Date: 2024-11-14

Welcome to Part II of the NIS2 Directive Series. Part I focused on understanding the NIS2 Directive, what it is, and how it evolved.

However, many CISOs have been reaching out to security providers to understand how NIS2 will affect their organization. Therefore, this article will focus on the regulated sectors, how NIS2 requirements will affect those mandated industries, and what security providers can do to help them prepare and comply.

What Sectors Does NIS2 Apply To?

The revised NIS2 Directive significantly expands the scope of application compared to the original 2016 version and applies to a wider and deeper pool of entities than its predecessor.

NIS2 adds new sectors, broadens the criteria for inclusion of entities, and categorizes in-scope entities as Essential or Important depending on factors such as size, sector, and criticality. The sectors themselves are divided into two groups: “Sectors of High Criticality” (Annex I) and “Other Critical Sectors” (Annex II).

Both categories of entity must meet the same security requirements; they differ in the supervisory measures applied to them and in the penalties they face.

Essential and Important entities are defined by NIS2 as follows:

Essential Entities: Defined as organizations that provide services critical to the functioning of society and the economy, and a disruption in their operations would have significant adverse impacts. Essential entities are subject to stricter obligations under NIS2.

Important Entities: While still critical, these organizations are not considered as fundamental as essential entities. A disruption in their services would have serious consequences, but perhaps not as widespread or severe. Important entities have lighter obligations compared to Essential entities under NIS2.

Entity size classes are defined as follows:

Large Entities: >= 250 employees or more than 50M in revenue

Medium Entities: 50 to 249 employees or more than 10M in revenue

Small & Micro Entities

Lex Specialis: May apply where sectoral regulations are at least equivalent

CER: Entities designated as critical entities under Directive (EU) 2022/2557 (the CER Directive) shall be considered Essential entities under NIS2

Annex I: Sectors of High Criticality (Essential Entities)

Energy

Sectors: Electricity; District Heating & Cooling; Gas; Hydrogen; Oil (including providers of recharging services to end users)

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Transport

Sectors: Air (commercial carriers; airports; Air Traffic Control); Rail (infrastructure and undertakings); Water (transport companies; ports; Vessel Traffic Services); Road (ITS); Special case: Public Transport only if identified as CER

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Banking

Sectors: Credit Institutions (DORA lex specialis)

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Financial Market Infrastructure

Sectors: Trading venues; central counterparties (DORA lex specialis)

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Health

Sectors: Healthcare Providers; EU Reference Laboratories; R&D of medicinal products; Manufacturing of basic pharmaceutical products and preparations; Manufacturing of medical devices critical during a public health emergency

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Drinking Water

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Waste Water

Sectors: Only if it is an essential part of the entity’s general activity

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Digital Infrastructure

Sectors and inclusion (by entity size):

Qualified trust service providers; DNS service providers (excl. root name servers); TLD name registries: Large Entities: Essential; Medium Entities: Essential; Small & Micro Entities: Essential

Providers of public electronic communication networks: Large Entities: Essential; Medium Entities: Essential; Small & Micro Entities: Important

Non-qualified trust service providers: Large Entities: Essential; Medium Entities: Important; Small & Micro Entities: Important

Internet exchange point providers; cloud computing service providers (including ISP and Cloud); data centre service providers; content delivery network providers: Large Entities: Essential; Medium Entities: Essential; Small & Micro Entities: Not in scope

ICT-Service Management (B2B)

Sectors: MSPs; MSSPs

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Public Administration Entities

Sectors and inclusion:

Central Governments (excludes judiciary, parliaments, central banks, defence, national or public security): All Entities: Essential

Regional Governments (risk based; inclusion of local governments is optional for Member States): All Entities: Important

Space

Sectors: Operators of ground-based infrastructure (by Member States)

Inclusion: Large Entities: Essential; Medium Entities: Important

Exclusion: Small & Micro Entities

Annex II: Other Critical Sectors

Postal and Courier Services

Waste Management: Only if principal economic activity

Chemicals: Manufacture, production, distribution

Food: Wholesale and industrial production and processing

Manufacturing: (in vitro diagnostic) medical devices; computer, electronic, optical products; electrical equipment; machinery; motor vehicles, trailers, semi-trailers; other transport equipment (NACE C 26-30)

Digital Providers: Online marketplaces, search engines, social networking platforms

Research: Research organizations (excl. education institutions); optional for Member States: education institutions

Domain Registration: Entities providing domain name registration services

The category an entity belongs to has significant practical implications. Entities classified as Essential are subject to much stricter and proactive oversight, including random inspections, targeted security audits, and requests for proof of compliance. For non-compliance with NIS2, Essential entities may face a fine of up to €10 million or 2% of global annual turnover.

Entities classified as Important are subject to less stringent, largely reactive supervision. For Important entities, the penalties are somewhat lower: up to €7 million or 1.4% of global annual turnover.

How Should Companies Start Preparing for NIS2?

NIS2 requires EU Member States to transpose the Directive into their national legislation by October 17, 2024. So, the deadline is here. For those organizations who are feeling a bit behind the eight ball, companies and other entities can start preparing now by taking the following steps:

Align Practices

Take a strategic approach to assessing cybersecurity readiness and aligning with NIS2. Evaluate current security practices and ensure measures are in place to identify and mitigate potential threats effectively.

Understand Compliance Requirements

Determine whether your organisation falls under NIS2 as Essential or Important, as this defines your obligations. Review how NIS2 is implemented in your country and follow guidance from national cybersecurity authorities to ensure compliance.

Develop Cyber Security Measures

Implement technical, operational, and organisational measures to manage risks and prevent incidents. Offensive security solutions can play a critical role in being proactive and adhering to NIS2 requirements.

The Role of Offensive Security in Complying with NIS2

Offensive security solutions like penetration testing services, attack surface management, and red teaming help to proactively identify vulnerabilities and strengthen defenses, supporting compliance with NIS2.