, understanding NIS2 requirements is critical for organizations operating critical infrastructure across the EU.
What is the NIS2 Directive?
The Network and Information Security Directive 2 (NIS2) is EU legislation that replaces the original NIS Directive from 2016. NIS2 significantly expands the scope of covered entities, introduces stricter security requirements, and establishes harmonized enforcement mechanisms across EU member states.
The directive (Directive (EU) 2022/2555) entered into force on 16 January 2023, and EU member states were required to transpose it into national law by 17 October 2024. Organizations comply with their national implementing legislation, not with the directive directly; national law may add sector-specific requirements, and transposition status still varies between member states.
Who Does NIS2 Apply To?
NIS2 sorts in-scope organizations into two groups based on the sector annex they fall under and on their size. The sector lists below are a summary; the exact classification comes from Article 3 and Annexes I and II of the directive and from the national transposition.
Essential Entities
Large entities in the sectors of high criticality (Annex I), including:
- Energy: Electricity, district heating/cooling, oil, gas, hydrogen
- Transport: Air, rail, water, road transport
- Banking and Financial Market Infrastructure (for financial entities, DORA takes precedence over NIS2 for the overlapping risk management and incident reporting obligations)
- Health: Healthcare providers, laboratories, pharmaceutical manufacturers
- Drinking Water: Supply and distribution
- Wastewater: Collection and treatment
- Digital Infrastructure: DNS, TLD registries, cloud computing, data centers, content delivery networks, trust service providers, electronic communications
- ICT Service Management (business-to-business): managed service providers and managed security service providers
- Public Administration: Central and regional government entities
- Space: Ground-based infrastructure for space services
Important Entities
Medium-sized entities in the sectors above, plus medium and large entities in the other critical sectors (Annex II):
- Postal and Courier Services
- Waste Management
- Chemicals: Production, processing, distribution
- Food Production, Processing, and Distribution
- Manufacturing: Medical devices, electronics, machinery, motor vehicles, aerospace
- Digital Providers: Online marketplaces, search engines, social networks
- Research Organizations
Size Thresholds
Generally, NIS2 applies to medium and large organizations: 50 or more employees, or annual turnover or balance sheet total above €10 million (the small-enterprise ceiling of Commission Recommendation 2003/361/EC). Certain providers are in scope regardless of size, for example DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks, and member states can designate further entities whose disruption would have a significant impact.
Key Security Requirements
NIS2 establishes comprehensive cybersecurity risk management obligations for covered entities:
1. Risk Management Measures
Organizations must implement appropriate technical, operational, and organizational measures including:
- Risk analysis and information system security policies
- Incident handling, and business continuity including backup management, disaster recovery and crisis management
- Supply chain security, including security-related aspects of supplier relationships
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management
- Basic cyber hygiene practices and cybersecurity training
- Use of cryptography and encryption
- Human resources security, access control, and asset management
- Multi-factor authentication or continuous authentication solutions
- Secured voice, video, and text communications
- Secured emergency communication systems
2. Incident Reporting
NIS2 sets a staged notification sequence for significant incidents, with every clock starting when the entity becomes aware of the incident:
- Early Warning (within 24 hours of becoming aware): states whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident Notification (within 72 hours of becoming aware): updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- Intermediate Report (on request): status updates when the CSIRT or competent authority asks for them
- Final Report (within one month of the incident notification): detailed description of the incident, type of threat or root cause, applied and ongoing mitigation, and any cross-border impact; if the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled
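An added example (not from the original article, and not OTFIELD's tooling) that turns the schedule above into a deadline tracker an incident commander can drop into a runbook: all clocks start from the moment of awareness, the final-report clock runs from the notification actually submitted, and submissions made after their deadline are flagged for the compliance file. The report names, the constructed incident timeline and the calendar-month arithmetic (same day next month, clamped to month end) are assumptions of the example, not rules taken from the directive.

```python
"""Deadline tracker for the NIS2 incident reporting sequence (added example).

Assumes the deadlines described in the article: early warning 24 h and
incident notification 72 h after the entity becomes aware of a significant
incident, and the final report one month after the incident notification is
submitted. Calendar-month arithmetic is an assumption of this example.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def add_one_month(ts: datetime) -> datetime:
    """Same calendar day in the next month, clamped to that month's last day
    (e.g. 31 Jan -> 28/29 Feb). This interpretation of 'one month' is an assumption."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


@dataclass
class IncidentClock:
    """Tracks the three mandatory reports for one significant incident."""
    aware_at: datetime                               # moment the entity became aware
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        for ts in (self.aware_at, self.early_warning_sent_at,
                   self.notification_sent_at, self.final_report_sent_at):
            if ts is not None and ts.tzinfo is None:
                raise ValueError("use timezone-aware timestamps; deadlines cross DST changes")

    def deadlines(self) -> Dict[str, datetime]:
        # The final-report clock starts when the incident notification is actually
        # submitted; before that, plan against the latest permitted submission time.
        notification_clock_start = self.notification_sent_at or (self.aware_at + timedelta(hours=72))
        return {
            "early_warning": self.aware_at + timedelta(hours=24),
            "incident_notification": self.aware_at + timedelta(hours=72),
            "final_report": add_one_month(notification_clock_start),
        }

    def sent(self) -> Dict[str, Optional[datetime]]:
        return {
            "early_warning": self.early_warning_sent_at,
            "incident_notification": self.notification_sent_at,
            "final_report": self.final_report_sent_at,
        }

    def outstanding(self, now: datetime) -> Dict[str, timedelta]:
        """Reports not yet submitted, mapped to time remaining (negative = overdue)."""
        sent = self.sent()
        return {name: due - now for name, due in self.deadlines().items() if sent[name] is None}

    def overdue(self, now: datetime) -> List[str]:
        return [name for name, left in self.outstanding(now).items() if left < timedelta(0)]

    def late_submissions(self) -> List[str]:
        """Reports that were submitted, but after their deadline (evidence for the compliance file)."""
        return [name for name, ts in self.sent().items()
                if ts is not None and ts > self.deadlines()[name]]


if __name__ == "__main__":
    # Constructed timeline: ransomware on a SCADA HMI detected on a Monday morning.
    clock = IncidentClock(
        aware_at=datetime(2024, 11, 4, 9, 0, tzinfo=timezone.utc),
        early_warning_sent_at=datetime(2024, 11, 4, 20, 30, tzinfo=timezone.utc),
    )
    now = datetime(2024, 11, 7, 10, 0, tzinfo=timezone.utc)  # 73 h after awareness
    print("deadlines:", clock.deadlines())
    print("outstanding:", clock.outstanding(now))
    print("overdue:", clock.overdue(now))         # ['incident_notification']
```

The tracker deliberately refuses naive timestamps: a 72-hour window that spans a DST change is 72 hours, not "three days", and OT sites often log in local time while the national CSIRT portal records UTC.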
3. Management Accountability
NIS2 explicitly holds management bodies accountable for cybersecurity. Management must:
- Approve the cybersecurity risk management measures and oversee their implementation
- Follow cybersecurity training themselves, and offer comparable training to staff on a regular basis
- Ensure adequate resources for cybersecurity risk management
Members of the management body can be held liable for infringements of these obligations, and for essential entities the authorities can temporarily bar executives from exercising managerial functions.
Enforcement and Penalties
NIS2 introduces significant enforcement powers and penalties for non-compliance:
Essential Entities
- Administrative fines up to €10,000,000 or 2% of global annual turnover (whichever is higher)
- Binding instructions and periodic penalty payments
- Audits and on-site inspections
- Public warnings and, where non-compliance persists, temporary suspension of certifications or authorisations and a temporary ban on executives exercising managerial functions
Important Entities
- Administrative fines up to €7,000,000 or 1.4% of global annual turnover (whichever is higher)
- Similar enforcement powers as essential entities but with proportionally lower penalties
OT-Specific Implications
NIS2 has particular significance for operational technology environments:
Expanded Scope to Industrial Systems
NIS2's obligations attach to the network and information systems on which an entity's services depend. In industrial sectors that means the OT estate (SCADA, DCS and other industrial control systems supporting the essential service), not only corporate IT, so risk analysis, incident reporting and supply chain measures have to cover the plant floor.
Supply Chain Security
Organizations must assess cybersecurity risks related to supplier relationships including:
- Vulnerabilities specific to each supplier (equipment vendors, system integrators, managed service providers)
- Overall quality of products and cybersecurity practices of suppliers
- Implementation of security requirements in contracts with suppliers and service providers
Vulnerability Management
NIS2 requires organizations to handle and disclose vulnerabilities as part of secure acquisition, development and maintenance, and national CSIRTs act as coordinators for coordinated vulnerability disclosure. For OT environments, this includes:
- Coordinated vulnerability disclosure policies
- Timely patching of identified vulnerabilities
- Compensating controls when patches cannot be deployed due to operational constraints
Practical Compliance Steps
Step 1: Determine Applicability (Immediate)
- Assess whether your organization falls under essential or important entity categories
- Review national implementing legislation in countries where you operate
- Consider sector-specific guidance from national regulators
Step 2: Gap Assessment (1-3 months)
- Conduct comprehensive assessment of current cybersecurity measures against NIS2 requirements
- Document IT and OT systems in scope of NIS2
- Identify gaps in risk management, incident response, supply chain security, and governance
- Assess management awareness and training needs
Step 3: Remediation Roadmap (3-6 months)
- Develop prioritized remediation plan addressing identified gaps
- Align remediation with existing standards (IEC 62443, NIST CSF, ISO 27001)
- Define governance structure with clear management accountability
- Establish incident response procedures meeting NIS2 reporting timelines
- Implement supply chain security program for critical vendors
Step 4: Implementation (6-18 months)
- Deploy technical controls (MFA, encryption, network segmentation, monitoring)
- Update policies and procedures to align with NIS2 requirements
- Conduct management and staff cybersecurity training
- Establish relationships with national CSIRT and regulatory authorities
- Test incident response procedures with tabletop exercises
Step 5: Continuous Compliance (Ongoing)
- Conduct regular risk assessments and security audits
- Monitor effectiveness of cybersecurity measures with KPIs
- Update risk management approach based on changing threat landscape
- Maintain evidence of compliance for regulatory inspections
- Review and update supplier security assessments
Alignment with Other Standards
Organizations can leverage existing cybersecurity frameworks to achieve NIS2 compliance:
IEC 62443
The IEC 62443 standard for industrial automation and control systems security aligns well with NIS2 OT requirements. Organizations implementing IEC 62443 will satisfy many NIS2 technical requirements.
ISO 27001
ISO 27001 information security management provides a governance framework compatible with NIS2. Organizations with ISO 27001 certification have a strong foundation for NIS2 compliance.
NIST Cybersecurity Framework
The NIST CSF Identify, Protect, Detect, Respond, Recover functions map to NIS2 risk management requirements and provide practical implementation guidance.
Common Challenges
Multi-Jurisdictional Compliance
Organizations operating across multiple EU member states must comply with varying national implementations. Establish centralized governance with local expertise in each jurisdiction.
OT System Constraints
Legacy industrial systems may not support modern security controls like MFA or encryption. Implement compensating controls through network segmentation, monitoring, and access restrictions.
Incident Reporting Timelines
The 24-hour early warning is challenging for OT incidents that need investigation before their impact is known. The clock starts when the organization becomes aware of the incident, and the early warning only has to state whether malicious activity is suspected and whether cross-border impact is possible, so do not wait for root cause before filing. Establish clear escalation procedures, agree in advance who decides that an incident is "significant", and pre-position incident response capabilities.
Supply Chain Visibility
Assessing security of complex industrial supply chains is difficult. Start with critical suppliers (SCADA vendors, system integrators, managed service providers) and expand coverage over time.
Conclusion
NIS2 represents a fundamental shift in European cybersecurity regulation, with significant implications for organizations operating critical infrastructure and industrial environments. The directive's emphasis on management accountability, strict enforcement, and comprehensive security requirements demands proactive action.
Organizations should begin NIS2 compliance efforts immediately, starting with applicability assessment and gap analysis. By aligning with established OT security standards like IEC 62443 and implementing robust risk management practices, organizations can achieve compliance while building more resilient operations.
Navigate NIS2 Compliance with Confidence
OTFIELD provides NIS2 gap assessments, compliance roadmaps, and implementation support for industrial organizations across the EU.