NIS2 | 2026-02-07 | 11 min read

NIS2 Directive Explained: Who It Affects and What to Do


Introduction

Step 1: Open your third-party (ICT provider) register. If you don't have one, that's your first problem. NIS2 requires in-scope entities to address supply chain security (Article 21(2)(d)), and you cannot assess the risk of suppliers you have not listed. The NIS2 directive, formally Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, replaces the 2016 NIS directive and tightens the cybersecurity obligations of "essential" and "important" entities in critical sectors; banking and financial market infrastructures are among the sectors of high criticality in Annex I. One caveat for this audience: for financial entities, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is the sector-specific act that applies in place of the overlapping NIS2 provisions (NIS2 Article 4), so a bank or investment firm will meet most of these obligations through DORA, whose risk-management, third-party and incident-reporting requirements are closely aligned with those described here. If you're a compliance professional, CISO, or IT leader at a European financial institution or at one of its ICT providers, this matters to you. Failure to comply can result in administrative fines of up to €10 million or 2% of total worldwide annual turnover for essential entities (€7 million or 1.4% for important entities, Article 34), audit failures, operational disruption, and severe reputational damage.

The NIS2 directive is not just another regulation to check off a list. It represents a fundamental shift in how the EU approaches cybersecurity. By reading this article, you'll gain a deep understanding of what NIS2 means for your organization, who it affects, and what concrete steps you can take to ensure compliance.

The Core Problem

Many organizations mistakenly view the NIS2 directive as a mere cybersecurity standard. In reality it is a legal instrument that adds governance duties for management bodies, supply chain obligations, staged incident reporting and national supervisory powers. NIS2 has far-reaching implications for any organization operating within the EU in one of the listed sectors, including the financial services sector and the ICT providers that serve it.

Consider the numbers: for an essential entity, non-compliance can draw an administrative fine of up to €10 million or 2% of total worldwide annual turnover of the undertaking, whichever is higher (Article 34(4)). For a group with a turnover of 1 billion EUR, that's 20 million EUR in potential fines. That's real money. And that's just the financial cost. The operational disruption and reputational damage caused by non-compliance can be even more devastating.

Most organizations are also getting the scope of NIS2 wrong. They're focusing on the technical cybersecurity aspects, when in reality NIS2 has a much broader scope. Per Article 21(1), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of their network and information systems and to prevent or minimise the impact of incidents on the recipients of their services. Article 21(2) lists the minimum areas those measures must cover: risk analysis and information system security policies, incident handling, business continuity (backups, disaster recovery, crisis management), supply chain security, secure acquisition, development and maintenance including vulnerability handling and disclosure, assessment of the effectiveness of the measures, cyber hygiene and training, cryptography and encryption policies, human resources security, access control and asset management, and multi-factor or continuous authentication.

This means organizations need robust incident response plans and processes for identifying, assessing, and managing risks to network and information security. Article 20 goes further: the management body must approve the risk-management measures, oversee their implementation, can be held liable for infringements, and its members must follow cybersecurity training. Many organizations have not yet implemented these requirements, leaving them exposed to NIS2-related risks.

Why This Is Urgent Now

The urgency is real. The transposition deadline for NIS2 was 17 October 2024, and each Member State's designated competent authorities have supervisory and enforcement powers over essential entities (Article 32) and important entities (Article 33): on-site inspections, security audits, requests for evidence of compliance, binding instructions, and, for essential entities, the power to temporarily suspend certifications or the managerial duties of the persons responsible. Enforcement is national rather than by the European Commission, but the instrument is in force and the supervisors have the tools to use it.

Moreover, customers are increasingly demanding cybersecurity certifications. A recent study found that 82% of consumers would pay more for products from companies with strong cybersecurity measures in place. Non-compliance with NIS2 not only exposes your organization to regulatory risks but also puts you at a competitive disadvantage.

The gap between where most organizations are and where they need to be is significant. According to one industry survey, only 37% of financial institutions have a comprehensive third-party risk management program in place. Yet Article 21(2)(d) of NIS2 requires supply chain security, including the security-related aspects of the relationships between each entity and its direct suppliers or service providers, and Article 21(3) requires entities to take into account the vulnerabilities specific to each supplier and the overall quality of their products and cybersecurity practices. For financial entities, DORA's ICT third-party risk chapter, including the register of information on all contractual arrangements with ICT providers, plays the same role.

In the face of increasing regulatory scrutiny and market pressure, organizations can no longer afford to delay their NIS2 compliance efforts. The consequences of non-compliance are simply too severe. The good news is that by taking proactive steps today, you can position your organization for success under the NIS2 directive.

The Solution Framework

To effectively navigate the NIS2 landscape, establishing a structured, risk-based approach is essential. This framework acts as a map for organizations to identify and manage the cybersecurity risks that NIS2 requires them to address, and each step maps onto a requirement of the directive.

Step 1: Identify Key Assets
Start by identifying the critical services your organization provides and the assets that support these services. Asset management is one of the minimum measures listed in Article 21(2)(i), and you cannot scope risk assessments, incident impact or supplier dependencies without it. This involves cataloging all hardware, software, data and third-party services that could be affected by a cybersecurity incident, together with the interconnections between them.

Step 2: Conduct Risk Assessments
Under NIS2, an all-hazards risk analysis is the foundation of the required measures (Article 21(1) and 21(2)(a)). Use these assessments to identify potential cybersecurity threats and vulnerabilities. The goal is to understand the likelihood and potential impact of various incidents. Use both quantitative and qualitative analyses to assess risk, and consider the dependencies and interconnections between different assets, services and suppliers.

Step 3: Establish and Implement Security Measures
NIS2 (Article 21(1)) requires measures that are appropriate and proportionate to the risk, taking into account the state of the art, relevant European and international standards where applicable, the cost of implementation, and the entity's size and exposure. This involves developing and implementing security policies, procedures, and controls that cover at least the ten areas of Article 21(2) and effectively manage the identified risks. Ensure these measures align with industry best practices and are adaptable to evolving threats.

Step 4: Incident Reporting and Management
NIS2 demands mandatory reporting of significant incidents (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month of that notification. Develop robust incident management processes that include timely detection, response, and reporting mechanisms. This includes having clear communication channels with the competent authority or CSIRT, with the recipients of your services where appropriate, and with other stakeholders.

Step 5: Continuous Monitoring and Improvement
NIS2 requires policies and procedures to assess the effectiveness of your risk-management measures (Article 21(2)(f)) and ongoing training for the management body (Article 20(2)). Regularly review and update your cybersecurity measures, risk assessments, and incident response plans. This ongoing process helps ensure that your organization remains compliant and resilient in the face of changing threats.

Common Mistakes to Avoid

  1. Underestimating Asset Identification: Some organizations underestimate the breadth of assets they must protect under NIS2. They might overlook third-party services or fail to consider interdependencies between systems. This mistake can leave gaps in your security posture. Instead, conduct comprehensive asset identification that includes all digital services, assets, and their interconnections.

  2. Inadequate Risk Assessments: A common error is performing risk assessments that are too generic or superficial. This can result in an incomplete understanding of the organization’s exposure to cybersecurity threats. Instead, perform detailed, asset-specific risk assessments that consider the unique vulnerabilities and potential impacts of each asset.

  3. Lack of Incident Response Preparedness: Some organizations fail to establish clear incident response plans or neglect to train staff in the execution of these plans. This can lead to delayed or ineffective incident management. Develop and regularly update incident response plans, and ensure that all relevant personnel are trained in their execution.

  4. Neglecting Continuous Improvement: Finally, some organizations view NIS2 compliance as a one-time task rather than an ongoing process. This can result in compliance gaps over time. Instead, commit to continuous monitoring and improvement of your cybersecurity measures, ensuring that your organization remains resilient against evolving threats.

Tools and Approaches

Manual Approach

  • Pros: It can be cost-effective and allows for a high degree of customization. It also encourages a deep understanding of the organization’s specific risks and assets.
  • Cons: It is time-consuming and prone to human error. It also struggles to keep pace with the dynamic nature of cybersecurity threats.
  • When It Works: It can be effective for small organizations with limited assets and a simple digital service architecture.

Spreadsheet/GRC Approach

  • Limitations: While this approach can help manage documentation and tracking of compliance efforts, it often lacks the ability to automate processes or integrate with other systems. This can result in inefficiencies and delays in identifying and addressing compliance issues.
  • When It Works: It can be suitable for medium-sized organizations that have some cybersecurity processes in place but require a structured way to document and track compliance efforts.

Automated Compliance Platforms

  • What to Look For: Look for platforms that support risk assessments, incident reporting, and continuous monitoring. They should also integrate with other systems and be customizable to meet the specific needs of your organization.
  • When It Helps: Automation can significantly reduce the workload and increase the accuracy of compliance efforts, especially for larger organizations with complex digital service architectures and numerous assets.
  • When It Doesn’t: While automation can streamline many compliance tasks, it cannot replace the need for human judgment and expertise in areas such as risk assessment and incident response.

Matproof Mention

Matproof, a compliance automation platform specifically built for EU financial services, can support organizations in their NIS2 compliance journey. It offers AI-powered policy generation, automated evidence collection from cloud providers, and an endpoint compliance agent for device monitoring—all while ensuring 100% EU data residency. This can help organizations efficiently manage their compliance efforts, from risk assessments to incident reporting and beyond. Visit Matproof to explore how it can streamline your NIS2 compliance process.

Getting Started: Your Next Steps

To ensure you are compliant with the NIS2 directive, follow these five steps this week:

  1. Review the NIS2 directive: Start with the official text, Directive (EU) 2022/2555, published in the Official Journal on 27 December 2022 and in force since 16 January 2023, with national transposition due by 17 October 2024. Review it to understand the scope and requirements that apply to your organization, and then check the transposing law in each Member State where you operate, because registration, supervision and reporting portals are national.

    Action: Download Directive (EU) 2022/2555 from EUR-Lex and identify the national transposition law(s) that apply to you.

  2. Assess your current cybersecurity posture: Identify gaps between your current practices and NIS2 requirements. Review your incident management, risk assessment, and reporting procedures.

    Action: Conduct a quick audit of your security policies and incident response plan.

  3. Engage with your IT and security teams: Discuss the NIS2 directive’s implications and collaborate on a strategic plan to address the requirements.

    Action: Schedule a meeting with your IT and security teams to discuss NIS2 compliance.

  4. Determine the need for external expertise: Consider whether you need external help or if your in-house team can manage the compliance efforts.

    Action: Evaluate your team’s bandwidth and expertise. If gaps exist, explore hiring a consultant or compliance automation platform.

  5. Quick win: Implement an endpoint compliance agent: A simple, immediate step is deploying an endpoint compliance agent to monitor devices and ensure they meet security requirements.

    Action: Start with a free assessment from Matproof, which offers an endpoint compliance agent and can help automate compliance.

Frequently Asked Questions

Q1: What are the reporting obligations under NIS2?

Under NIS2, essential and important entities must notify their CSIRT or competent authority of any incident that has a significant impact on the provision of their services (Article 23(1)). An incident is significant when it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or when it has affected or is capable of affecting other persons by causing considerable material or non-material damage (Article 23(3)). Reporting is staged (Article 23(4)): an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, intermediate reports on request, and a final report no later than one month after the incident notification. Where appropriate, the recipients of the service must also be informed, and entities may report significant cyber threats voluntarily (Article 30). There is no standing duty to file periodic risk assessments, but competent authorities can request evidence of compliance during supervision.

Action: Review the NIS2 requirements to understand the specific reporting obligations.

Q2: How will NIS2 impact incident response planning?

NIS2 intensifies the focus on incident response. Companies will need to ensure they have robust incident response plans that align with the directive’s requirements. This includes having clear procedures for identifying, containing, and mitigating incidents, deciding quickly whether an incident meets the Article 23(3) significance threshold, and communicating it to the relevant authorities within the staged timeframes.

Action: Update your incident response plan to align with NIS2 requirements, specifically the 24-hour early warning, the 72-hour incident notification and the one-month final report, and make sure the plan records the time at which you became aware of the incident, because that is when the clock starts.
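The deadline arithmetic in Q1 and Q2 is easy to get wrong under pressure, so here is a small tracker, added as an example for this article and not taken from the original post or from any product. The timing rules (24 h and 72 h from becoming aware, final report one calendar month after the 72 h notification, Article 23(3) significance criteria) are those of Directive (EU) 2022/2555; the function names, the dataclass and the sample incident times are assumptions made for illustration.

```python
"""Deadline tracker for NIS2 Article 23(4) incident reporting (added example).

Rules encoded here are from Article 23 of Directive (EU) 2022/2555; names and
sample data are illustrative assumptions, not part of the original post.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Both clocks start when the entity becomes AWARE of the incident, not when it
# occurred (Art. 23(4)(a) and (b)).
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def is_significant(severe_disruption: bool, financial_loss: bool,
                   third_party_damage: bool) -> bool:
    """Art. 23(3): significant if it has caused or is capable of causing severe
    operational disruption or financial loss (a), or considerable material or
    non-material damage to other natural or legal persons (b)."""
    return severe_disruption or financial_loss or third_party_damage


def add_one_month(t: datetime) -> datetime:
    """One calendar month later, clamped to the last day of the target month
    (31 Jan -> 28/29 Feb). The directive says 'one month', not 30 days."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingSchedule:
    aware_at: datetime
    early_warning_due: datetime
    notification_due: datetime
    # Art. 23(4)(d): one month after the 72 h notification was actually sent,
    # so this is unknown until that submission happens.
    final_report_due: Optional[datetime]


def schedule(aware_at: datetime,
             notification_sent_at: Optional[datetime] = None) -> ReportingSchedule:
    """Compute the three statutory deadlines for one significant incident."""
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; deadlines are wall-clock")
    final = add_one_month(notification_sent_at) if notification_sent_at else None
    return ReportingSchedule(aware_at,
                             aware_at + EARLY_WARNING,
                             aware_at + INCIDENT_NOTIFICATION,
                             final)


def overdue(s: ReportingSchedule, now: datetime, early_sent: bool,
            notification_sent: bool, final_sent: bool) -> List[str]:
    """Return the names of the reports that are past due and not yet sent."""
    missed = []
    if not early_sent and now > s.early_warning_due:
        missed.append("early_warning")
    if not notification_sent and now > s.notification_due:
        missed.append("incident_notification")
    if s.final_report_due is not None and not final_sent and now > s.final_report_due:
        missed.append("final_report")
    return missed


if __name__ == "__main__":
    # Constructed sample: SOC confirmed a ransomware outbreak at 10:00 UTC on 3 March 2025.
    aware = datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc)
    if is_significant(severe_disruption=True, financial_loss=False, third_party_damage=False):
        s = schedule(aware, notification_sent_at=datetime(2025, 3, 5, 15, 0, tzinfo=timezone.utc))
        print(s)
        print(overdue(s, datetime(2025, 3, 6, 12, 0, tzinfo=timezone.utc),
                      early_sent=True, notification_sent=True, final_sent=False))
```

Two design points worth carrying into a real playbook: the final-report deadline is anchored to when you actually submitted the 72 h notification, so submitting early buys no extra time on the final report, and the month is a calendar month, so a notification sent on the 31st is due on the last day of the next month rather than 30 days later. Trust service providers have a shorter, 24-hour notification timeline under Article 23(4), which this example does not model.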

Q3: What are the penalties for non-compliance with NIS2?

Non-compliance with NIS2 can result in significant penalties. Under Article 34, essential entities face administrative fines of up to €10 million or 2% of the total worldwide annual turnover of the undertaking, whichever is higher; for important entities the maximum is €7 million or 1.4%. Member States may additionally provide for periodic penalty payments to compel compliance, and competent authorities can impose non-financial measures such as binding instructions, orders to publicise the infringement and, for essential entities, temporary suspension of certifications or of managerial duties.

Action: Review the penalties outlined in the NIS2 directive to understand the risks of non-compliance.

Q4: How does NIS2 affect cloud service providers?

Cloud computing service providers fall under the digital infrastructure sector in Annex I of NIS2. Large providers are essential entities and medium-sized ones are important entities (Article 3), so they carry the full Article 21 risk-management measures and the Article 23 reporting obligations, including the 24-hour early warning and 72-hour incident notification. Jurisdiction follows the provider's main establishment in the Union (Article 26), a provider not established in the Union must designate a representative there, and cloud providers must submit their identifying details for the registry of entities that ENISA maintains (Article 27).

Action: Cloud service providers should review Article 3 (scope), Article 21 (measures), Article 23 (reporting) and Articles 26 and 27 (jurisdiction and registration) of the NIS2 directive.

Q5: Is our organization considered an essential service under NIS2?

The NIS2 directive applies to entities in the sectors of high criticality listed in Annex I (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space) and the other critical sectors listed in Annex II (postal services, waste management, chemicals, food, manufacturing, digital providers and research). Sector alone does not make you an essential entity: under Article 3, large enterprises in Annex I sectors are essential entities, medium-sized Annex I entities and Annex II entities are generally important entities, and some types (for example DNS providers and trust service providers) are in scope regardless of size. Financial entities should also check DORA, which applies to them as the sector-specific act.

Action: Identify your sector in Annex I or II, then apply the Article 3 size and type criteria to determine whether you are an essential or an important entity.

Key Takeaways

  • The NIS2 directive significantly expands the scope of cybersecurity obligations to essential and important entities across the sectors of Annexes I and II, including the ICT providers that serve financial institutions.
  • Compliance will require a comprehensive review of your organization’s cybersecurity practices, supply chain risk management, management-body oversight, incident response planning, and staged reporting procedures.
  • The penalties for non-compliance are severe, with administrative fines of up to €10 million or 2% of worldwide annual turnover for essential entities.
  • Matproof can help automate compliance with NIS2 and other regulations. Visit Matproof for a free assessment and to start your compliance journey.
Tags: NIS2 directive, NIS2 explained, NIS2 requirements, EU cybersecurity directive
