
NIS 2 Directive (EU) 2022/2555

The new EU directive to strengthen the cyber resilience of the European Union: which organizations it applies to, what it requires, and how Rheintec supports you in complying

Which organizations NIS2 applies to

The NIS 2 Directive mandates compliance for a wide range of sectors, categorized into Essential and Important Entities. Essential Entities include critical sectors such as healthcare, energy, and digital infrastructure, while Important Entities encompass areas like postal services and food production. Healthcare organizations, due to their critical nature, fall under the Essential Entities category, necessitating stringent cybersecurity measures.

To determine whether your healthcare organization needs to comply, consider factors such as the number of employees and annual turnover. Essential Entities typically have over 250 employees or an annual turnover exceeding €50 million. Identifying your entity status is the first step towards compliance, ensuring that the necessary measures are implemented to meet the directive’s standards.

Essential Entities

  • Size of the organization: 250+ employees, or 50 million Euro annualized revenue, or a balance sheet of 43 million Euro
  • Industry: Energy; Transportation; Banking; Financial markets infrastructure; Healthcare; Drinking water; Waste water; Digital infrastructure; ICT service management; Public administration (except judiciary, parliament and central banks)

Important Entities

  • Size of the organization: 50+ employees, or 10 million Euro annualized revenue, or a balance sheet of 10 million Euro
  • Industry: Post and courier services; Waste management; Manufacturing, production and distribution of chemicals; Food manufacturing, processing and distribution; Manufacturing of medical devices & electronic products; Digital solutions; Research and development

Requirements of NIS2

In short, NIS 2 requires the establishment of an Information Security Management System (ISMS) that aligns with the directive's requirements. An effective ISMS ensures comprehensive management of cybersecurity risks and the protection of sensitive or confidential data.

Here is a short overview of the main requirements that must be fulfilled by companies that fall into the scope of NIS2:

  • Cybersecurity risk management and policies for information systems
  • Policies and procedures for the use of cryptography and, where relevant, encryption, covering voice, video and text encryption and, where appropriate, encrypted internal emergency communication
  • Information and Communication Technology (ICT) supply chain risk management: security around the procurement of systems and the development and operation of systems. This means having policies in place for assessing and qualifying third parties for their suitability
  • Defined policies and processes for logical and physical access management: how access is granted and also revoked in a controlled manner
  • The use of multi-factor authentication or continuous authentication solutions
  • Policies and procedures for evaluating the effectiveness of security measures; in other words, defining key performance indicators, regular reporting and conducting internal audits
  • Cybersecurity incident handling and reporting: companies must define processes for reporting, assessing and taking appropriate action on cybersecurity incidents. Significant incidents must be reported to the applicable authorities within 24 hours
  • Cyber hygiene and awareness: basic cyber hygiene practices such as conducting regular awareness training, clear screen and clear desk policies, patch management and vulnerability management, as well as conducting regular reviews of access permissions
  • Backup and disaster recovery (business continuity management): establishing backups, including an overview of where backups are performed, at what intervals, and how long it takes to recover systems affected by a disaster. An important aspect is to determine what an acceptable (tolerable) duration of unavailability would be, and to test the recovery process so that systems can be recovered within a timeframe below that limit
  • Asset management: identification of hardware, software and information assets, including their classification. Assets should be classified based on their importance to the organization; this classification forms the basis for the security measures and controls implemented to protect them


How Rheintec supports your organization

Rheintec applies an integrated approach to establishing Information Security Management Systems (ISMS). With our proven track record, we provide hands-on consulting services to support and guide you through the process.

Our goal is to embed the ISMS in your existing business processes, thereby increasing the adoption of NIS 2 requirements, governed practices and controls across your whole organization and its employees.


Roadmap to NIS2 Compliance

NIS 2 Timeline

If you’re following NIS2 as a covered organisation, you should keep the following dates in mind. Some of them will directly impact your day-to-day practices, while others could make it easier to maintain compliance by sharing new peer insight.

  • 14 December 2022: The NIS2 Directive is adopted by the European Parliament and the Council
    • The new directive expanded the scope of NIS1, adding further sectors, and laid out new expectations for cybersecurity
  • 17 July 2024: The deadline for EU-CyCLONe to submit a report to the European Parliament and the Council
    • The European Union Cyber Crisis Liaison Organisation Network (EU-CyCLONe), established in 2020, supports operational coordination and management of significant cybersecurity incidents with potential cross-border implications in the EU.
    • EU-CyCLONe will be required to submit reports every 18 months thereafter. That means you can expect new EU-CyCLONe reports on or by 17 January 2026, 17 July 2027, 17 January 2029, and so on.
  • 17 October 2024: Member States are required to transpose NIS2 into their national laws
    • Each EU Member State is obliged to transpose NIS2 into its national laws, including what kind of penalties its enforcing bodies will impose on noncompliant organisations.
    • When your Member State transposes NIS2, your business will need to implement compliance policies, standards, and controls that meet those regulatory expectations.
    • Several EU Member States experienced delays in transposing NIS2 into applicable national law; nevertheless, the clock is running for organisations in scope to comply with the NIS 2 requirements
  • 18 October 2024: NIS1 is repealed and fully replaced by NIS2.
    • More organisations are covered by more rules with more potential penalties.
  • 17 January 2025: The NIS Cooperation Group will establish methodologies for NIS2 peer reviews.
    • The Cooperation Group is made up of representatives of Member States, the European Commission, and ENISA. It’s responsible for providing guidance on transposing NIS2, sharing best practices, raising awareness, developing training, reporting, and more explicit tasks to help Member States and related bodies stay on top of NIS2. The outcome of the Cooperation Group’s peer reviews may influence how Member States implement the requirements of NIS2.
    • Businesses in the EU could learn new best practices from the Cooperation Group’s work and ongoing reporting.
  • 17 April 2025: Member States must deliver a list of essential and important entities to the European Commission and the Cooperation Group and update it at least every two years.
    • If your organisation is classified as an essential or important entity, you should expect increased regulatory scrutiny.
  • 17 October 2027: The European Commission will report on the functioning of NIS2 to Parliament and the Council.
    • This report is likely to include overall compliance statistics, including percentages of covered organisations that maintain compliance and gaps in implementation, in order to plan updates to NIS2.
    • Depending on the outcome of this report, your organisation could have additional NIS2 requirements after 17 October 2027.
    • The European Commission will be required to submit this report every three years thereafter. That means you can expect new NIS2 updates on or by 17 October 2030, 17 October 2033, 17 October 2036, and so on.


Potential penalties for noncompliant organizations

Non-compliance with the NIS 2 Directive can result in significant penalties, including fines that can reach up to 2% of the organization’s annual turnover. To avoid such penalties, healthcare organizations must ensure full compliance with the directive’s requirements. This involves a proactive approach to cybersecurity, including regular audits, continuous monitoring, and updating of security measures.

Investing in cybersecurity not only helps in avoiding penalties but also strengthens the overall security framework of the organization. By adhering to the NIS 2 Directive, healthcare providers can protect their digital infrastructure, ensure the privacy of patient data, and build trust with stakeholders. Early preparation and compliance with NIS 2 are strategic moves that contribute to the long-term stability and security of healthcare organizations.


Helpful links and reads

Is your organization in scope of NIS2 and seeking guidance?

Unsure if NIS2 applies to your business?

Schedule a free meeting with one of our consultants to find out and discover how we can support you to consistently achieve NIS2 compliance.