What is EU NIS2, or the Network and Information Systems Directive 2?
NIS2, or the Network and Information Systems Directive 2, is a comprehensive European Union (EU) cybersecurity legislation that came into effect on January 16, 2023. It is officially titled “Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union”. NIS2 is designed to enhance and standardize cybersecurity practices across EU member states, addressing the limitations of its predecessor, the original NIS directive.
A key aspect of NIS2 is its classification of entities into two categories:
NIS2 Essential Entities (EE)
Essential entities are typically larger organizations operating in critical sectors. They include:
- Large enterprises with over 250 employees or annual turnover exceeding €50 million in sectors such as energy, transport, banking, healthcare, and digital infrastructure
- Public administration entities
- Trust service providers
- DNS service providers
- Public electronic communication networks
- Critical entities as defined by the Critical Entities Resilience (CER) Directive
NIS2 Important Entities (IE)
Important entities are generally medium-sized organizations or those in sectors considered less critical. They include:
- Organizations with 50 to 250 employees or annual turnover between €10 million and €50 million.
- Entities in sectors such as postal services, waste management, food production, manufacturing of medical devices and electronic products, and digital service providers.
Both essential and important entities are subject to NIS2 requirements, including implementing cybersecurity risk management measures and incident reporting protocols. However, essential entities face more stringent supervision, while important entities are subject to ex-post supervision based on evidence of non-compliance.
NIS2 significantly expands the scope of cybersecurity regulation compared to its predecessor, covering approximately 160,000 entities across Europe. This broader coverage aims to create a more robust and unified cybersecurity framework across the EU, addressing evolving digital threats and enhancing cyber resilience.
What are the key EU NIS2 directive requirements in 2025?
- Conduct regular risk assessments of network and information systems
- Implement appropriate technical and organizational security measures
- Develop policies and procedures for risk analysis and information system security
- Establish vulnerability handling and disclosure processes
- Implement robust incident handling and crisis management procedures
- Report significant incidents within strict timelines (with three specific sub-requirements)
- Implement multifactor authentication (MFA)
- Ensure effective use of cryptography and encryption
- Develop and maintain business continuity and disaster recovery plans
- Implement access control policies and procedures
Conduct regular risk assessments of network and information systems
Key Questions to Ask:
- How frequently are we conducting comprehensive risk assessments?
- Are we using industry-standard methodologies (e.g., NIST SP 800-30, ISO 27005) for our risk assessments?
- Do we have an up-to-date and accurate inventory of all our digital assets?
- How are we incorporating threat intelligence into our risk assessment process?
- Are we considering both internal and external threats in our assessments?
- How are we evaluating and prioritizing the identified risks?
- Do we have a process for continuous monitoring and updating of our risk assessments?
- How are we integrating the results of our risk assessments into our overall security strategy?
- Are we considering emerging technologies and their associated risks in our assessments?
- How are we ensuring that our risk assessment process covers our entire supply chain and third-party dependencies?
Asset Inventory
Asset Inventory for NIS2 compliance involves a systematic and detailed cataloging of an organization’s digital assets. This process is crucial for establishing a comprehensive understanding of the attack surface and potential vulnerabilities. Here’s a technical explanation of the key components:
Comprehensive cataloging of all hardware, software, data, and network components:
Hardware Inventory:
- Utilize network discovery tools (e.g., Nmap, Lansweeper) to identify all connected devices
- Implement agent-based inventory systems on endpoints for detailed hardware specifications
- Use SNMP polling for network device information
- Maintain records of physical attributes, including serial numbers, locations, and ownership
Software Inventory:
- Deploy software asset management (SAM) tools to track installed applications
- Utilize package managers and application whitelisting solutions for software discovery
- Implement continuous monitoring for unauthorized software installations
- Track software versions, patches, and end-of-life dates
Data Inventory:
- Implement data discovery tools to identify and classify sensitive information
- Use data loss prevention (DLP) solutions for continuous data monitoring
- Maintain data flow diagrams to understand information movement within the organization
- Document data retention policies and storage locations (on-premises and cloud)
Network Component Inventory:
- Use network mapping tools to create topology diagrams
- Implement network configuration management systems
- Document all network devices, including routers, switches, firewalls, and load balancers
- Maintain records of IP addressing schemes, VLANs, and network segmentation
Classification of assets based on criticality and sensitivity:
- Implement a multi-tier classification system (e.g., Critical, High, Medium, Low)
- Use data classification tools to automatically categorize information assets
- Develop a risk-based approach to determine asset criticality:
  - Consider factors such as business impact, regulatory requirements, and data sensitivity
  - Utilize business impact analysis (BIA) methodologies
- Implement tagging systems for easy identification of asset classification levels
- Establish data handling procedures based on classification levels
Utilization of automated discovery tools and configuration management databases (CMDBs):
- Implement automated network discovery tools (e.g., Nessus, OpenVAS) for continuous asset detection
- Deploy agent-based inventory management systems on endpoints
- Utilize cloud-native tools for discovering assets in cloud environments (e.g., AWS Config, Azure Resource Graph)
- Implement a CMDB solution (e.g., ServiceNow, BMC Helix) to centralize asset information:
  - Ensure the CMDB integrates with discovery tools for real-time updates
  - Implement automated reconciliation processes to maintain CMDB accuracy
  - Use the CMDB for tracking relationships between assets and services
- Implement API-driven integrations between inventory tools and security information and event management (SIEM) systems
- Utilize configuration management tools (e.g., Ansible, Puppet) to maintain and track system configurations
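The CMDB reconciliation step is where unknown devices and stale records actually surface. The following Python is an added example (not from the original article, and not the output of any of the tools named above): it matches one discovery sweep against CMDB records by MAC address, flags devices the CMDB has never seen, records that discovery has not confirmed within a staleness window, and records with no owner. Both the discovery output and the CMDB rows are constructed sample data, and the field names (`mac`, `seen`, `last_seen`, `owner`, `criticality`) are assumptions for the illustration.

```python
"""Reconcile an automated discovery sweep against a CMDB (added example).

All records below are constructed sample data; field names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed: what a discovery run (e.g. a network sweep plus SNMP polling) reported.
DISCOVERED = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01", "hostname": "db01", "seen": "2025-03-01T08:00:00"},
    {"ip": "10.0.1.11", "mac": "00:11:22:33:44:02", "hostname": "web01", "seen": "2025-03-01T08:00:00"},
    {"ip": "10.0.1.50", "mac": "aa:bb:cc:dd:ee:ff", "hostname": "", "seen": "2025-03-01T08:00:00"},
]

# Constructed: CMDB records. 'last_seen' is when discovery last confirmed the asset.
CMDB = [
    {"mac": "00:11:22:33:44:01", "name": "db01", "owner": "dba-team", "criticality": "Critical", "last_seen": "2025-02-28T08:00:00"},
    {"mac": "00:11:22:33:44:02", "name": "web01", "owner": "web-team", "criticality": "High", "last_seen": "2025-02-28T08:00:00"},
    {"mac": "00:11:22:33:44:03", "name": "legacy-fs", "owner": "", "criticality": "Medium", "last_seen": "2024-11-01T08:00:00"},
]


def reconcile(discovered, cmdb, now, stale_after=timedelta(days=30)):
    """Return findings: unknown devices, stale CMDB entries, unowned records and
    records refreshed by this sweep. Matching is on MAC address because IPs change
    more often; a MAC can be spoofed, so this is an inventory hygiene check, not
    an authentication control."""
    # Work on copies so the caller's CMDB rows are not modified in place.
    by_mac = {rec["mac"].lower(): dict(rec) for rec in cmdb}
    seen_macs = set()
    findings = {"unknown": [], "stale": [], "unowned": [], "updated": []}

    for dev in discovered:
        mac = dev["mac"].lower()
        seen_macs.add(mac)
        rec = by_mac.get(mac)
        if rec is None:
            findings["unknown"].append(dev)  # not in the CMDB: possible shadow IT
            continue
        rec["last_seen"] = dev["seen"]  # reconciliation: refresh the CMDB timestamp
        findings["updated"].append(rec["name"])

    for mac, rec in by_mac.items():
        last = datetime.fromisoformat(rec["last_seen"])
        if mac not in seen_macs and now - last > stale_after:
            findings["stale"].append(rec["name"])  # decommissioned or offline: review
        if not rec.get("owner"):
            findings["unowned"].append(rec["name"])  # nobody accountable for patching
    return findings


def run_sample():
    """Run the reconciliation over the constructed data at a fixed point in time."""
    return reconcile(DISCOVERED, CMDB, datetime(2025, 3, 1, 9, 0, 0))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(category, items)
```

Feeding the `unknown` list into a ticketing queue and the `stale`/`unowned` lists into the periodic CMDB review is the automated reconciliation the bullet above calls for; the 30-day staleness window is a parameter, not a recommendation.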
Threat Modeling:
- Identification of potential threat actors and their capabilities
- Analysis of attack vectors and techniques (e.g., MITRE ATT&CK framework)
- Assessment of the likelihood of various threat scenarios
Vulnerability Scanning:
- Regular automated scans using vulnerability assessment tools
- Penetration testing to identify exploitable weaknesses
- Code review for custom applications to detect security flaws
Impact Analysis:
- Evaluation of potential consequences of successful attacks
- Consideration of financial, operational, and reputational impacts
- Use of quantitative and qualitative risk assessment methodologies (e.g., FAIR, OCTAVE)
Risk Evaluation:
- Prioritization of risks based on likelihood and impact
- Use of risk matrices or heat maps for visualization
- Alignment with organizational risk appetite and tolerance levels
Documentation and Reporting:
- Creation of detailed risk assessment reports
- Development of risk registers and treatment plans
- Regular updates and reviews of risk assessments (at least annually or after significant changes)
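To make the risk evaluation and risk register steps concrete, here is an added Python example (not part of the original article) of a small risk register scored on a 5x5 likelihood-by-impact matrix, banded into the four-tier Low/Medium/High/Critical scale used earlier on this page, laid out as a heat map, and filtered against a stated risk appetite. The risk entries and the band thresholds are constructed assumptions; each organization sets its own.

```python
"""Risk register scoring on a 5x5 likelihood/impact matrix (added example).

Risk entries and band thresholds below are constructed for illustration.
"""
from dataclasses import dataclass

BANDS = ["Low", "Medium", "High", "Critical"]  # ordered least to most severe


@dataclass(frozen=True)
class Risk:
    id: str
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


# Constructed sample register.
RISKS = [
    Risk("R1", "db01", "ransomware encrypting the primary database", 4, 5),
    Risk("R2", "web01", "SQL injection in the customer portal", 3, 4),
    Risk("R3", "printer-03", "outdated printer firmware", 2, 2),
    Risk("R4", "vendor-portal", "supplier account compromise", 5, 2),
    Risk("R5", "laptops", "theft of an unencrypted laptop", 2, 5),
]


def score(risk):
    """Matrix cell value: likelihood x impact, range 1..25."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.id}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def band(s):
    """Map a matrix score to a qualitative band. Thresholds are an assumption."""
    if s >= 15:
        return "Critical"
    if s >= 10:
        return "High"
    if s >= 5:
        return "Medium"
    return "Low"


def prioritize(risks, appetite="Medium"):
    """Rank by score, then by impact (at equal score the higher-impact risk ranks
    first), and return the IDs of risks whose band is above the appetite: these
    are the ones that need an entry in the risk treatment plan."""
    ranked = sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)
    limit = BANDS.index(appetite)
    return [r.id for r in ranked if BANDS.index(band(score(r))) > limit]


def heat_map(risks):
    """5x5 grid indexed [likelihood-1][impact-1] listing the risk IDs in each cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        score(r)  # validates the ranges before indexing
        grid[r.likelihood - 1][r.impact - 1].append(r.id)
    return grid


if __name__ == "__main__":
    for rid in prioritize(RISKS):
        r = next(x for x in RISKS if x.id == rid)
        print(f"{rid} {band(score(r)):8} {score(r):2}  {r.asset}: {r.threat}")
```

The tie-break on impact is deliberate: a low-likelihood, high-impact scenario (R5) is usually a better use of treatment budget than a frequent nuisance with the same product (R4).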
Implement appropriate technical and organizational security measures
Network Security
Network security involves implementing multiple layers of defense to protect an organization’s digital infrastructure. Next-generation firewalls (NGFW) provide advanced threat protection by combining traditional firewall capabilities with intrusion prevention systems and application awareness. Intrusion detection and prevention systems (IDS/IPS) monitor network traffic for suspicious activities and can automatically block potential threats. Network segmentation techniques, such as VLANs and micro-segmentation, isolate different parts of the network to contain potential breaches. Secure DNS configurations, including DNSSEC and DNS filtering, protect against DNS-based attacks and malicious domain resolution.
Endpoint Security
Endpoint security focuses on protecting individual devices that connect to the network. Endpoint detection and response (EDR) solutions provide real-time monitoring and analysis of endpoint activities, enabling rapid threat detection and response. Application whitelisting and software restriction policies limit the execution of unauthorized applications, reducing the risk of malware infections. Full-disk encryption protects data on endpoints even if devices are lost or stolen. Mobile device management (MDM) solutions enable organizations to secure and manage mobile devices used for work purposes, enforcing security policies and protecting corporate data on personal devices in BYOD environments.
Access Control
Access control measures ensure that only authorized users can access specific resources. Multi-factor authentication (MFA) adds an extra layer of security by requiring multiple forms of verification before granting access. Privileged access management (PAM) solutions control and monitor access to critical systems and sensitive data by administrators and other privileged users. Identity and access management (IAM) systems centralize user identity management, enabling efficient provisioning, de-provisioning, and access control across multiple systems. Network access control (NAC) solutions enforce security policies on devices before they connect to the network, ensuring only compliant devices gain access.
Data Protection
Data protection measures safeguard sensitive information from unauthorized access or exfiltration. Data loss prevention (DLP) tools monitor and control the movement of sensitive data, preventing unauthorized transfers or leaks. Encryption for data at rest and in transit, using strong algorithms like AES-256 and protocols like TLS 1.3, ensures data confidentiality even if intercepted. Database activity monitoring (DAM) solutions track and audit database access and changes, detecting suspicious activities. Secure backup and recovery systems ensure data availability and integrity in case of system failures or cyber incidents, including protection against ransomware attacks.
Security Monitoring
Security monitoring enables organizations to detect and respond to threats in real-time. Security information and event management (SIEM) systems aggregate and analyze log data from various sources, providing a centralized view of security events. User and entity behavior analytics (UEBA) use machine learning to detect anomalous behavior that may indicate a security threat. Threat intelligence platforms integrate external threat data with internal security information, enabling proactive threat detection and response. Continuous monitoring tools assess an organization’s security posture in real-time, ensuring ongoing compliance with security policies and standards.
Organizational Measures
Security Governance
Security governance establishes the framework for managing and implementing cybersecurity within an organization. A dedicated information security team leads the development and implementation of security strategies. An information security management system (ISMS) aligned with ISO 27001 provides a systematic approach to managing sensitive information. Comprehensive security policies and procedures define the rules and guidelines for protecting organizational assets. A security steering committee, comprising senior management, oversees security initiatives and ensures alignment with business objectives.
Risk Management
Risk management involves identifying, assessing, and mitigating cybersecurity risks. A formal risk assessment process evaluates potential threats and vulnerabilities to organizational assets. Regular vulnerability assessments and penetration testing identify and address security weaknesses in systems and applications. A vendor risk management program assesses and mitigates risks associated with third-party vendors and service providers. An enterprise risk register centralizes information about identified risks, their potential impacts, and mitigation strategies, enabling informed decision-making and resource allocation.
Incident Response
Incident response capabilities enable organizations to effectively manage and mitigate cybersecurity incidents. A computer security incident response team (CSIRT) is responsible for coordinating the organization’s response to security incidents. Incident response plans outline the steps to be taken during various types of security incidents, and regular testing ensures their effectiveness. Automated security orchestration and response (SOAR) tools streamline incident response processes by automating routine tasks and integrating various security tools. Established communication protocols ensure timely and appropriate reporting and escalation of incidents to relevant stakeholders.
Security Awareness and Training
Security awareness and training programs aim to create a security-conscious culture within the organization. A comprehensive security awareness program educates all employees about cybersecurity risks and best practices through various channels such as e-learning modules, newsletters, and workshops. Role-based security training provides specialized knowledge to IT and security personnel based on their specific responsibilities. Regular phishing simulations and social engineering tests assess employees’ ability to recognize and respond to common cyber threats. A security champion program designates individuals across departments to promote security awareness and serve as liaisons between the security team and other business units.
Compliance and Audit
Compliance and audit processes ensure adherence to regulatory requirements and internal security policies. Continuous compliance monitoring tools automate the assessment of systems and processes against relevant standards and regulations. Regular internal and external security audits provide independent evaluations of the organization’s security posture and identify areas for improvement. A process for tracking and implementing security controls from relevant frameworks (e.g., NIST, CIS Controls) ensures comprehensive coverage of security best practices. A comprehensive security metrics program measures and reports on various aspects of the organization’s security performance, enabling data-driven decision-making and demonstrating the effectiveness of security investments to stakeholders.
Develop policies and procedures for risk analysis and information system security
Organizations need to establish formal documentation outlining their approach to risk management and system security. This includes creating risk assessment methodologies, security policies covering areas like data protection and acceptable use, and standard operating procedures for security operations. These documents should align with frameworks like ISO 27001 or NIST Cybersecurity Framework.
Establish vulnerability handling and disclosure processes
Entities must implement a structured approach to managing vulnerabilities, including a coordinated vulnerability disclosure (CVD) program. This involves setting up a vulnerability reporting mechanism, prioritizing and addressing identified vulnerabilities, and collaborating with security researchers and CSIRTs. The process should include a clear timeline for vulnerability assessment, remediation, and public disclosure when appropriate.
NIS2 Incident Response and Reporting (2 main sub-requirements, with 3 specific timelines)
Implement robust incident handling and crisis management procedures
Organizations must establish a comprehensive Incident Response Plan (IRP) that outlines the steps to detect, analyze, contain, and mitigate security incidents. This includes defining roles and responsibilities within a Computer Security Incident Response Team (CSIRT), creating playbooks for different incident types, and implementing automated security orchestration and response (SOAR) tools. Regular tabletop exercises and simulations should be conducted to test and refine these procedures.
Report significant incidents within strict timelines:
NIS2 mandates a three-tiered incident reporting structure to ensure timely communication of cybersecurity events:
Initial warning within 24 hours
Organizations must provide an early alert to the relevant national Computer Security Incident Response Team (CSIRT) or competent authority within 24 hours of becoming aware of a significant incident. This initial notification should include basic details such as the incident type, potential impact, and any immediate actions taken. The use of standardized reporting templates and secure communication channels is crucial for efficient information sharing.
Detailed notification within 72 hours
Within 72 hours, entities must submit a more comprehensive incident report. This should include a detailed description of the incident, its impact assessment, indicators of compromise (IoCs), affected systems and services, and ongoing mitigation efforts. The report should also outline any potential cross-border impacts and the estimated recovery time. Utilizing threat intelligence platforms and incident management systems can facilitate the compilation of this information.
Final report within 30 days
The final report, due within 30 days of the incident, must provide a thorough post-incident analysis. This includes a root cause analysis, a complete timeline of events, the effectiveness of response measures, lessons learned, and long-term remediation plans. The report should also detail any data breaches, financial impacts, and steps taken to prevent similar incidents in the future. This comprehensive report aids in improving overall cybersecurity posture and sharing valuable insights with the broader security community.
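The three reporting stages above are easy to miss during an active incident, so an on-call checklist usually tracks them against the moment of awareness. The following Python is an added example (not from the original article): it computes the 24-hour, 72-hour and 30-day deadlines from the awareness timestamp, as the text above describes, and reports each stage as submitted, submitted late, open or overdue. The incident timestamps are constructed sample data.

```python
"""Incident reporting deadline tracker for the three stages above (added example).

Timestamps are constructed sample data. All deadlines are measured from the
moment the organization became aware of the incident, as described above.
"""
from datetime import datetime, timedelta, timezone

# (stage name, deadline measured from awareness of the incident)
STAGES = [
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
]


def deadlines(aware_at):
    """Absolute due time for each stage."""
    return {name: aware_at + delta for name, delta in STAGES}


def reporting_status(aware_at, submitted, now):
    """Per stage: 'submitted', 'submitted_late', 'open' or 'overdue'.
    `submitted` maps stage name -> time the report went to the CSIRT or authority."""
    status = {}
    for name, due in deadlines(aware_at).items():
        sent = submitted.get(name)
        if sent is not None:
            status[name] = "submitted" if sent <= due else "submitted_late"
        else:
            status[name] = "open" if now <= due else "overdue"
    return status


def hours_remaining(aware_at, now, stage):
    """Hours left for a stage (negative once the deadline has passed)."""
    due = deadlines(aware_at)[stage]
    return (due - now).total_seconds() / 3600


# Constructed scenario: awareness at 10:00 UTC on 1 March; early warning sent
# 20 hours later, the 72-hour notification sent 80 hours later (late), final
# report still pending.
AWARE_AT = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
SUBMITTED = {
    "early_warning": AWARE_AT + timedelta(hours=20),
    "incident_notification": AWARE_AT + timedelta(hours=80),
}


def run_sample():
    """Evaluate the constructed scenario ten days after awareness."""
    now = AWARE_AT + timedelta(days=10)
    return reporting_status(AWARE_AT, SUBMITTED, now), hours_remaining(AWARE_AT, now, "final_report")


if __name__ == "__main__":
    status, hours = run_sample()
    print(status)
    print(f"final report due in {hours:.0f} h")
```

Using timezone-aware timestamps matters here: the awareness time is typically recorded by a SIEM in UTC while the reporting team works in local time, and a naive datetime silently produces the wrong deadline.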
Security Measures
Implement multifactor authentication (MFA)
Organizations must deploy MFA across all critical systems and user accounts. This involves implementing at least two independent authentication factors, such as something you know (password), something you have (security token), and something you are (biometrics). Advanced MFA solutions may include risk-based authentication, which adapts security requirements based on user behavior, location, and device characteristics. Implementation should cover remote access, privileged accounts, and cloud services, utilizing protocols like FIDO2 or TOTP for enhanced security.
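As an added example (not from the original article), the following Python implements the server side of the TOTP factor mentioned above, following RFC 6238 (built on the HOTP construction of RFC 4226): code generation, constant-time comparison, a small clock-drift window, and rejection of any time step at or below the last accepted one so that an intercepted code cannot be replayed. The key used is the published RFC 6238 test-vector key, included only so the output can be checked against the RFC; it is not a production secret.

```python
"""TOTP (RFC 6238) generation and server-side verification (added example)."""
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at // step), digits)


def verify_totp(key, code, at, step=30, digits=6, window=1, last_counter=None):
    """Server-side check of a submitted code.

    Accepts the current step and +/-`window` neighbouring steps to tolerate
    clock drift, compares in constant time, and never accepts a step at or
    below `last_counter` (the step of the last accepted code), which blocks
    replay of a code the user has already used. Returns (accepted, counter);
    the caller stores the returned counter as the new `last_counter`.
    """
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False, last_counter
    current = int(at // step)
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return True, counter
    return False, last_counter


# RFC 6238 Appendix B test key (SHA-1 variant). Never use it for real enrolment.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("code for the current 30 s step:", totp(RFC_TEST_KEY, time.time()))
```

Two details matter in practice: the shared secret must be generated from a cryptographically secure source and stored like a password-equivalent (the page's HSM and key-management points apply), and the `last_counter` must be persisted per user, otherwise the replay protection only holds within one process.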
Ensure effective use of cryptography and encryption
Entities must implement robust encryption to protect data at rest and in transit. This includes using industry-standard algorithms such as AES for data encryption and TLS 1.3 for secure communications, and implementing a comprehensive key management system. Organizations should also consider end-to-end encryption for sensitive communications and use hardware security modules (HSMs) for secure key storage. Regular cryptographic assessments and updates are necessary to maintain protection against evolving threats.
Develop and maintain business continuity and disaster recovery plans
Organizations must create comprehensive plans to ensure operational resilience in the face of cyber incidents or disasters. This involves conducting business impact analyses, defining recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems, and establishing alternate processing sites. Plans should include detailed procedures for data backup and restoration, emergency communication protocols, and regular testing through tabletop exercises and full-scale simulations. Integration with incident response plans is crucial for a cohesive approach to cyber resilience.
Implement access control policies and procedures
Entities must establish and enforce strict access control measures based on the principle of least privilege. This includes implementing role-based access control (RBAC), regularly reviewing and updating user permissions, and utilizing privileged access management (PAM) solutions for administrative accounts. Organizations should also implement network segmentation to limit lateral movement in case of a breach, and employ strong password policies coupled with MFA. Continuous monitoring and logging of access attempts, along with periodic access audits, are essential for maintaining a robust access control framework.
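The following Python is an added example (not from the original article) of the access control pattern just described: role-based permissions evaluated deny-by-default, an MFA step-up for privileged actions in the spirit of PAM, and a periodic access review that lists permissions a user holds but has not exercised, which is the raw material for the least-privilege clean-up. The roles, users and access log are constructed sample data.

```python
"""RBAC with deny-by-default, MFA step-up for privileged actions, and a
least-privilege access review (added example). Roles, users and the usage
log are constructed sample data."""
from collections import defaultdict

# Constructed role -> permissions, each permission being (resource, action).
ROLES = {
    "dba": {("db", "read"), ("db", "write"), ("db", "admin")},
    "analyst": {("db", "read"), ("reports", "read")},
    "support": {("tickets", "read"), ("tickets", "write")},
}
USERS = {
    "alice": ["dba"],
    "bob": ["analyst", "support"],
    "carol": ["analyst"],
}
# Actions that additionally require a fresh MFA verification.
PRIVILEGED = {("db", "admin")}


def permissions(user):
    """Union of the permissions of every role the user holds; unknown users
    or roles contribute nothing, so they end up with an empty set."""
    return set().union(*(ROLES.get(role, set()) for role in USERS.get(user, [])))


def is_allowed(user, resource, action, mfa_verified=False):
    """Deny by default: only an explicit grant allows, and privileged actions need MFA."""
    perm = (resource, action)
    if perm not in permissions(user):
        return False
    if perm in PRIVILEGED and not mfa_verified:
        return False
    return True


# Constructed access log for the review window: (user, resource, action).
USAGE_LOG = [
    ("alice", "db", "read"),
    ("alice", "db", "read"),
    ("bob", "tickets", "read"),
    ("bob", "tickets", "write"),
    ("bob", "reports", "read"),
]


def access_review(usage_log):
    """Granted-but-unused permissions per user, i.e. candidates for removal.
    Returns {user: sorted list of (resource, action)}."""
    used = defaultdict(set)
    for user, resource, action in usage_log:
        used[user].add((resource, action))
    return {user: sorted(permissions(user) - used[user]) for user in USERS}


if __name__ == "__main__":
    for user, unused in access_review(USAGE_LOG).items():
        print(user, "unused:", unused)
```

The review output is a starting point for the periodic access audit, not an automatic revocation list: some rights are legitimately exercised rarely (break-glass, quarter-end), and the reviewer confirms each one with the asset owner.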
Governance and Accountability
- Obtain top management approval and supervision of cybersecurity measures
- Ensure management responsibility for non-compliance
- Conduct regular cybersecurity training for employees and management
Supply Chain Security
- Assess and manage supply chain security risks
- Ensure suppliers and partners comply with cybersecurity regulations
Additional Requirements
- Develop and implement security policies and procedures
- Establish monitoring and logging capabilities
- Conduct regular testing and simulations of incident response plans
- Maintain documentation demonstrating compliance with NIS2 requirements
- Collaborate with other organizations and national competent authorities
NIS2 Risk Assessment Methodology
This document outlines the approach for identifying, analyzing, and evaluating cybersecurity risks. It’s crucial for compliance with Article 21, paragraph 2, point (a) of NIS2. The methodology should:
- Define how to identify and categorize assets
- Establish criteria for assessing vulnerabilities and threats
- Provide a framework for determining risk levels
- Include guidelines for risk prioritization
The risk assessment process should consider the entity’s exposure to risks, size, and the potential societal and economic impact of incidents.
NIS2 Risk Treatment Plan
This plan is a key document that outlines how identified risks will be addressed. It’s required to comply with Article 20, paragraph 1, which mandates management approval of cybersecurity risk-management measures. The plan typically includes:
- A list of identified risks and their priority levels
- Proposed mitigation strategies for each risk
- Timelines for implementing security measures
- Resource allocation for risk treatment activities
- Roles and responsibilities for risk mitigation
NIS2 Training and Awareness Plan
This document is essential for meeting the requirements of Article 20, paragraph 2, which mandates regular cybersecurity training for management and employees. The plan should outline:
- Training objectives and target audiences
- Types of training programs (e.g., general awareness, role-specific training)
- Frequency and methods of training delivery
- Assessment and evaluation procedures
- Tracking mechanisms for participation and effectiveness
NIS2 Incident Management Procedure
This procedure is critical for complying with Article 21, paragraph 2, point (b) on incident handling. It should detail:
- Steps for detecting, classifying, and responding to security incidents
- Roles and responsibilities during an incident
- Communication protocols (internal and external)
- Escalation procedures
- Post-incident analysis and reporting processes
NIS2 IT Security Policy
While not explicitly named in NIS2, this overarching policy is crucial for setting the direction for cybersecurity within the organization. It should:
- Define the organization’s approach to information security
- Outline key security objectives and principles
- Establish high-level security requirements
- Define roles and responsibilities for security management
- Provide a framework for more specific security policies and procedures
NIS2 Business Continuity Plan
Required by Article 21, paragraph 2, point (c), this plan ensures the organization can maintain or quickly resume critical functions during and after a cyber incident. It should include:
- Business impact analysis results
- Recovery time objectives for critical systems and processes
- Procedures for activating the continuity plan
- Roles and responsibilities during a crisis
- Testing and update schedules for the plan
NIS2 Supply Chain Security Policy
This policy addresses the requirements related to supply chain security management. It should outline:
- Criteria for assessing supplier cybersecurity risks
- Security requirements for suppliers and third-party service providers
- Procedures for monitoring and auditing supplier compliance
- Incident response coordination with suppliers
NIS2 Access Control Policy
This policy is crucial for implementing the principle of least privilege and ensuring appropriate access to systems and data. It should cover:
- User authentication requirements (e.g., multi-factor authentication)
- Access rights management procedures
- Regular access reviews and audits
- Procedures for revoking access when no longer needed
NIS2 Cryptography and Encryption Policy
This policy addresses the NIS2 requirement for effective use of cryptography and encryption. It should define:
- Standards for encryption algorithms and key lengths
- Procedures for key management and storage
- Guidelines for when and how to use encryption
- Compliance with relevant data protection regulations
NIS2 Monitoring and Logging Policy
This policy is essential for detecting and investigating security incidents. It should specify:
- Types of events to be logged
- Log retention periods
- Procedures for log analysis and correlation
- Measures to protect the integrity of logs
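One concrete way to meet the last point, protecting the integrity of logs, is a keyed hash chain: each entry carries an HMAC over the previous entry's hash and its own content, so any edit, deletion or reordering after the fact breaks the chain. The following Python is an added example (not from the original article); the audit events and the collector key are constructed for the illustration, and a real deployment keeps the key on the log collector, not on the systems whose logs it protects.

```python
"""Tamper-evident logging with an HMAC hash chain (added example).

Events and the collector key are constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(key, prev_hash, seq, event):
    """HMAC over the previous hash, the sequence number and the canonical JSON
    of the event, so editing, reordering or re-inserting an entry breaks the chain."""
    payload = f"{prev_hash}|{seq}|" + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(chain, key, event):
    """Append one event, linking it to the current tail of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "event": event, "prev": prev, "hash": _digest(key, prev, seq, event)}
    chain.append(entry)
    return entry


def verify_chain(chain, key, expected_last_hash=None):
    """Return (True, None) if intact, else (False, index of the first bad entry).

    A chain on its own cannot show that its tail was cut off, so pass the last
    hash recorded out of band (for example by the SIEM or a write-once store)
    to detect truncation; a mismatch is reported at index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_digest(key, prev, i, entry["event"]), entry["hash"]):
            return False, i
        prev = entry["hash"]
    if expected_last_hash is not None and not hmac.compare_digest(prev, expected_last_hash):
        return False, len(chain)
    return True, None


# Constructed key: generate a real one from a CSPRNG and keep it on the collector.
DEMO_KEY = b"constructed-collector-key-not-for-production"


def build_sample(key=DEMO_KEY):
    """Three constructed audit events appended in order."""
    chain = []
    append_entry(chain, key, {"ts": "2025-03-01T08:00:00Z", "user": "alice", "action": "login", "result": "ok"})
    append_entry(chain, key, {"ts": "2025-03-01T08:05:12Z", "user": "alice", "action": "db.admin", "result": "ok"})
    append_entry(chain, key, {"ts": "2025-03-01T08:07:40Z", "user": "bob", "action": "login", "result": "fail"})
    return chain


if __name__ == "__main__":
    chain = build_sample()
    print("intact:", verify_chain(chain, DEMO_KEY))
    chain[1]["event"]["user"] = "mallory"
    print("after tampering:", verify_chain(chain, DEMO_KEY))
```

The chain complements, rather than replaces, forwarding logs to a separate collector: an attacker who controls both the host and the collector key can rebuild the chain, which is why the key and the periodic "last hash" checkpoint live off the monitored system.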
By developing and implementing these documents, organizations can establish a comprehensive framework for cybersecurity risk management and incident reporting, aligning with the requirements of the NIS2 Directive.