The NIS2 Directive represents a fundamental step in the European Union’s cybersecurity strategy, expanding the existing regulatory framework and seamlessly integrating with the principles of Governance, Risk Management, and Compliance (GRC).
The Directive is currently in the spotlight for several reasons. First and foremost, it marks a significant update to the previous 2016 NIS Directive by broadening its scope and introducing stricter cybersecurity requirements. This change is necessary in a context where cyber threats are constantly evolving, and critical infrastructures require stronger protection. Officially coming into force on October 16, 2024, the directive mandates that companies prepare to comply with the new security and risk management requirements.
With its extension to 15 critical sectors—including energy, transportation, healthcare, and digital services—a significantly larger number of organizations will need to comply with the regulations. This expansion means that companies must now tackle more complex challenges in managing cybersecurity.
Key Points of the NIS2 Directive
Expansion of Scope
NIS2 involves a significantly larger number of entities, including essential service operators and digital service providers, with the goal of protecting critical sectors such as energy, transportation, and healthcare.
Security Obligations
Companies must implement technical and organizational measures to manage cybersecurity risks. This includes the timely reporting of significant incidents within 24 hours and the submission of a detailed report within 72 hours.
Integration with Other Regulations
The directive aligns with existing regulations such as GDPR and DORA, creating a coherent regulatory framework for data protection and operational resilience.
Focus on the Supply Chain
Organizations must ensure the security of their supply chain by assessing supplier vulnerabilities and implementing appropriate security practices.
Implications for GRC
A crucial point of NIS2 is the obligation for the management bodies of organisations to approve the risk management measures adopted. This implies that the board of directors must not only be involved in the definition of security policies, but also receive specific training to understand cyber risks and their implications on the services offered. This direct responsibility of top management marks a significant change in the way cyber security is perceived and managed within organisations.
Risk Management with NIS2
Risk management under NIS2 is not limited to 'cyber' risks, as is often assumed, but takes a multi-risk approach. This approach goes beyond defending against cyber attacks and embraces a broader view that includes physical risks, environmental risks, supply chain risks and operational risks resulting from human error or process disruptions.
NIS2 promotes proactive risk management, requiring companies to conduct ongoing assessments of their risks and take appropriate technical and organisational measures. Required practices include the implementation of multi-factor authentication, encryption and supply chain security. This implies a constant review of vulnerabilities, not only internally, but also extended to suppliers, so that every link in the chain is adequately protected.
Compliance and Sanctions
With the coming into force of NIS2, companies must comply with specific requirements by 17 October 2024. Penalties for non-compliance can be severe, up to EUR 10 million or 2 per cent of global annual turnover for the most serious violations. This puts great pressure on organisations to ensure that appropriate measures are implemented and that there is clear documentation of security practices.
Audit and Reporting
NIS2 also establishes strict requirements for incident reporting, requiring companies to report significant events within 24 hours and provide a detailed analysis within 72 hours.
In conclusion, the NIS2 Directive not only strengthens cybersecurity measures across Europe but also serves as a catalyst for the effective implementation of GRC systems. Through a holistic risk management approach and increased accountability, companies can enhance their operational resilience and better protect their critical infrastructure.
This integrated approach is essential for addressing the growing challenges in the cybersecurity landscape and ensuring a high level of protection for citizens and organizations across the European Union.
Cybersecurity threat figures
In 2024, cyber attacks in Europe showed a significant increase, with different forms of threats affecting various sectors. More than 11,079 cyber incidents were recorded in the European Union, showing an increase over the previous year. In particular, 29% of global attacks targeted Europe, an increase from 23% in 2023. The most vulnerable sectors included public administration, which suffered 20% of attacks, and the transport and telecommunications sectors, with a 45% increase. The European water system was also targeted, demonstrating the magnitude of the threats.
Cyberattacks in the Banking Sector
The European banking sector has faced a significant increase in cyberattacks, with the number of incidents nearly doubling in 2023 compared to the previous year.
This surge is attributed to an increasingly hostile cyber environment, characterized by more sophisticated and aggressive attacks from authoritarian states and cybercriminal groups.
In particular, distributed denial-of-service (DDoS) attacks and ransomware have become some of the most common threats, with ransomware locking banks out of their own data. Specific examples of attacks in the banking sector include targeted incidents against third-party service providers, which can compromise the security of the banks themselves.
The European Central Bank (ECB) conducted its first cybersecurity stress test on 109 European banks, highlighting the need to improve resilience and controls to mitigate cyber risks. This test revealed that banks must continuously invest in protection systems and incident management to counter growing threats.
Additionally, in the first half of 2024, there was a global increase in cyberattacks, with Europe accounting for approximately 29% of attacks worldwide. This marks a rise from 23% in 2023, indicating that European banks must remain vigilant and prepared to respond to an ever-evolving cyber landscape.
Cyber Resilience Act: Strengthening NIS2 and the EU Cybersecurity Strategy
To further strengthen the NIS2 framework and the European cybersecurity strategy, the Cyber Resilience Act recently came into force. It is the first EU legislation imposing cybersecurity obligations on products with digital components.
The Act aims to enhance security by requiring mandatory software updates and consumer support, ensuring greater transparency of cyber risks. Products that comply will carry the CE marking, with key provisions becoming applicable from December 11, 2027.