Understanding the NIS2 regulation

Enhancing cybersecurity: NIS2 and its implications

In 2023 alone, nearly 10,000 unique risk profiles were added to Moody's intelligent screening database with a cyber related risk code. The NIS2 Directive is the EU's most recent legislative framework to enhance cybersecurity across the bloc. NIS2 builds on and replaces the original NIS Directive, expanding its scope and strengthening requirements to better address changing cyberthreats. NIS2 addresses several limitations of its predecessor by expanding the scope to cover more sectors and entities, introducing stricter security and reporting obligations, improving collaboration across borders, and enforcing stronger penalties to boost the EU's cybersecurity resilience.

The main goals of NIS2 are to:

Encourage cooperation and information sharing
Increase cyber-resilience across the EU
Streamline cybersecurity practices
Improve the EU's preparedness to deal with cyberattacks

By expanding its scope, introducing stricter requirements, and enforcing stronger penalties, NIS2 aims to create a more resilient digital environment. Organizations must act now to assess their current practices, develop comprehensive compliance strategies, and put in place the necessary security measures.
Implications of the directive

NIS2 provides comprehensive cybersecurity legislation across the EU thanks to its broad scope and stringent requirements. It affects more than 100,000 large and medium-sized entities across various sectors – a significant increase from the original NIS directive.

NIS2 also expands sector coverage to include essential and important entities across industries like energy, transport, banking and financial market infrastructures, health, drinking water, digital infrastructure, public administration, and space.

The directive requires relevant organizations to have appropriate technical, operational, and organizational measures in place to adequately manage cybersecurity risks. These include risk assessment and management, incident response and reporting, supply chain security, use of encryption and multi-factor authentication, as well as vulnerability handling and disclosure.
Essential sectors vs. important sectors chart

Related acts - Key differences between NIS2 and DORA

As discussed, NIS2 impacts a wide range of sectors however, there is another act – Digital Operational Resilience Act (DORA) – that focuses solely on the financial sector. It addresses the unique vulnerabilities and high stakes associated with financial operations. NIS2 extends its reach, and this expansion reflects the recognition of the interconnectedness and critical nature of sectors in today's business world.

Both aim to enhance cybersecurity, but DORA specifically emphasizes operational resilience in financial services.

Key differences between NIS2 and DORA include:

Scope; NIS2 covers multiple sectors while DORA is specifically for financial services
Implementation timeline, DORA applies from January 2025, whereas member states were required to transpose the NIS2 directive into national law by October 2024
Penalties, with NIS2 having higher maximum fines compared with DORA

Despite the October 17, 2024, deadline, only a limited number of EU countries, including Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania, had transposed the directive into national law by this date. While several other member states, including France and Germany, had their drafts underway. According to the Directive: “Continued non-compliance could eventually lead to the case being referred to the Court of Justice of the European Union, which can impose financial penalties.”
NIS2 compliance and reporting requirements

NIS2 introduces a three-stage reporting process for what are termed “significant incidents”. This process includes an early warning within 24 hours of the discovery of an incident, an incident notification within 72 hours providing an initial assessment, and a final report within one month detailing the incident and mitigation efforts.

NIS2 has introduced some significant fines for non-compliance. Essential entities (such as trust service providers or public administration entities) could face fines of up to €10m or 2% of global annual turnover, whichever is higher. For important entities (all other entities that fit the criteria for NIS2), the maximum penalties are €7m or 1.4% of global annual turnover, whichever is higher.

5 considerations for achieving NIS2 compliance

Obliged organizations should conduct a comprehensive risk assessment to identify vulnerabilities and potential threats related to cybersecurity. This process involves evaluating the likelihood and impact of various cyberthreats to prioritize their security measures and response.

To do this, a robust governance framework needs to be put in place, along with a detailed implementation plan, required security measures, and regularly reviewed/updated cybersecurity practices. Businesses should also try and ensure that third party partners also comply.

Key measures include implementing strong access controls and authentication methods, ensuring supply chain security, conducting regular security audits and penetration testing, and providing ongoing cybersecurity training for employees.

Businesses need to address these 5 considerations:

Developing a thorough ICT risk management plan
Defining a transparent and robust incident reporting mechanism
Running regular resilience testing and adjustment of risk maps accordingly
Monitoring
Updates according to regulatory changes and training requirements

Identity and access management also play a crucial role in NIS2 compliance. Organizations must put in place robust authentication methods and privilege principles to reduce the risk of unauthorized systems access and data breaches.

Future considerations

To prepare for NIS2, organizations need to carefully assess their current cybersecurity posture, identify gaps in compliance, develop a roadmap for implementing necessary changes, and engage with senior management to ensure buy-in and support, and invest in training and awareness programs for employees.

Yes, there are several key challenges to implementing NIS2, including interpreting and applying the directive's requirements, allocating sufficient resources for compliance, integrating NIS2 requirements with existing security frameworks, and ensuring consistency across different EU member states. However, the directive is another step towards increased cybersecurity in a digitally-driven world.

How Moody's can help

Moody's offers a range of solutions to help companies meet NIS2 compliance requirements. Through advanced, automated compliance and third-party risk management capabilities, Moody's can help optimize entity verification, onboarding, risk monitoring, and other critical processes related to third-party risk management.

Moody's AI-powered risk intelligence and data analytics tools enable organizations to assess and understand cybersecurity risks more effectively. Moody's also provides global datasets to support a clearer picture of third-party risks – crucial for supplier-related security under NIS2.