
NIS2 Directive

Strengthen your organization’s cybersecurity and resilience

Following the Directive’s official adoption by the European Union in December 2022, the Luxembourg government, like all EU Member States, is required to have transposed it into national law by 17 October 2024. In response to this Directive, Luxembourg has introduced Bill of Law No. 8364. From finance and public administration to space and waste management, NIS2 will demand enhanced cybersecurity measures and resilience across several sectors. Are you prepared?

What is NIS2?

The Network and Information Security Directive 2 (NIS2) raises the standard for cybersecurity across the European Union. While NIS2 (Directive (EU) 2022/2555) replaces NIS1 (Directive (EU) 2016/1148), it retains NIS1’s focus on protecting critical infrastructure and extends heightened cybersecurity requirements to an expanded range of sectors and entities.

How is NIS2 different from NIS1?

Entities are categorized differently:

  • There are now two categories of entities that are grouped according to criticality of the associated sector:
    • Essential entities belong to sectors deemed “highly critical.”  
    • Important entities belong to other sectors deemed only “critical.”
  • A further distinction is made based on company size and turnover; small and micro enterprises are not in scope.
  • There is no longer a distinction between operators of essential services (OES) and digital service providers (DSPs). The Institut Luxembourgeois de Régulation (ILR) will keep the list of entities currently in scope.

Entities are treated differently depending on their categorization:

  • Both essential and important entities will have to adhere to the same security requirements and will be subject to an ex-post supervisory regime; essential entities will additionally be subject to an ex-ante supervisory regime (e.g., inspections, random checks, audits, requests for information).
  • Administrative fines will be up to €10 million or 2% of the company’s total global annual turnover.

There are new requirements that:

  • Oblige entities in scope to adopt specific cyber risk management practices;
  • Introduce a two-stage approach to incident reporting; and
  • Strengthen supply chain security.

What are the sectors in scope?

Eleven sectors have been identified as “highly critical” based on the broad and immediate impact on societal functions, public health and the economy if the essential entities within them are compromised. These highly critical sectors can also be seen as a foundation on which other sectors depend, which amplifies the impact of their disruption.

  • Public administration
  • Banking
  • Financial market infrastructures
  • Energy
  • Transport
  • Space
  • Digital infrastructure
  • ICT service management
  • Drinking water
  • Wastewater
  • Health

Seven other sectors have been identified as “critical” based on the significant consequences that would follow the disruption of their important entities.

  • Postal and courier services
  • Manufacturing
  • Production, processing and distribution of food
  • Manufacture, production and distribution of chemicals
  • Waste management
  • Digital providers
  • Research

NIS2: New requirements, new challenges

NIS2 demands a wide range of cybersecurity enhancements, from governance and risk management to technical controls.

Entities that fail to comply with the regulations set forth by the national transposition of the NIS2 Directive will be subject to possible sanctions, including: imposition of deadlines for compliance, withdrawal of certification, mandatory discontinuation, fines or administrative sanctions, and administrative liability.

Requirements

Once it is established that your entity falls under scope, it must register* with the Institut Luxembourgeois de Régulation (ILR) via its dedicated webpage within the time frame the ILR specifies.

*Entities already in scope of NIS1 are not required to register themselves.

Implications

Determination of eligibility and the registration process is the responsibility of the entity.

Requirements

Management bodies must approve the cybersecurity measures, complete training in cybersecurity, and offer similar training to employees.


Implications

Management bodies will assume increased responsibility and will need to play a crucial and active role.

Requirements

It will be mandatory to implement the following:

  • Perform a risk analysis of not only IT risks, but all other relevant risks as well (e.g., HR)
  • Adopt and regularly review information system security policies and procedures to assess the effectiveness of cybersecurity risk-management
  • Consider the use of cryptography and encryption
  • Use multi-factor authentication and secure communication systems
  • Implement basic cyber hygiene practices and cybersecurity training
  • Enhance business continuity


Implications

Compliant cyber risk management will require an all-hazards approach in order to safeguard network and information systems and their physical environment from incidents.

Requirements

Entities must assess the security of their supply chain and perform due diligence when selecting managed security service providers (MSSPs).


Implications

All efforts must be made to ensure a secure supply chain.

Requirements

Entities must adopt a two-stage incident notification mechanism to prevent the spread of attacks and to enrich future resilience plans.


Implications

The competent authority must be notified within 24 hours after a significant incident has been detected.

How Deloitte can help

From assessing the directive’s applicability to designing and implementing a remediation roadmap, Deloitte offers full-cycle support to address the challenges brought by the NIS2 directive.

  • Applicability assessment
  • Readiness assessment
  • Compliance with security requirements
  • Incident reporting guidelines

You must first confirm if the NIS2 requirements apply to you. We can help you:


  • Analyze your organization to check whether it falls under the entities in scope; and
  • Define and detail the NIS2 requirements applicable to your organization while considering the jurisdictional context.

If your organization is subject to requirements of NIS2, you will need to assess your readiness. We can help you:


  • Perform a gap assessment of the NIS2 security requirements, aligning it with other regulations applicable to your organization; and
  • Assess your third-party risk management practices.

If you need support in implementing the enhanced security measures required by NIS2, we can help you:


  • Define a detailed remediation roadmap to mitigate cyber risk and increase compliance; and
  • Assist with implementing the required cybersecurity measures. This notably includes:
    • Shaping and updating the required policies and procedures
    • Providing cybersecurity awareness training for management bodies and staff
    • Selecting and implementing multi-factor authentication (MFA) solutions

If you need help complying with the required two-stage approach to reporting incidents, we can help you:


  • Align your incident reporting process with the new requirements; and
  • Leverage purple teaming to review, test, and improve your mechanisms for detecting security incidents.