NIS2 Directive
Strengthen your organization’s cybersecurity and resilience
NIS2 was formally adopted by the European Union in December 2022. Luxembourg, like every other EU Member State, must transpose it into national law by 17 October 2024, and has introduced Bill of Law No. 8364 for that purpose. From finance and public administration to space and waste management, NIS2 will demand enhanced cybersecurity measures and resilience across a wide range of sectors. Are you prepared?
The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) raises the standard for cybersecurity across the European Union. It repeals NIS1 (Directive (EU) 2016/1148) but keeps NIS1's focus on protecting critical infrastructure, extending heightened cybersecurity requirements to a broader range of sectors and entities.
How is NIS2 different from NIS1?
Entities are categorized differently:
There are now two categories of entities that are grouped according to criticality of the associated sector:
Essential entities belong to sectors deemed “highly critical.”
Important entities belong to other sectors deemed only “critical.”
A further distinction is made based on company size and turnover: small and micro enterprises are generally out of scope, subject to the sector-specific exceptions the Directive lists (for example certain digital infrastructure providers that remain in scope regardless of size).
The NIS1 distinction between operators of essential services (OES) and digital service providers (DSPs) no longer exists. The Institut Luxembourgeois de Régulation (ILR) will maintain the list of entities in scope.
Entities are treated differently depending on their categorization:
Both essential and important entities must meet the same security requirements. Important entities are supervised ex post, i.e. only once there is evidence of non-compliance, whereas essential entities are additionally subject to an ex-ante supervisory regime (e.g., inspections, random checks, audits, requests for information).
Administrative fines for essential entities can reach €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is €7 million or 1.4% of turnover, whichever is higher.
There are new requirements that:
Oblige entities in scope to adopt specific cyber risk management practices;
Introduce a two-stage approach to incident reporting; and
Eleven sectors have been identified as “highly critical” because compromising the essential entities within them would have a broad and immediate impact on societal functions, public health and the economy. These highly critical sectors also form a foundation on which other sectors depend, which amplifies the impact of their disruption.
Public administration
Banking
Financial market infrastructures
Energy
Transport
Space
Digital infrastructure
ICT service management
Drinking water
Wastewater
Health
7 other “Critical” sectors (containing important entities)
Seven other sectors have been identified as “critical” based on the significant consequences that would follow the disruption of their important entities.
Postal and courier services
Manufacturing
Production, processing and distribution of food
Manufacture, production and distribution of chemicals
Waste management
Digital providers
Research
NIS2: New requirements, new challenges
NIS2 demands a wide range of cybersecurity enhancements, from governance and risk management to technical controls.
Entities that fail to comply with the obligations set out in the national transposition of the NIS2 Directive face possible sanctions, including: binding deadlines for achieving compliance, withdrawal of certifications, mandatory discontinuation of non-compliant activities, fines or other administrative sanctions, and administrative liability of the management body.
Timely self-registration
Requirements
Once it has been established that your entity falls within scope, it must register* with the Institut Luxembourgeois de Régulation (ILR) via its dedicated webpage, within the time frame the ILR specifies.
*Entities already in scope of NIS1 are not required to register themselves.
Implications
Determining whether the entity is in scope and completing the registration are the entity's own responsibility.
Increased risk ownership
Requirements
Management bodies must approve the cybersecurity measures, complete training in cybersecurity, and offer similar training to employees.
Implications
Management bodies will assume increased responsibility and will need to play a crucial and active role.
Additional security requirements
Requirements
It will be mandatory to implement the following:
Perform a risk analysis that covers not only IT risks but all other relevant risks as well (e.g., HR and physical risks)
Adopt and regularly review information system security policies and procedures to assess the effectiveness of cybersecurity risk-management
Consider the use of cryptography and encryption
Use multi-factor authentication and secure communication systems
Implement basic cyber hygiene practices and cybersecurity trainings
Enhance business continuity
Implications
Compliant cyber risk management will require an all-hazards approach in order to safeguard network and information systems and their physical environment from incidents.
Heightened focus on supply chain security
Requirements
Entities must assess the security of the supply chain and perform due diligence when selecting managed security services providers (MSSP).
Implications
All efforts must be made to ensure a secure supply chain.
Expanded incident reporting
Requirements
Entities must adopt a staged incident notification process, which gives authorities early visibility to help contain attacks and feeds lessons learned back into future resilience plans.
Implications
The competent authority must receive an early warning within 24 hours of the entity becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report no later than one month after that notification.
How Deloitte can help
From assessing the directive’s applicability to designing and implementing a remediation roadmap, Deloitte offers full-cycle support to address the challenges brought by the NIS2 directive.
Applicability assessment
Readiness assessment
Compliance with security requirements
Incident reporting guidelines
You must first confirm if the NIS2 requirements apply to you. We can help you:
Analyze your organization to check whether it falls under the entities in scope; and
Define and detail the NIS2 requirements applicable to your organization while considering the jurisdictional context.
If your organization is subject to requirements of NIS2, you will need to assess your readiness. We can help you:
Perform a gap assessment of the NIS2 security requirements, aligning it with other regulations applicable to your organization; and
Assess your third-party risk management practices.
If you need support in implementing the enhanced security measures required by NIS2, we can help you:
Define a detailed remediation roadmap to mitigate cyber risk and increase compliance; and
Assist with implementing the required cybersecurity measures. This includes notably:
Shaping and updating the required policies and procedures
Providing cybersecurity awareness training for management bodies and staff
Selecting and implementing multi-factor authentication (MFA) solutions
If you need help complying with the required two-stage approach to reporting incidents, we can help you:
Align your incident reporting process with the new requirements; and
Leverage purple teaming to review, test, and improve your mechanisms for detecting security incidents.