NIS 2 Overview


The NIS 2 Directive (Network and Information Security Directive 2) is an updated European Union (EU) cybersecurity regulation that strengthens and expands the scope of the original NIS Directive (2016).
It aims to improve the cybersecurity level of critical and important sectors across the EU.

Below is the roadmap with the main steps to follow towards NIS 2 compliance:

  • January 16, 2023 - NIS 2 Officially Enters into Force

  • By October 17, 2024 - Transposition into National Law

  • Late 2024 - Early 2025 - Designation of Essential & Important Entities
    Organizations must determine whether they fall under the scope of NIS 2 based on their sector and size, and must register on the portal of their national cybersecurity agency.
    The registration deadlines vary from country to country, depending on the provisions adopted in each national transposition.

    In Italy, for example, companies subject to NIS 2 must register on the digital platform of the Agency for National Cybersecurity (ACN) no later than 28 February 2025.
    Late or missing registration is punishable by administrative sanctions (0.07% - 0.1% of annual worldwide turnover).

  • By end 2025 - Full Compliance Requirements Begin
    Organizations must implement the obligations of the directive.
    Note that this also applies to companies that are not directly subject to NIS 2 but are part of the digital service chain of an NIS 2 entity.

  • 2026 and beyond - Enforcement & Monitoring
    Authorities will oversee (audit) the compliance of organizations with their NIS 2 obligations.

Scope

The NIS 2 Directive applies to a wide range of organizations covering both essential and important entities in critical sectors:

  • Essential Entities are the organizations playing a critical role in maintaining social and economic stability, like:

    Energy (electricity, oil, gas, hydrogen), Transport (air, rail, road, maritime), Banking & Financial Market Infrastructure, Healthcare (hospitals, medical device manufacturers, pharmaceuticals), Drinking Water & Wastewater Management, Digital Infrastructure (cloud providers, DNS services, data centers), Public Administration (central and regional government bodies), Space (satellite services, ground stations)

  • Important Entities are the organizations providing essential services but with a lower impact on society than essential entities, like:
    Postal & Courier Services, Waste Management, Chemical Industry, Food Production & Distribution, Manufacturing (electronics, machinery, vehicles), Digital Providers (social networks, online marketplaces), Research & Development

Furthermore, to be subject to the directive, important entities must have at least 50 employees or a turnover of at least EUR 10 million.

Directive Obligations

Below are the main obligations that an NIS 2 organization must fulfil.

Risk management and security measures

  • Implement risk analysis and security policies for information systems.

  • Adopt incident management measures, ensuring business continuity through backups and disaster recovery plans.

  • Ensure supply chain security, including supplier and partner relationship management.

  • Ensure security in the acquisition, development and maintenance of computer and network systems, including vulnerability management.

  • Establish strategies and procedures to assess the effectiveness of cybersecurity risk management measures.

  • Adopt basic digital hygiene practices and provide cybersecurity training to staff.

  • Establish policies and procedures related to the use of encryption and ensure the security of human resources, access control strategies and asset management.

  • Implement all necessary countermeasures (e.g. cryptography, MFA, network isolation, WAF) to prevent security incidents.

Incident reporting

  • Promptly report significant IT security incidents to the relevant authorities and, where applicable, to the NIS 2 organizations concerned.

  • File an early warning within 24 hours of identifying the incident and a full notification within 72 hours.

Management's responsibility

  • Management must supervise and approve the cybersecurity measures taken.

  • Ensure that management receives appropriate training in cybersecurity.

  • Be aware that violations may result in sanctions for management and potential temporary bans from management roles.

Supply Chain Responsibility

As stated in NIS 2 - Article 21(2)(d), the organization is responsible for supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; this includes the Servitly DPS.

How can Servitly help you?

Servitly will be happy to support you by providing all the information you need about the Servitly DPS for your NIS 2 compliance.
In any case, we recommend that you seek advice from a specialized consultancy firm.

Helpful Resources