The NIS 2 Directive

Towards a high common level of cybersecurity in the European Union

On 27 December 2022, the Directive on Measures for a High Common Level of Cybersecurity across the Union (the ‘NIS 2 Directive’) was published in the Official Journal of the European Union. 

The NIS 2 Directive significantly broadens the scope of the original NIS Directive, which has been adopted and in force since 2016, by extending and strengthening cybersecurity requirements across a wider range of industries in the EU. This includes addressing supply chain security, streamlining reporting obligations and introducing strict enforcement requirements. In other words, NIS 2 requires a large number of organisations to implement a comprehensive cybersecurity risk management framework, with the aim of increasing the overall level of cyber resilience within the EU.

Entering into force on 16 January 2023, the directive will have to be transposed into national legislation by October 2024. Shortly thereafter, competent authorities of the member states will ensure compliance oversight and enforce the national implementation law, where necessary through severe administrative penalties and remedial measures. 

Who is affected?

The first new element introduced by NIS 2 concerns the scope of the directive itself, which is significantly broader than its predecessor. Whereas the original NIS Directive merely applied to ‘Operators of Essential Services’ (OES) and ‘Digital Service Providers’ (DSP), NIS 2 applies to ‘essential’ and ‘important’ entities within the EU. 

These entities are considered critical for the EU economy and society and thus include providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services, and public administration, both at central and regional level. 


Interaction with other (sector-specific) cybersecurity legislation

Where sector-specific legislation - such as the Digital Operational Resilience Act (DORA) - requires essential or important entities under NIS 2 to adopt cybersecurity risk-management measures or to notify significant incidents, NIS 2 shall not apply to these entities if the sector-specific requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive. 

If sector-specific legislation does not cover all entities in a specific sector falling within the scope of the NIS 2 Directive, the relevant provisions of NIS 2 shall continue to apply to the entities not covered by the sector-specific legislation.

When will NIS 2 impact my organisation? 

Now that NIS 2 is officially adopted, a significant number of organisations will need to consider, implement and comply with various binding obligations that will materialise after the transposition of the directive into national legislation. 

The following timeline outlines the key phases in the development and enforcement of NIS 2. 

The Commission adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive), repealing the original NIS Directive. 

Following the publication of the proposal, the co-legislators - the European Parliament and Council of the European Union - started the negotiation process, which led to a political agreement in May 2022.

The Council adopted NIS 2 on 28 November 2022, after the European Parliament voted in favour of the act on 10 November 2022.

On 16 January 2023, the Directive on measures for a high common level of cybersecurity across the Union (the ‘NIS 2 Directive’) and the Directive on the resilience of critical entities (the ‘CER Directive’) entered into force.

By 17 October 2024, member states must adopt and publish the transposition measures necessary to comply with the NIS 2 Directive, which shall apply from 18 October 2024 onwards.


How does NIS 2 impact your organisation?

Although national implementation laws are yet to be developed and adopted, the NIS 2 Directive clearly emphasises three major pillars in which organisations will have to step up their efforts in order to ensure compliance. 

Comprehensive cybersecurity risk management

Under NIS 2, organisations are required to take a proactive rather than reactive approach to risk management by introducing strong information security policies to ensure systematic and thorough risk analysis. 

In general, these policies should be designed on the basis of an all-hazard approach, proportional to the risk, size, cost, impact and severity of incidents that individual organisations face.

Taking into consideration this principle of proportionality, organisations are expected to implement industry-accepted and state-of-the-art cybersecurity measures in, among others, the following domains.

Incident prevention, detection and response

Under NIS 2, essential and important entities need to have a robust Incident Management Framework (IMF) in place, which is tested regularly and communicated to all relevant parties. Moreover, the new directive requires organisations to implement clear procedures to prevent attacks, investigate root causes and adopt mitigating measures.

Business continuity and crisis management

Under NIS 2, essential and important entities need to ensure the continuity of their operations in the event of a major (cybersecurity) incident. As such, organisations must implement a comprehensive resilience framework - encompassing business continuity, disaster recovery and crisis management - in order to minimise disruption.

Supply chain security

As supply chain security becomes ever more relevant, NIS 2 requires essential and important entities to engage in Third Party Risk Management (TPRM). Ensuring TPRM across their digital value chains will be a challenging task for organisations and a comprehensive supply chain resilience framework could be warranted.

Incident reporting and supervision

Incident reporting

Under NIS 2, essential and important entities must report, without undue delay, any incident that has a significant impact on the provision of their services to their national Computer Security Incident Response Team (CSIRT) or the appropriate national authority. 

In order to comply with these reporting obligations, organisations must submit: 

  • Early warning: Issued without undue delay and within 24 hours of becoming aware of the incident, stating whether the incident is suspected to have been caused by unlawful or malicious activity or could have cross-border ramifications;

  • Incident notification: Issued without undue delay and within 72 hours of becoming aware of the incident, updating the information provided in the early warning and giving a preliminary evaluation of the incident's severity and effects;

  • Intermediate report: Issued upon request of the CSIRT or the appropriate national authority, highlighting relevant status updates in incident and crisis management;

  • Final report: Must be submitted no later than one month after the incident notification was submitted. A thorough description of the incident, including its root cause, any adopted mitigation strategies and any cross-border effects, must be included in the final report.

Supervisory framework

When compared to its predecessor, NIS 2 provides a tough enforcement framework in order to ensure a higher level of compliance. 

First and foremost, competent national authorities will be able to rely on a robust enforcement and investigation framework, the limits of which depend on the classification of your organisation.

  • Essential entities: Subject to a comprehensive, ex ante supervisory regime, in which the supervisory powers of the national authorities include the ability to conduct random inspections, perform (ad hoc) security audits and request certain information and evidence of compliance.

  • Important entities: Subject to a lighter, ex post supervisory regime that applies in the event of evidence and/or indications of non-compliance.

Enforcement and management liability

Management responsibility and liability

Under NIS 2, the management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements by their organisation.

In this context, all members of management bodies will also be required to follow training on a regular basis in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by their organisation.

Enforcement

Under NIS 2, member states must provide the appropriate national authority with the discretionary power to impose considerable fines on organisations that do not comply with the national transposition laws.

  • Essential entities: At least up to €10 million or 2% of their worldwide annual turnover

  • Important entities: At least up to €7 million or 1.4% of their worldwide annual turnover

How can PwC assist your organisation? 

PwC can assist your organisation along the entire resilience journey towards compliance with NIS 2. Through our Regulatory Readiness Assessment Framework (RRAF), we can advise you in defining your current readiness and assist you in the implementation of measures to meet the regulatory requirements under NIS 2.

Now that NIS 2 is formally adopted, all entities within scope need to plan for the task of preparing for and anticipating the national transposition measures to come. Getting a head start will allow the timely identification of any areas that require substantial investment and prioritisation.

While NIS 2 aims to harmonise regulatory requirements on cybersecurity risk management and reporting methods, many of its obligations were already introduced in its predecessor and can be found in existing national regulations and international standards regarding cybersecurity and data protection. 

That being said, the devil is - as always - in the details and it will be essential for all entities in scope of the NIS 2 Directive to undertake a gap assessment and establish a strategy to achieve compliance within the 21-month preparation period.

How we can help

We can help you build a secure digital strategy through a combination of both offensive and defensive cyber security services from within our five main pillars:

Our services include the following:

  • Cyber Strategy Design & Implementation

  • Cyber Governance and Risk Management

  • Policy Framework Design and Review

  • Regulatory Compliance assessments and advisory (DORA, NIS 2, MFSA ICT, GDPR)

  • Cyber Gap assessments with PCI-DSS, ISO 27001, CIS controls, and other cyber standards

  • Cyber Maturity Assessments and Health Checks with NIST CSF, CMMC, CMMI, and other cyber standards

  • ISO 27001 and cyber frameworks implementation

  • SWIFT CSP Assessments & Attestation

  • Cyber risk assessment, reporting and communication

  • Third Party/Vendor Management and cyber due diligence (supply chain cyber risks management)

  • Cyber Deals and Due Diligence

  • Cyber Security Awareness Training

Our services include the following:

  • Threat Intelligence and Modeling

  • Incident Readiness and Response

  • Penetration Testing

  • Crisis Management

  • Forensics and Investigations

  • Ransomware Readiness Assessment

Our services include the following:

  • Privacy Strategy, Regulation, and Compliance

  • Information Governance and Records Management

  • Data Discovery

  • Data Protection Audits

  • Handling of data protection incidents and breaches

  • DPIA development/design

  • Periodical review of internal policies and controller-processor agreements

  • Training and awareness for staff

  • DSAR handling

Our services include the following:

  • Identity & Access Management

  • Enterprise Security Architecture and Network/Infrastructure Security (ZT, IoT, OT)

  • Cloud Security

  • Enterprise Visibility and Security Operations (SIEM/SOAR/Fusion)

Our services include the following:

  • Threat Detection and Response

  • Vulnerability Management

  • Identity and Access Operations

  • GRC and High-Volume Assessments

  • Device Management and Compliance

Contact us

Bruno Curcija

Director, Risk Assurance Services, PwC Croatia

Igor Hitrec

Senior Manager, Risk Assurance Services, PwC Croatia