The deadline to get compliant with the EU’s NIS 2 Directive is here. And this isn’t just a minor update from its NIS 1 predecessor—it’s a major expansion that carries with it new challenges and obligations.

The directive now covers a whopping 300,000 organizations, up from just 20,000 under NIS 1. Sectors like aerospace, public administration, digital services, postal and courier services, and food production are now included. Organizations are classified into “essential” or “important” entities based on size and criticality to the economy.

Security teams need to determine where their organization fits. If your company is classified as essential, with more than 250 employees or €50 million in revenue, you’re looking at regular security audits and ongoing monitoring. Important entities will face audits, but only when there’s suspicion of violations.

Regardless of where your company is classified, it’s critical to know what the new mandates entail and what areas of security they will impact.

Supply Chain Security and Risk Management

Software supply chain attacks have become a major concern. Gartner recently released a report, entitled “Mitigate Enterprise Software Supply Chain Security Risks” that supports echoing this sentiment. They project a 200% rise in the cost of these attacks to $138 billion by 2031. Even more alarming statistics reveal that nearly two-thirds of U.S. businesses fell victim to such breaches between May 2022 and April 2023.

And these risks are all too real. High-profile incidents like the SolarWinds Orion attack in 2020, which compromised 18,000 organizations globally, the Kaseya ransomware attack of 2021 affecting up to 1,500 businesses, and the far-reaching Log4j vulnerability have demonstrated just how exposed our software supply chains are—and the devastating consequences that follow.

To mitigate these challenges, the NIS 2 is placing a strong emphasis on securing ICT supply chains, Security teams must now assess the risks posed by third-party service providers and suppliers, ensuring they have robust cybersecurity policies in place. It’s not just about internal security anymore—it’s about the entire ecosystem of partners your organization relies on.

Companies should review and update contracts with suppliers to include cybersecurity risk management clauses. They should make sure vendors are meeting the same security standards as your organization, and regularly evaluate their practices to identify and mitigate vulnerabilities in your supply chain.

Incident Reporting and Management Accountability

One of the most critical changes under NIS 2 is the new incident reporting requirements. Organizations must submit an early warning within 24 hours of discovering a significant incident, followed by an incident notification within 72 hours, and a final report within a month. This rapid timeline requires security teams to have a well-prepared incident response plan that enables swift action and clear communication.

NIS 2 also imposes direct obligations on management bodies, including the C-suite and board of directors. Senior leaders must be involved in cybersecurity decision-making, approve risk management measures, and undergo cybersecurity training. Failure to meet these obligations could result in hefty fines and personal liability, so it’s crucial that security teams ensure their leadership is actively engaged in cybersecurity strategy.

Extraterritorial Reach and Compliance

Like the GDPR, NIS 2 has extraterritorial implications. Even if your organization is not based in the EU, you may still fall under the directive’s scope if you provide services within the EU. This means that companies outside Europe cannot afford to ignore NIS 2.

It is critical for organizations to assess whether their business activities in the EU bring them within the directive’s scope and to take steps to ensure compliance with its requirements.

Fines and Penalties

Non-compliance with NIS 2 can lead to substantial fines, similar to those imposed under the GDPR. Violations can result in fines of up to €10 million or 2% of an organization’s total global turnover, whichever is higher. Given these penalties, it’s essential that security teams take NIS 2 seriously, especially smaller companies that lack the resources to incur such hefty fines.

What Security Teams Can Do to Prepare

• Assess Scope: Determine whether your organization qualifies as an “essential” or “important” entity under NIS 2 and review which obligations apply to you.
• Review Incident Response Plans: Ensure you can meet the 24-hour, 72-hour, and one-month reporting requirements for significant security incidents.
• Engage Leadership: Make sure your C-suite and board are aware of their responsibilities under NIS 2, and that they are actively involved in approving and overseeing cybersecurity risk management efforts.
• Secure the Supply Chain: Audit your supply chain for vulnerabilities and ensure contracts with suppliers include adequate cybersecurity provisions.
• Monitor Member State Progress: Keep an eye on the implementation status of NIS 2 in each EU member state to ensure compliance with local variations of the directive.

NIS 2 Directive brings significant changes and increased obligations for organizations across the EU and beyond. Security teams must act now to assess their classification, strengthen supply chain security, ensure compliance with incident reporting requirements, and engage senior leadership in cybersecurity efforts. By preparing for these new mandates, organizations can avoid costly penalties and bolster their overall security posture.

Author Bio:

Graham Rance is a Global Sales Engineering EMEA at CyCognito. Graham's career is marked by progressive leadership and technical roles, including Consulting Engineering Lead for EMEA at BitSight Technologies, Senior Sales Engineer at Imperva, and Systems Engineer at Fortinet with a focus on the Financial Services vertical. Prior experiences include significant stints as an Independent Network Security Professional for Streym Ltd, Director and Area Manager at Citi, and VP of Architecture and Infrastructure at SGX, not to mention earlier roles at Barclays Bank, Merrill Lynch, and Societe Generale.