Navigating the Main Compliance Challenges of the NIS 2 Directive

The NIS 2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) aims to bolster cyber risk management across the European Union. Member states had to transpose it into national law by 17 October 2024, and the national measures apply from 18 October 2024. It builds on the first NIS Directive of 2016 while removing some of that version's ambiguities. Despite the extra clarity, NIS 2 compliance can still feel daunting, just another compliance headache on top of regulations like GDPR and standards like PCI DSS. This article goes through four key challenges of NIS 2 compliance and offers tips to help your business navigate them.

Key NIS 2 Compliance Challenges

Expanded scope

The first big change is a dramatically expanded scope of organizations that NIS 2 applies to, compared with the first version of the directive. This expanded scope presents a challenge in simply figuring out whether your organization falls under it. Newly added sectors of high criticality (Annex I of the directive) include space, wastewater, public administration, and business-to-business ICT service management. The "other critical sectors" list (Annex II) adds digital providers, food companies, waste management companies, manufacturers, postal and courier services, chemical companies, and research organizations.

There is clear justification for expanding the variety of organizations that need to comply with the directive. Back in 2016, threats like ransomware were around, but they were nowhere near as frequent. Attack surfaces have also expanded through digital transformation and remote work arrangements. Disparate services and sectors are now more connected and potentially exposed to attack than ever.

For NIS 2, a critical starting point is the size of your organization, measured with the EU's SME definition. If you have fewer than 50 employees and an annual turnover or balance sheet total of €10 million or less, you are a micro or small enterprise and are generally out of scope. Only specific circumstances pull such an entity in, for example if your company is the sole provider in a member state of a service that is essential to maintain critical societal or economic activities, or if a disruption of your service could have a significant impact on public safety, security, or health. Some entity types are also in scope regardless of size, including DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks, and public administration entities of central government.

Companies with fewer than 250 employees and an annual turnover of €50 million or less (or a balance sheet total of €43 million or less) are medium-sized, according to the EU definition. Large companies exceed those thresholds. Size and sector together determine whether the EU deems your business an essential entity or an important entity, and the distinction matters because supervision and penalties are stricter for essential entities. As a rule of thumb, large entities in the Annex I sectors are essential; medium-sized entities in Annex I sectors and medium or large entities in Annex II sectors are important. You can then use this helpful table to confirm which category your business falls into.

Stronger security measures

According to Article 21 of the directive, essential and important entities must take "appropriate and proportionate" technical, operational, and organizational measures based on an "all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents".
In practice, Article 21(2) lists the measures that must at least be covered, including:

  • Proper vulnerability handling and disclosure
  • Basic cyber hygiene practices and cybersecurity training
  • Incident response and recovery
  • Regular testing and auditing
  • Policies around the use of encryption to protect data
  • Multi-factor or continuous authentication solutions

The full list in Article 21(2) also covers risk analysis and information system security policies, supply chain security, business continuity (including backup management and disaster recovery), security in the acquisition and development of systems, and access control and asset management. These risk management measures are more detailed and prescriptive in NIS 2 than they were in the first version. It is important to note the wording: if you fall under the compliance scope, the directive treats these measures as the minimum set your organization must address to adequately reduce cyber risk, and what "appropriate and proportionate" means for you scales with your exposure, size, and the likely impact of an incident.

Incident reporting obligations

Article 23 of the directive is a lengthy one, but it is also where you will meet one of the major challenges of NIS 2 compliance: strict and specific incident reporting obligations. The rather wordy definitions say that you only need to report "significant incidents". An incident is significant if it has caused or is capable of causing severe operational disruption of your services or financial loss for your entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Unfortunately, the clarity introduced by this revised version of NIS somewhat breaks down here, because the directive itself does not say what counts as severe financial loss or operational disruption. For some digital-sector entities (such as DNS, cloud, data centre, managed service, and trust service providers) the Commission has since specified concrete significance thresholds in an implementing regulation; everyone else has to rely on national guidance. In general, the best advice is to err on the side of caution and report incidents that even have the potential to fall into the definition, keeping in mind that "capable of causing" means you assess potential impact, not just realized impact.

With all of this in mind, the reporting timeline in Article 23(4) is as follows, with every deadline counted from the moment you become aware of the incident:

  • Early warning: without undue delay and in any event within 24 hours, to your national CSIRT or, where applicable, the competent authority. At this stage you only need to say whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident notification: within 72 hours, updating the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise.
  • Intermediate status updates: on request of the CSIRT or competent authority.
  • Final report: no later than one month after the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, you submit a progress report instead and the final report within one month of handling it.

Separately, Article 23(1) requires you to inform the recipients of your services without undue delay about significant incidents likely to adversely affect them.

These obligations call for a well-rehearsed incident response plan with clear lines of communication, and a documented decision point for when an incident is declared significant, because the 24-hour clock starts at awareness rather than at classification. Creating templates and checklists for each of the three reports helps ensure consistency and completeness under time pressure. It is also worth training any staff tasked with incident response on your reporting process, and exercising it in tabletop drills.

Increased management accountability

Another notable NIS 2 compliance challenge is coming to terms with increased accountability at the management level. Rather than just saying that those in senior management positions have ultimate responsibility for cyber risk, Article 20 requires management bodies to approve the risk management measures and oversee their implementation, and makes them liable for infringements under national law.

The penalties are substantial. Entities face administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities. For essential entities, competent authorities can also temporarily prohibit the responsible executives (at CEO or legal representative level) from exercising managerial functions until the infringement is remedied. To meet their obligations, management bodies are required to follow training so they can identify risks, assess risk management practices, and supervise how the measures are implemented, and they are encouraged to offer similar training to their employees.

By holding top management accountable, NIS 2 is trying to ensure that cybersecurity is not relegated to an operational concern. Instead, this accountability is meant to integrate cybersecurity into the strategic decision-making process of organizations. It is a change that will perhaps put more stress on those in senior management, but if it drives a more security-first culture at companies, it will prove to be a positive change across the EU.

Need Help with NIS 2 Compliance?

At around 60 pages of dense legal language, the full NIS 2 Directive is a complex but important piece of legislation. At DIESEC, we are more than happy to help you overcome the key challenges of NIS 2 compliance, including the ones mentioned here (and others besides). Our GRC services help you manage compliance challenges with outside expertise and a fresh set of eyes.

Contact us today to find out how we’ll help.