Cybersecurity: How to prepare for the NIS2 Directive

– Mia Louise Bukholt, Principal Cybersecurity Consultant, & Michael Rask Christensen, Principal Cybersecurity Consultant, NNIT

The EU’s NIS2 Directive makes the cybersecurity requirements companies have to fulfil more stringent. The extensive new rules will apply to far more companies and sectors, and breaches will incur larger fines. We explain how you can prepare for the new requirements below.

In our digital age, cybersecurity threats are a major concern for businesses, governments, and individuals. This is why the EU is updating the previous NIS Directive to NIS2. We give you and your company answers to some of the most pressing questions about the far-reaching directive below.

What is the NIS2 Directive?

NIS2 expands cybersecurity requirements and sanctions in order to harmonize and streamline the level of security across member states. The directive builds on the EU’s previous cybersecurity rules from 2016 (NIS), and expands the number of companies and sectors deemed to be critical to society.

At the same time as requirements for cyber preparedness are being raised for companies, the potential sanctions are also increasing, and member states also have to ramp up monitoring of compliance with the rules.

The NIS2 Directive means your company has to prepare for new and stricter requirements regarding management responsibility for risk management, business continuity, and reporting to the authorities.

Who is covered by the NIS2 Directive?

NIS2 will apply to far more companies than previously. The old directive covered companies in seven sectors. The new rules will apply to 16-18 sectors. The table at the bottom of this page shows the sectors covered.

According to a survey conducted by the Danish Industry Foundation, over 1,000 Danish companies will be covered by NIS2 (whereas only 150 companies were previously covered). One reason why the group of covered companies is expanding is because the directive introduces supply chain responsibility. This means that suppliers to NIS2 companies must be able to account for their handling of IT security.

What requirements does NIS2 place on your business?

NIS2 sets a number of ‘minimum requirements’ that must be met. Member states may choose to set higher standards than these minimum requirements. Companies in the energy sector, for example, are already subject to stricter requirements than those described in NIS and in the upcoming NIS2.

The directive can be broadly divided into four categories:

When does NIS2 take effect?

The directive was adopted at the end of 2022. EU member states have 21 months to implement the directive in their own legislation. Member states must therefore have national legislation in place by 17 October 2024.

It is not yet known when the executive orders will be in place in Denmark, but NNIT strongly recommends that companies begin preparing as soon as possible.

What happens to companies that fail to comply with NIS2?

The fines under the NIS2 Directive have been significantly increased. The size of the fines depends on whether your company belongs to the ‘sectors of high criticality’ category or ‘other critical sectors’ (see the table below). Fines of up to €10,000,000 or 2% of total international turnover can be imposed on companies in the first category. For the second category, fines can be up to €7,000,000 or 1.4% of total international turnover.

It can also be costly for companies that wait too long to start preparing for NIS2. The work will be time and resource-intensive, particularly for companies that have not previously been covered.

What can your company do to prepare for NIS2?

If your company is (or might be) covered by the NIS2 Directive, we encourage you to get started as soon as possible.

We recommend that your company addresses these points:

1. Are you covered or not?
A first step is to determine whether your company is covered by the NIS2 Directive, i.e. if you work in the critical sectors that are subject to cybersecurity requirements (see the table below). If your company was covered by the previous directive (NIS), you can start by doing a gap analysis to determine what is lacking. Even if your company is not directly covered, you might still be impacted if you are a supplier to a company in one of the critical sectors.

2. Create an overview of your business processes.
Once you have determined that you are covered by NIS2, start by creating an overview of your business processes related to information security. This will enable you to assess risk in each process, so you get an idea of where the risk of a severe incident is greatest. Use this risk assessment to prioritize cybersecurity for key processes (and make plans for processes you cannot address in this round).

3. Make an implementation and maintenance plan.
You do not have to address all areas immediately, but you have to be able to show the authorities that you have a plan for the business processes and systems that have not yet been made secure. You have to be able to show that you systematically monitor and address any cyber threats that arise.

4. Implement the planned security measures.
Remember that the aim of NIS2 is to increase cybersecurity for important European companies. You must therefore make sure to implement security measures when weaknesses are identified. Cybercriminals will not be stopped by detailed plans, but only by effected measures.

A good way to ensure your company meets the NIS2 requirements is to attain ISO 27001 certification (the NIS2 Directive specifically refers to ISO 27001). If you want an indication of how secure your IT infrastructure is, you can follow the 18 CIS Critical Security Controls, which list good measuring points.

How will the NIS2 Directive be enforced by the authorities?

Under NIS2, the authorities in Denmark will be expected to more strictly monitor compliance with the directive by the companies that are subject to it. The authorities have to monitor that these companies:

• Have formulated cybersecurity policies
• Ensure that cyber incidents are handled
• Have a business continuity plan—i.e. a plan for how operations can be restored if one or more critical systems are put out of action
• Are managing their supply chain responsibility—i.e. compliance by their suppliers with the NIS2 requirements.
• Regularly conduct (and undergo) risk assessments of their IT systems
• Have secured their IT systems (security, network, and information systems)
• Undertake employee cybersecurity and compliance training.

Overview: Which sectors are covered by NIS?

The directive divides the companies (or entities) covered into two categories: ‘sectors of high criticality’ and ‘other critical sectors’.

Can we help you?

NNIT is ready to help your company prepare for NIS2. Whether you need gap analysis of what you lack in order to comply with the legislation, risk assessment of your cybersecurity, or implementation of systems such as Zero Trust cybersecurity, NNIT’s security experts can help you.

We work with leading partners such as Microsoft, Cisco, and Palo Alto to assess and secure your infrastructure and data, based on your unique risk profile.