Tue, Feb 18, 2025

NIS2: A Roadmap to Compliance

The deadline for European Union member states to pass the new EU NIS2 regulation into national law was October 17, 2024, yet only a few countries have transposed it into law. Others are lagging behind, with regulations still in draft or public consultation, or not yet started at all. In the absence of certainty for firms (or what NIS2 calls entities), confusion is understandable, but steps can already be taken based on what we know.

What is NIS2?

NIS2 replaces the original NIS Directive from 2016, which sought to set a high level of cybersecurity for critical infrastructure across the EU. NIS2 is an important update: the original NIS Directive was considered to have too limited a scope and to lack consistency in how member states applied it. NIS2 therefore expands the range of EU entities it covers and introduces a wider supervisory and coordination regime from member states, with which entities will need to register.

Does NIS2 Apply to the UK?

For now, the UK is an outsider. While the original NIS came into force prior to the UK’s withdrawal from the EU, NIS2 was released post-Brexit, meaning the UK is outside its scope. Despite this, UK firms can expect the government’s upcoming Cyber Security and Resilience Bill to adopt much of what is covered in the EU NIS2, with timelines lagging behind those of EU member states under NIS2. While full details are not available, we can see from the King’s Speech on July 17 at the opening of Parliament that the regulation will bring more digital services into scope than before. Furthermore, we can see that, as with NIS2, regulators will be given additional powers to ensure firms are implementing robust cyber security measures, with tighter reporting obligations.

Expanded Scope to Additional Sectors

NIS2 expands the scope of NIS to 18 sectors, with the addition of utilities such as water and waste management, public administration, space, ICT providers, post, manufacturing, food, chemical production and distribution, and research. Company sectors are divided into two categories depending on whether they are determined to be ‘High Criticality’ or ‘Other critical services’, with companies in those categories becoming ‘Essential’ or ‘Important’ respectively. The size or revenue (less than 250 employees or annual turnover of < €50 million) of the entity in some sectors can drop the company from ‘Essential’ to ‘Important’, or even take it out of NIS2 scope altogether if it is classified as a small ‘microenterprise’ (less than 50 employees or annual turnover of < €10 million).
Entities in scope are subject to the same requirements regardless of whether they are ‘Essential’ or ‘Important’. The difference between the two classifications determines the entity’s supervision level and potential fines, as follows:

  • Essential Entities
      • Proactive supervision. On-site inspections, document reviews, random checks and regular audits of entities to find evidence that a cybersecurity policy has been implemented.
      • Highest fines. Should a company have an incident because of non-compliance, it can face fines of either €10 million or 2% of annual turnover, whichever is higher.
  • Important Entities
      • Reactive supervision. Triggered where there is evidence of non-compliance, such as failures revealed by an incident.
      • Large fines. Either €7 million or 1.4% of annual turnover, whichever is higher.

Enhanced Supervisory Powers

The NIS2 Directive places requirements on member states to supervise, enforce and provide mechanisms for the sharing of data between entities and between member states. This data reporting, sharing and enforcement comes via a number of mechanisms:

  • Competent Authorities

An authority designated by the member state to oversee NIS2. These will be government organisations, and each member state will designate their own.

  • Member State Cyber Security Incident Response Team (CSIRT)

To allow coordination of incidents within member states and facilitate information sharing. In addition, a member state’s CSIRT may coordinate with the CSIRTs of other member states where there is cross-border impact.

  • Disclosure of Vulnerabilities to an EU DB

Each CSIRT is responsible for coordinating and facilitating the disclosure of vulnerabilities in ICT systems across entities in its member state and with other CSIRTs. To aid this, a European vulnerability database will be established in conjunction with ENISA, available to in-scope entities and, on a voluntary basis, to entities outside the scope.

  • European Cyber Crisis Liaison Organisation Network (EU-CyCLONe)

Made up of representatives of each member state, ensuring close coordination and regular sharing of relevant data, as well as coordinated management of large-scale incidents.

  • Registration of Entities

Each member state will set up a register for entities to add their details. We have seen that in some member states such as Hungary, at the point of registration the entities need to pay a ‘supervision fee’, based on the revenue of the entity being registered.

  • EU Cyber Certifications

As part of future-proofing the directive, there is scope to require that in-scope entities use certified ICT products and services which have been demonstrated to have sufficient levels of security.

  • Cooperation Groups

Formed, again, from representatives of all member states, this group will oversee the implementation of NIS2, provide guidance to competent authorities on implementation, and exchange best practices.

Directly Aimed at Entities

Governance and Expectations on Senior Management

Article 20

Clear accountability for senior managers of the entities, who must be responsible for and approve cyber security measures. In addition, they must undergo sufficient cyber security training and should offer similar training to all employees.

Indirectly Aimed at Entities

Security Risk Management Measures

Article 21

Lists the specific cybersecurity measures that should be taken to manage the specific risks of the entity, which should be determined by taking an ‘all-hazards’ approach to threats. We also see the ‘state-of-the-art’ requirement we first saw EU-wide in GDPR, where firms should be able to demonstrate that they have made sensible technology choices and have at least considered the more modern technologies available in the market.

Roadmap to NIS2 Compliance

So even though the deadline has passed, and guidance in some territories is unclear, how can entities plan for their NIS2 compliance before EU-wide transposition into national law by each member state? The good news – although that is perhaps unsurprising given the aim of NIS2 – is that the transpositions we have seen so far are similar in approach, and entities will need to follow the same overall approach outlined below:

[Figure: NIS2: A Roadmap to Compliance]

Time Is of the Essence

While the deadline for regulators may have passed and the UK might not yet be implementing a NIS2-like regulation, entities should not adopt a wait-and-see approach to NIS2 compliance. As we see from member states that have transposed the regulation in full, very few grace periods or long timelines are being offered for NIS2 compliance.

With NIS2 compliance there is a lot of “no regret” remedial work that will be required regardless of where in Europe you sit and who your regulator is, including enhancing risk assessments, accountability, multi-factor authentication (MFA), training and other specific aspects in the directive. Organizations need to remember that it’s a law, not a recommendation or a guideline, so the associated regulatory risk and potential repercussions are very real. If they haven’t already started to do so, organizations must now act to be prepared for NIS2 requirements.

Entities can achieve this more easily and quickly by accessing support from partners with proven expertise. With unrivalled expertise in cybersecurity assessments and program design, cyber resilience risk management, incident response, digital resilience testing and third-party risk management, Kroll is uniquely positioned to provide in-depth support to help your organization prepare for and fully meet NIS2 requirements.

Kroll can support you by providing a custom NIS2 compliance assessment consisting of:

  • Evaluation of your organization’s current cyber security maturity against NIS2 requirements with a clear risk rating highlighting key gaps, existing coverage and areas of improvement
  • A roadmap outlining actionable tasks and timeframes to address key weaknesses
  • Implementation and remediation support to achieve a defensible position and ensure greenfield processes and controls

Reach out to us today for more information.
