How Businesses Can Comply With NIS 2 Ahead Of Its October Implementation Deadline

Just over a month remains for European countries and businesses to prepare for the enforcement of the second iteration of the European Union’s Network and Information Systems (NIS) directive.  

The law, set to be implemented by October 17th, 2024, aims to improve each EU member state’s ability to tackle cybercrime, facilitate block-wide cybersecurity intelligence sharing and cooperation, and ensure businesses in critical sectors take cybersecurity seriously. But what does this mean in practice? 

A Broader Approach To Cybersecurity Risk Management

When the EU introduced the original NIS Directive in 2016, it aimed to shore up critical infrastructure cybersecurity across the political bloc.  

However, recognising that cybersecurity threats have increased dramatically over the past few years and now impact virtually every industry, European lawmakers have expanded the scope of the NIS requirements in the second version of the directive.  

NIS2 covers a broader range of industries — including food production, waste management, postal services, research, manufacturing, aerospace, public administration, and many others — and considers the supply chain security risk created by digital service providers.  

It splits sectors into two areas: essential and important. The “essential” label describes highly critical industries like energy and financial services, previously outlined in NIS1. These organisations will employ over 250 people and generate revenue of more than €50 million a year.  

On the other hand, the “important” category covers an additional range of vital industries, such as postal and courier services and research organisations. Businesses in this category will generally be medium-sized, employing over 50 people and generating yearly revenue of more than €10 million.  

Under this law, EU member states must also ensure they are prepared to handle serious cybersecurity incidents. Namely, they must establish cyber incident response teams and a national network and information systems (NIS) authority. Through the NIS Cooperation Group, the directive aims to improve collaboration and intelligence sharing between member states on cybersecurity matters. 

Nick Palmer, a solutions engineer at threat intelligence platform Censys, describes NIS 2 as an upgraded version of NIS 1 that aims to improve the collective cybersecurity of every EU member state. He tells ISMS.online:  “It’s designed to tackle some gaps and mismatches that came to light with the original rules. As our digital world grows and cyber threats get more sophisticated, the EU realised it needed to strengthen its defences.” 

 As part of a more comprehensive cybersecurity approach across the EU, Ed Parsons — VP of global markets and member relations at non-profit ISC2 — explains that it includes risk management, corporate accountability, incident reporting and business continuity planning requirements. He says: “Key security practices mandated by NIS 2 include supply chain security, network protection, encryption, multi-factor authentication, vulnerability management, and cybersecurity training.” 

Why Compliance Is Paramount

Because cybersecurity threats are rapidly increasing in volume and sophistication worldwide, some experts believe complying with NIS 2 is in the best interests of businesses across all industries.   

Dave Joyce, CEO of data recovery software provider Macrium, says its approach to cross-sector cyber resilience seems genuine in light of today’s complex online threat landscape. He is particularly encouraged by its “comprehensive approach to cybersecurity” in the corporate landscape, adding that it doesn’t just focus on “known threats”.  

“NIS 2 emphasises securing the entire supply chain and carefully considering how suppliers handle data—a concern highlighted by incidents like the CrowdStrike breach, which exposed gaps in disaster recovery practices,” explains Joyce.  

Joyce says compliance is the key to maintaining business continuity, customer trust and EU market access, as well as avoiding fines of up to €10 million or 2% of yearly international revenue. He continues: “Ultimately, NIS 2 compliance fosters a safer digital environment and contributes to a more secure global cyber ecosystem.” 

Palmer of Censys is another firm believer in the NIS 2 directive and its positive impact on the European business landscape. He points out that following these robust requirements will lower the chances of businesses falling victim to cybercrime and the fallout that would ensue, such as disrupted operations, reputational damage and financial loss. 

“Compliance also plays a vital role in building and maintaining trust with customers, partners, and stakeholders, as it demonstrates a commitment to data security and operational resilience,” he says. “In the competitive EU market, non-compliance could result in being cut off from lucrative opportunities or losing contracts to more compliant competitors.” 

Meanwhile, Parsons of ISC2 argues that NIS 2 adherence will better prepare businesses to deal with emerging cyber threats, boost their overall understanding of cybersecurity incidents and how they can impact day-to-day operations, and help them establish a seamless process for responding to and reporting threats.  

How NIS2 Applies To UK Organisations

Although the UK has left the EU, the NIS 2 directive will still affect many British firms. According to Ann Keefe, regional director of UK & Ireland at IT firm Kingston Technology, this includes UK-based firms that trade with EU member states. She says they must follow NIS 2 requirements if “they don’t want to be caught out” by EU regulators.  

However, even if a British firm doesn’t have EU business interests, following the comprehensive NIS 2 requirements could be in their best interests. Rob O’Connor, technology lead and CISO of EMEA at global tech firm Insight, points out that the UK’s upcoming Cyber Security and Resilience Bill will have some crossover with NIS 2. He suggests adopting the NIS 2 standards could be a “cost-effective” way to deal with rising cybersecurity risks.  

For UK organisations impacted by the NIS 2 security risk management and reporting requirements, Palmer of Censys says they will need to implement sophisticated cybersecurity measures, conduct regular risk assessments, and ensure the security of their supply chains.  

“They need to report significant security incidents to EU authorities within strict timeframes, cooperate during investigations, and may need to appoint an EU representative to manage regulatory communications,” he says. “Contracts with EU clients should include NIS 2 compliance clauses, ensuring that the organisation meets legal obligations and protects against cyber threats.” 

Preparing For NIS 2

With the NIS 2 compliance deadline quickly approaching, businesses that haven’t started preparing for its arrival must do so now. But what steps does this involve? According to Parsons of ISC2, the first step is to determine whether a company needs to comply with NIS 2 itself or whether the law applies to its suppliers.  

To do this, he says they must assess whether the business operates in an “essential” or “important” sector per the NIS definitions. Parsons adds that companies subject to the NIS directives must then identify and mitigate cybersecurity risks as part of a wide-ranging risk assessment.  

“Based on the risk assessment, appropriate technical and organisational measures must be implemented. Companies need to prepare for incidents by creating response plans and processes for reporting significant incidents to relevant authorities,” he says. 

Echoing similar thoughts, Joyce of Macrium urges businesses to assess their cyber posture and ask themselves whether they currently have the means to recover from an incident as quickly as possible.  

If not, he recommends implementing a cyber incident recovery plan reinforced with a backup solution, recovery point objectives (RPO) and recovery time objectives (RTO). RPO refers to the maximum data loss a business can sustain following a cyber attack, while RTO is the maximum time companies can manage without IT networks and services.  

As NIS 2 focuses specifically on supply chain security risks, Joyce advises businesses to evaluate how their suppliers and partners approach cybersecurity matters. He also adds that companies must teach their staff how to identify and report cybersecurity threats, adding that “clear structures for responsibility and reporting are essential.”  

He concludes: “Compliance is not a one-off task; it requires ongoing maintenance and vigilance, so businesses should stay informed about evolving requirements and foster a culture of continuous improvement in cyber resilience.”