NIS2:
Regulations for increased cyber security within the EU

With increasing threats from cyber attacks and digital vulnerabilities, the European Union (EU) has introduced a new comprehensive regulatory framework: NIS2. The directive, which entered into force on 16 January 2023, aims to strengthen the cyber security and resilience of critical sectors within the Union. All member states have until 18 October 2024 to incorporate NIS2 into national legislation. This regulatory framework replaces the previous NIS directive from 2016: it covers more sectors, sets higher requirements for security and incident management, and establishes clearer cooperation structures between member states.

What is NIS2?

NIS2 (Network and Information Security Directive) is the EU's updated framework for improving the security of networks and information systems in critical sectors. The directive expands the scope compared to the original NIS directive and places higher demands on both public and private actors in a range of sectors, including energy, transport, finance, health and digital infrastructure. NIS2's goal is to improve the ability of these actors to prevent, detect and manage cyber threats and security incidents, thereby protecting the EU's economic and social interests.

Basic provisions

Extended application
NIS2 covers more sectors and actors than before. In addition to traditionally critical areas such as energy and transport, NIS2 also includes sectors such as public administration, aerospace and electronic communications services. The directive divides organizations into two categories, "essential entities" and "important entities", and the requirements vary depending on which category an actor belongs to. Essential entities, such as energy suppliers, are under stricter supervision than important entities, but both categories must comply with the same basic security requirements.

Requirements for risk management and incident management
As with its predecessor NIS, NIS2 requires all covered actors to implement comprehensive security measures to manage risks associated with their network and information systems. Actors must establish processes to identify and manage potential cyber threats and ensure that their systems and data are protected. Incident management is a central part of NIS2, where all actors must be able to detect, report and remedy security incidents within strict time frames.

Reporting of incidents
An important change in NIS2 is the stricter reporting obligation for cyber incidents. Entities must report major security incidents to the relevant authorities within 24 hours of discovery of the incident. This is a significant reinforcement compared to previous requirements and means that faster action can be taken to limit the damage from incidents and the spillover effect within the Union.

Supervision and sanctions
Under NIS2, member states' responsibilities for supervision and compliance are expanded. Authorities within each country are empowered to carry out inspections and issue administrative sanctions to ensure that companies comply with their obligations. The penalties for non-compliance can be significant, with fines of up to €10 million or 2% of global annual turnover for companies that fail to live up to the requirements.

Technical requirements

To further strengthen security, NIS2 places specific technical requirements on the actors' information systems. These requirements are intended to improve both proactive and reactive cyber threat management.

Risk management system
Every organization covered by NIS2 must develop and implement a comprehensive risk management system for its network and information systems. This includes identifying critical assets and functions and ensuring that their protection is adequate. The requirement also means that the actors must continuously monitor and update their systems to deal with new threats.

Regular security tests
A central part of NIS2 is that actors regularly carry out security tests and vulnerability analyses of their systems. This includes penetration testing that simulates real cyber attacks in order to identify and fix weaknesses before they can be exploited by malicious actors.

Encryption and data management
NIS2 places great emphasis on protecting data through encryption and other data protection measures. Sensitive data must be encrypted both at rest and in transit, ensuring that even if the data is stolen, it cannot be used without the proper decryption keys. Companies must also implement strong authentication mechanisms, such as multi-factor authentication (MFA), to protect their systems from unauthorized access.

Impact on companies and organizations

NIS2 means a significant change for many companies and organizations within the EU. Not only are more sectors now covered by the rules, but higher requirements are placed on risk management, incident management and security testing. Companies that were not previously covered by the NIS directive must now build up structures and procedures to ensure that they meet the new requirements, which can mean investment in new technology, security personnel and training. Third-party providers that offer critical services to businesses in the EU must also comply with NIS2 security standards, so businesses must review their supplier agreements to ensure that external actors maintain the same high level of security as they do themselves.

Collaboration and information sharing

Another important aspect of NIS2 is to strengthen cooperation between EU member states in terms of cyber security. The regulations call for increased information exchange between the countries and between companies and authorities. By sharing information about threats and incidents, actors within the EU can act more quickly to protect themselves against common cyber threats.