This blog post was originally published on Directors' Institute Finland's website.
NIS2 is the latest EU cybersecurity directive, building upon the original NIS directive. Its primary goal is to strengthen the security of network and information systems across the EU. This directive mandates that operators of critical infrastructure and essential services implement robust security measures and promptly report any incidents to relevant authorities. By modernizing the existing legal framework, NIS2 addresses the increased digitization and evolving cybersecurity threats. It also broadens the scope of cybersecurity regulations to include new sectors and entities, enhancing the resilience and incident-response capacities of public and private organizations, competent authorities, and the EU as a whole.
EU member states had until 17 October 2024 to transpose the directive into national law, but only a few countries have done so. Finland, for instance, has not yet implemented NIS2; a draft government proposal has been prepared, and it is highly likely that national implementation will be completed during the first half of 2025. You can follow the legislative process here: HE 57/2024 vp.
NIS2 applies to organizations in the sectors it lists that have at least 50 employees or an annual turnover of at least EUR 10 million. There are exceptions: for example, an organization covered by the Critical Entities Resilience (CER) directive falls under NIS2 regardless of its size. Entities in scope are categorized into two groups, essential entities and important entities, and the supervisory regime and the maximum fines differ between the two.
NIS2 elevates cybersecurity to a board-level priority by holding senior leadership and the board accountable for infringements. The governing bodies of both essential and important entities must approve the organization's cybersecurity risk-management measures and oversee their implementation, and they can be held liable for breaches of the directive, although this liability does not override existing national rules on the liability of public institutions and officials. Governing bodies must also ensure they have the knowledge needed to identify and assess cybersecurity risks and management practices, and they must attend training to that end. Employees should likewise receive regular training so that they can identify risks and understand the effect of the organization's cybersecurity measures.
Authorities will supervise compliance through various methods, including on-site inspections, external monitoring, and security checks. Enforcement measures range from warnings and binding instructions to administrative fines. For essential entities, fines can reach EUR 10 million or 2% of total annual worldwide turnover, whichever is higher; for important entities, EUR 7 million or 1.4% of turnover, whichever is higher. Members of the governing bodies of essential entities may also face personal liability, and the persons responsible for managing an essential entity may be temporarily banned from exercising managerial functions.
To comply with NIS2, EU member states must ensure that essential and important entities implement appropriate and proportionate cybersecurity risk-management measures. These measures follow an all-hazards approach and cover, at a minimum, risk analysis and information-system security policies, incident handling, business continuity (including backups and crisis management), supply chain security, security in the acquisition and maintenance of systems (including vulnerability handling), and cybersecurity training and basic cyber hygiene. Organizations must assess the vulnerabilities specific to each of their suppliers and service providers, and they must report significant incidents to the authorities promptly: under the directive this means an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Compliance therefore involves detailed reporting obligations and may require specific technical and methodological changes in the organization.
Deloitte supports organizations in achieving NIS2 compliance by building on their existing strengths while aligning them with the EU requirements. This involves assessing the regulatory impact on the different parts of the organization and its stakeholders, conducting a comprehensive baseline assessment to identify the key areas for development, and implementing the required cybersecurity measures, such as risk management and business continuity planning.