NIS 2 Directive - The requirements

What are the requirements of the NIS 2 Directive?

Hereinafter, the rules and obligations that the directive formulates for entities falling within its scope are presented.

For entities specified within its scope, the NIS 2 Directive defines rules and obligations on governance, cybersecurity risk management, and security incident reporting. These are elaborated below.

Under the heading "Governance", the NIS 2 Directive requires that the members of the management bodies of entities falling within its scope follow training to gain sufficient knowledge and skills to identify cybersecurity risks and to assess cybersecurity risk management practices and their impact on the services provided by the entity. The management bodies are obligated to approve the necessary risk treatment measures and to oversee their implementation, and they are liable for infringements by the entity in this regard.

The core requirements of the NIS 2 Directive for the entities within its scope relate to the management of cybersecurity risks. The directive's stated objective is the implementation of measures that ensure a level of security appropriate to the risks posed, in order to manage the risks to the systems which the entities use for their operations or for the provision of their services, and to prevent or minimize the impact of security incidents on the recipients of their services and on other services.

The technical, operational, and organizational measures to be taken shall be effective, proportionate, and based on an all-hazards approach, covering both the systems themselves and their physical environment. They shall take into account the state of the art and the relevant European and international standards.
The assessment of the proportionality of the measures shall consider the degree of the entity's exposure to risks, the likelihood of occurrence and the impact of security incidents, as well as the cost of their implementation.

The risk management measures shall cover at least the following topics: information security policy, risk management policy, risk treatment effectiveness assessment, asset management, human resources security, product lifecycle security, supply chain security, regular training, cyber hygiene practices, access control, multi-factor and continuous authentication, secure communications, cryptography, security incident handling, as well as business continuity and crisis management.

As a further requirement for the entities within its scope, the NIS 2 Directive prescribes the reporting of significant security incidents. A security incident is considered significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity concerned, or severe material or non-material damage to third parties. Within 24 hours of becoming aware of such an incident, an early warning shall be issued. Not later than 72 hours after becoming aware of the incident, a notification shall be provided as an update to the early warning and as an initial assessment. Within one month of the provision of the notification, a final report shall be submitted, containing a detailed description of the incident. If the incident is still ongoing at that time, a progress report shall be provided instead, and the final report shall be submitted within one month of the handling of the incident.

While the requirements of the NIS 2 Directive apply equally to all entities specified within its scope, the directive distinguishes between so-called essential and important entities with regard to supervisory and enforcement measures as well as the imposition of administrative fines.
By default, an entity within the scope of the directive is considered essential if the type of the entity is explicitly mentioned in a sector of high criticality and it qualifies as large in terms of size. Otherwise, it is considered important by default. As with the definition of the scope of the directive itself, there are exceptions to this differentiation, where certain entities are classified as essential in deviation from the default rule.

For important entities, the NIS 2 Directive requires ex post supervisory measures when the competent authorities are provided with evidence, indication, or information that the entity allegedly does not comply with the directive, and sets a maximum amount for administrative fines of 1.4 % of the worldwide annual turnover (but at least EUR 7 million). For essential entities, the directive additionally requires ex ante supervisory measures, such as requesting information or evidence, requesting regular external security audits, or conducting on-site inspections, and sets a maximum amount for administrative fines of 2.0 % of the worldwide annual turnover (but at least EUR 10 million).