NIS2 Compliance Readiness for Organizations across the European Union

NIS2 Compliance Readiness for Organizations across the European Union
May 15, 2024 14 mins

NIS2 Compliance Readiness for Organizations across the European Union

NIS2 Compliance Readiness for Organizations across the European Union

The expansive scope, stringent sanctions and pivotal role of management related to the new NIS2 Directive provide a strong foundation to protect against evolving cyber risks.

Key Takeaways
  1. NIS2, effective on October 18, 2024, aims to enhance the resilience of critical sectors across the EU.
  2. The directive places significant emphasis on personal accountability for stakeholders in cybersecurity risk management and includes harsh financial penalties for non-compliance.
  3. Organizations must implement 10 crucial cybersecurity measures to comply with the new legislation.

Organizations across the European Union (EU) are pressed to comply with the upcoming Network and Information Systems Directive (NIS2),1 a legislation focused on increasing cybersecurity. Failure to meet the requirements outlined in the new directive could result in significant fines and reputational damage.

The NIS2 Directive expands its scope beyond the EU NIS Directive to cover more sectors such as supply chains, food production and public administration, and focuses on the need for consistent implementation across all EU member states. NIS2 also introduces size-cap rules. This means that all medium-sized and large entities operating within covered sectors are now subject to the directive's provisions. This expansion aims to improve cybersecurity across infrastructure and industries that are critical to the economy.

Quote icon

The primary objective of NIS2 is to enhance the cyber resilience of organizations across the EU by fostering a proactive stance on cybersecurity and ensuring stronger collaboration between organizations and their third-party vendors.

Amine Menaa
Cyber Consulting Head Nordics, Cyber Engagement Leader, EMEA

Main Changes Under the NIS2 Directive

  • 1. Broader Scope
    • NIS2 expands the scope to include more sectors and services as either "essential" or "important" organizations. 
    • Companies with headquarters outside of EU member states (with or without subsidiaries) that provide products to EU member states in scope of NIS2 must comply.2
    • Cybersecurity risk management is expanded to include supply chain security.
  • 2. Stricter Requirements
    • NIS2 introduces more stringent cybersecurity risk management measures. 
  • 3. EU-wide Cooperation
    • The directive serves as the foundation for establishing the European cyber crisis liaison organization network.3
Quote icon

The NIS2 not only urges organizations to improve their own cyber resilience, but also hopes to foster cooperation among sectors so that companies can share information and advice about future threats and how to handle them.

Juliette Roest
Consultant, Cyber Risk, Netherlands

Under NIS2, organizations must adhere to stringent security requirements to ensure cyber resilience. These requirements include robust risk management practices, business continuity planning, corporate accountability and reporting obligations.

NIS2 Requirements

  • Risk Management
    • Organizations are mandated to take decisive actions to adhere to the new directive and mitigate cyber risks effectively. 
    • This involves implementing robust incident management protocols, bolstering supply chain security, fortifying network defenses, enhancing access control mechanisms and adopting encryption practices. 
    • Proof of implemented cybersecurity policies, such as the results of security audits and the respective underlying evidence, are also required.
  • Business Continuity
    • Entities must strategize on ensuring uninterrupted business operations in the event of significant cyber incidents. 
    • This entails formulating comprehensive plans for system recovery, establishing emergency protocols and assembling a dedicated crisis response team.
  • Corporate Accountability
    • NIS2 imposes accountability on corporate management to oversee, endorse and undergo training on the organization's cybersecurity measures. Failure to address cyber risks adequately could lead to penalties for management, including potential liability and temporary bans from managerial roles.
  • Reporting Obligations
    • The directive delineates specific reporting obligations and timelines. Non-compliance with these reporting procedures may result in administrative fines. 
    • Timely notifications to the Computer Security Incident Response Team are crucial, with deadlines set at 24 hours, 72 hours and one month. Companies should facilitate the assessment of damage severity and ensure all stakeholders are informed of their roles in the notification process.
NIS2 Reporting Obligations

Greater Liability and Obligations Ahead

Management bodies are responsible for overseeing and approving cybersecurity measures, as well as ensuring compliance with the directive. Failure to fulfil these responsibilities can result in significant financial penalties, highlighting the importance of proactive engagement from senior leadership.

"Cybersecurity risk management knowledge is often lacking, especially at smaller companies,” says Juliette Roest, Cyber Risk Consultant for Aon in the Netherlands. “While the IT department tends to be responsible for information security management, they generally do not have an overview of business needs and the risks associated with those needs.”

Implementing NIS2 governance encourages management and board members to effectively oversee company risks and provide all the necessary information and resources to ensure resilience in the event of a cyber incident.

€10M

or 2 percent of the total global annual turnover is the maximum fine that can be imposed on essential entities for non-compliance of the NIS2 directive.

Source: Article 32 – Supervisory and enforcement measures in relation to essential entities

Quote icon

While senior leadership and the board were always held accountable, the new directive will make them formally liable for any infringements. This directive underscores the pivotal role of cybersecurity as a board-level concern.

Jenni Parry
Associate Director, Cyber Risk, EMEA

Case study: NIS2 Gap Analysis Helps Major Manufacturing Company Interpret and Implement Required Controls

What’s the Story?

When a large Nordic multinational manufacturing company found itself under the scope of NIS2, it sought Aon’s help to identify its main cyber risks and assess the current status and preparedness of security controls, cyber risk management and governance.

Why it Matters

Multinational organizations face potentially significant impact in every country that they operate in. Therefore, compliance with the NIS2 directive would help the manufacturing company to improve its cyber resilience across all territories.

Outcomes

Aon successfully developed a risk and security assessment, including a NIS2 gap analysis with concrete actions to take. The manufacturing company received a board-ready report to present the current status and requirements for leadership to ensure they are prepared.  

Take Action to Improve Cybersecurity Resilience Now

The NIS2 Directive encompasses a comprehensive array of measures, spanning operational cyber risk management, cyber hygiene, incident response, incident reporting and supply chain security. 

NIS2 Requirements Actions to Consider
Effective cybersecurity risk management measures Optimize finite budget investments to help achieve better maximum return on security investments.
Policies on risk analysis and information system security Develop or review appropriate risk management systems and ensure they are aligned with enterprise risk management frameworks.
Effective general risk management measures Develop frameworks for risk assessments at an organizational level, combined with scenario-specific stress testing, to examine overall risk management for:
  • Business continuity management
  • Backup management
  • Crisis management
  • Disaster recovery
Basic cyber hygiene Provide an assessment of your firm’s cyber posture and general hygiene practices, as well as cybersecurity training to evaluate and pinpoint risk and security control gaps.
Multi-factor/continuous authentication Provide strategic support for the selection, adoption and deployment of appropriate multi-factor or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems.
Policies and procedures for the use of cryptography and encryption Implement the use of encryption, in particular end-to-end encryption, where necessary.
Supply chain security Align cyber risk in the supply chain to your existing corporate risk appetite framework and develop a company-specific approach to better analyze and target improved supply chain cyber resilience.
Comprehensive cyber incident management protocols Analyze your incident response preparedness, including the prevention, detection and response to incidents.
Effective cyber incident reporting Assess your incident reporting capabilities, responsiveness and design or adjust existing incident reporting procedures to ensure alignment with new regulatory requirements. This includes awareness and training of employees on cyber threats and phishing.
Security in network and information systems Systematically hunt generic and targeted threats within the network and information systems acquisition, development and maintenance, including vulnerability handling. Monitor the internet for leaked assets and threats.

Start preparing for the NIS2 Directive now by elevating your cyber resilience and asking the following questions: 

  1. Is my company affected by NIS2?
  2. Is our risk management at the right level for NIS2?
  3. Can my company report cyber security incidents properly?
  4. What is the state of my company's supply chain risk management when it comes to cyber security?

"Regardless of your organization's classification as essential or important, it is imperative for every entity to thoroughly examine the requirements outlined in NIS2,” advises Amine Menaa, Cyber Engagement Leader and Aon's Cyber Consulting Head Nordics, EMEA. “Proactively assess their compliance well in advance of the October 2024 implementation deadline.” 

Aon’s Thought Leaders
  • Amine Menaa
    Cyber Consulting Head Nordics, Cyber Engagement Leader, EMEA
  • Jenni Parry
    Associate Director, Cyber Risk, EMEA
  • Juliette Roest
    Consultant, Cyber Risk, Netherlands

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner