Introduction
In an era where digital transformation is integral to economic and societal functions, the European Union (EU) has recognized the imperative of robust cybersecurity measures. The NIS2 Directive, officially known as Directive (EU) 2022/2555, represents a significant advancement in the EU’s efforts to enhance cybersecurity resilience across member states. Building upon its predecessor, the original NIS Directive, NIS2 aims to address the evolving landscape of cyber threats by establishing a high common level of security for network and information systems.
As we approach 2025, the implementation of NIS2 is set to play a pivotal role in shaping the future of European resilience. This comprehensive Directive expands its scope to include a broader range of sectors and introduces more stringent requirements for both essential and important entities. By doing so, it seeks to ensure that critical infrastructure, digital service providers, and other key actors within the EU are adequately protected against cybersecurity risks. Additionally, it mandates that entities develop a robust cybersecurity strategy by identifying, assessing, and mitigating risks, particularly in their supply chains and supplier relationships, thereby ensuring compliance with EU regulations.
What is the NIS2 Directive?
The NIS2 Directive is a legislative cybersecurity framework designed to enhance cybersecurity across the European Union by establishing a high common level of security for network and information systems. It builds upon the original NIS Directive, expanding its scope and strengthening requirements to better address evolving cyber threats. Each EU Member State is required to transpose the Directive into their national law to ensure compliance with the enhanced cybersecurity rules.
One of NIS2’s key advancements is its broadened scope, which now encompasses additional sectors and services that are deemed critical to the EU’s economy and society. These include energy, transport, healthcare, and digital infrastructure, among others. By expanding its reach, NIS2 aims to ensure that a wider array of essential and important entities implement robust cybersecurity measures to protect against potential threats.
Scope and Applicability
The NIS2 Directive aims to improve the cybersecurity resilience and incident response capacities of both public and private sectors across the European Union. It builds upon the original NIS Directive, expanding its scope and introducing more stringent security requirements.
The NIS2 Directive covers the sectors of energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, and public administration. By encompassing these critical sectors, the Directive ensures a comprehensive approach to enhancing cybersecurity across the EU.
Essential and Important Entities
The NIS2 Directive applies to essential and important entities, classified based on their significance to society’s functioning. Essential entities include those providing critical services or infrastructure, such as energy, healthcare, and finance. These entities are vital to societal operations and are, therefore, subject to more stringent cybersecurity measures. Important entities, while not as critical, still play a significant role in the economy and society and must implement robust cybersecurity measures to protect against cyber threats.
Essential entities are required to adopt comprehensive cybersecurity risk management measures, including detailed incident reporting and stringent supply chain security protocols. Important entities, although not under the same level of scrutiny, must still ensure they have effective cybersecurity measures in place to mitigate risks.
Member States are responsible for determining the classification of entities as essential or important, considering factors such as the entity’s size, complexity, and impact on the economy and society. Once classified, these entities must comply with the Directive’s requirements, including implementing cybersecurity risk management measures, reporting cybersecurity incidents, and cooperating with competent authorities.
Key Provisions of NIS2
Cybersecurity Risk Management Measures
NIS2 mandates that organizations adopt a comprehensive risk-based approach to cybersecurity. This involves identifying, assessing, and systematically mitigating risks associated with their network and information systems. Entities are required to establish clear internal governance structures and a robust cybersecurity strategy dedicated to managing cybersecurity, ensuring accountability and oversight at the highest management levels.
Furthermore, organizations must implement incident response plans and conduct operational resilience testing to ensure preparedness against cyber threats. This proactive stance is crucial in minimizing the impact of potential breaches and ensuring the continuity of essential services. The Directive also emphasizes the importance of supply chain security, requiring entities to assess and manage risks posed by third-party suppliers and partners.
Incident Reporting and Response
Under NIS2, the requirements for reporting cybersecurity incidents and incident response have been significantly enhanced. Organizations are now obligated to report substantial security incidents to the relevant authorities within 24 hours of detection. This prompt reporting is vital for early threat identification and mitigation, preventing widespread damage. Incident reporting plays a crucial role in enhancing cyber resilience by ensuring that entities can effectively prevent, respond to, and recover from cybersecurity incidents.
The Directive introduces a multi-stage approach to incident reporting. Initially, affected entities must submit an early warning within 24 hours, followed by a detailed incident report after a comprehensive analysis. This structured reporting process ensures that competent authorities receive timely and accurate information, enabling coordinated responses to cyber threats.
Supply Chain Security and Critical Infrastructure
Recognizing the interconnected nature of modern digital ecosystems, NIS2 places significant emphasis on supply chain security. A vulnerability in one entity can have cascading effects throughout the supply chain, potentially compromising multiple organizations. Therefore, entities are expected to assess and manage cybersecurity risks associated with their third-party suppliers and service providers. National cybersecurity strategies play a crucial role in securing supply chains by ensuring compliance with newly established cybersecurity requirements across EU Member States.
Member States, in collaboration with the European Commission and the European Union Agency for Cybersecurity (ENISA), may conduct coordinated security risk assessments of critical supply chains. These assessments aim to identify systemic risks and develop strategies to enhance the overall security and resilience of supply chains across the EU.
Security Measures
Implementing effective security measures is crucial for organizations to protect themselves against cyber threats. The NIS2 Directive emphasizes the importance of security measures in preventing and mitigating cybersecurity incidents. Essential and important entities must implement security measures proportionate to their risks.
These security measures should include:
Risk Management: Organizations must identify, assess, and mitigate risks in a systematic manner. This involves a thorough understanding of potential threats and vulnerabilities within their network and information systems.
Incident Response Planning: Establishing clear incident response plans is vital for swiftly addressing breaches when they occur. These plans should outline the steps to be taken in the event of a cybersecurity incident, ensuring a coordinated and effective response.
Supply Chain Security: Organizations must assess and manage the cybersecurity risks posed by third-party suppliers and partners. This includes evaluating suppliers’ security practices and ensuring they meet the required standards.
Network and Information Systems Security: Implementing measures to protect network and information systems from cyber threats is essential. This includes deploying firewalls, intrusion detection systems, and other security technologies.
Cybersecurity Awareness and Training: Regular cybersecurity awareness and training for employees are crucial. This helps to ensure that staff are aware of potential threats and know how to respond appropriately.
Implementing these security measures can help organizations reduce the risk of cybersecurity incidents and ensure the continuity of their operations.
Cooperation and Information Sharing
The NIS2 Directive requires enhanced cooperation and information sharing: Member States must cooperate and share information on cybersecurity risks and incidents, which helps to identify and mitigate cyber threats more effectively.
The NIS2 Directive establishes a framework for cooperation and information sharing between:
Competent Authorities: Competent authorities must cooperate and share information on cybersecurity risks and incidents. This collaboration ensures a coordinated response to threats and enhances overall cyber resilience.
National Cybersecurity Strategies: Member States must develop national cybersecurity strategies that include cooperation and information sharing. These strategies provide a comprehensive approach to addressing cybersecurity risks at the national level.
Digital Operational Resilience Act (DORA): DORA requires financial entities to cooperate and share information on cybersecurity risks and incidents, enhancing the sector’s operational resilience.
Cyber Resilience Act (CRA): The CRA requires manufacturers to cooperate and share information on cybersecurity risks and incidents. This ensures that products and services are designed with cybersecurity in mind from the outset.
The NIS2 Directive aims to create a more resilient digital environment across Europe by enhancing cooperation and information sharing.
Implementation and Compliance
Who is Impacted by NIS2?
NIS2 applies to a broad spectrum of public and private sector entities that provide critical services or infrastructure within the EU. This includes sectors such as energy, transport, banking, healthcare, and digital infrastructure. The Directive also impacts the financial sector, enhancing resilience against cyber threats during operational disruptions. Entities are categorized as either “essential” or “important,” with essential entities subject to more stringent supervisory measures.
The Directive also extends its scope to include medium-sized and large enterprises within these sectors, ensuring that a significant portion of the EU’s economic operators are covered. Additionally, Member States have the discretion to include other entities within the scope of NIS2 based on national considerations and the potential impact of a cybersecurity incident involving those entities.
Compliance Requirements
Organizations covered by NIS2 are required to conduct thorough assessments of their current cybersecurity posture and identify the steps necessary to achieve compliance. These compliance requirements include implementing robust cybersecurity risk management measures, establishing incident response plans, and ensuring effective governance structures are in place. Additionally, the Digital Operational Resilience Act (DORA) is set to enhance cybersecurity within the financial sector in Europe, emphasizing resilience during severe operational disruptions and aligning with other regulatory frameworks such as the NIS2 Directive.
Non-compliance with NIS2 can result in significant consequences, including administrative fines and, in some cases, personal liability for members of an organization’s management body. Essential entities could incur penalties reaching €10 million or 2% of their global annual revenue, whereas important entities might face fines of up to €7 million or 1.4% of their revenue.
Implementation Roadmap
The implementation roadmap for the NIS2 Directive, in chronological order, is as follows:
October 17, 2024: Member States must transpose the NIS2 Directive into national law. This step is crucial for ensuring that the Directive’s provisions are legally binding and enforceable within each Member State.
January 17, 2025: The Digital Operational Resilience Act (DORA) will take effect. DORA complements the NIS2 Directive by focusing on the financial sector’s resilience to cyber threats.
Early 2025: The Cyber Resilience Act (CRA) is expected to enter into force. The CRA will further enhance the cybersecurity of products and services within the EU.
October 17, 2027: The Commission must review the functioning of the NIS2 Directive and report to the Parliament and the Council. This review will assess the effectiveness of the Directive and identify any areas for improvement.
Organizations must determine the impact of the NIS2 Directive on their current cybersecurity posture and identify their compliance roadmap. Non-compliance may result in stricter supervision and enforcement, administrative fines, and personal responsibility for upper management. It is essential for organizations to take proactive steps to align with the Directive’s requirements and enhance their cybersecurity resilience.
Enforcement and Penalties
The NIS2 Directive introduces robust enforcement mechanisms to ensure compliance with its stringent cybersecurity requirements. Member States are mandated to establish competent authorities responsible for enforcing the Directive. These authorities are empowered to impose fines and sanctions on entities that fail to comply with the Directive’s provisions.
Penalties for non-compliance are significant, with fines reaching up to 2% of an entity’s annual turnover. Competent authorities can also issue binding instructions, orders to implement specific security measures, and administrative fines. This strong enforcement framework ensures that entities take cybersecurity seriously and implement the measures necessary to protect against cyber threats.
Moreover, the Directive introduces personal responsibility for upper management, holding them liable for non-compliance with the Directive’s requirements. This provision aims to ensure that cybersecurity is prioritized at the highest levels of management, fostering a culture of accountability and proactive risk management.
The enforcement and penalty regime is designed to be proportionate and effective, taking into account the entity’s size, complexity, and impact on the economy and society. Competent authorities are also required to consider the entity’s efforts to comply with the Directive and its cooperation with the authority. This balanced approach ensures that entities are motivated to enhance their cybersecurity posture while providing a fair and effective response to non-compliance.
Conclusion
Despite the comprehensive regulatory framework established by NIS2, Europe continues to face significant cybersecurity challenges. The rapid pace of digital transformation, the increasing sophistication of cyber threats, and the proliferation of connected devices all contribute to a complex and dynamic threat landscape. Ensuring that businesses of all sizes, particularly small and medium-sized enterprises (SMEs), can comply with these complex regulations remains a concern. Emphasizing cyber resilience is crucial to enhancing the security of critical digital infrastructures across Europe, as it helps entities adopt comprehensive measures to prevent, respond to, and recover from cybersecurity incidents. Additionally, there is a pressing need for a skilled cybersecurity workforce to implement and manage the required measures.