NIS2 is a comprehensive European Union cybersecurity directive mandating stringent security protocols for essential and important entities. Implementing this NIS2 Directive requires a formalised risk management framework and robust incident reporting, delivering the business benefit of legal compliance and heightened operational resilience across EU infrastructure.
What is NIS2?
The NIS2 Directive is a new European Union law that aims to improve cybersecurity across the EU. It’s a follow-up to the original NIS Directive. NIS2 expands the types of businesses and organizations that must follow strict security rules. The main goal is to make Europe more resilient to cyber threats by requiring key services to have strong security measures in place.
Examples
- Hospitals and healthcare providers: They must protect patient data and keep their systems running smoothly.
- Energy companies: They need to secure power grids to prevent blackouts.
- Digital service providers: Companies like online marketplaces or cloud computing services must secure their platforms.
Context
The NIS2 Directive was created because cyber threats are growing. The old NIS law was not enough. NIS2 makes the rules tougher and adds more businesses. This ensures that a cyberattack on one key service won’t cause a domino effect across Europe. It works with other laws, like the GDPR (General Data Protection Regulation), to protect data and services.
How to implement NIS2
As a Lead Auditor, I have found that aligning your ISMS with the NIS2 Directive is the most effective way to ensure legal compliance across the European Union while strengthening organisational resilience. This 10-step roadmap enables you to implement the mandatory risk management measures and reporting obligations required by the directive, ensuring your technical controls satisfy both ISO 27001 auditors and national regulators.
1. Audit Organisational Scope for Entity Classification
Audit the organisational footprint to determine “Essential” or “Important” entity status: This identifies the specific level of regulatory oversight and the potential scale of enforcement penalties. Technical actions include:
- Verifying headcount and annual turnover against the NIS2 sector-specific size-cap rules.
- Identifying critical services provided within the EU member states.
- Mapping dependencies on digital service providers and critical infrastructure.
2. Formalise Management Accountability and Governance
Formalise senior management responsibility for cybersecurity risk management measures: This ensures that leadership is legally accountable for non-compliance and that security budgets are approved. Necessary steps involve:
- Conducting mandatory cybersecurity training for board members and senior executives.
- Establishing a formal Governance, Risk, and Compliance (GRC) reporting structure.
- Documenting management approval for all high-level security policies.
3. Provision an All-Hazards Risk Management Framework
Provision a technical risk management framework that addresses both cyber and physical threats: This satisfies the NIS2 requirement for an “all-hazards” approach to system security. Key requirements include:
- Integrating technical vulnerability data into a centralised Risk Register.
- Performing technical gap-analyses against the NIS2 minimum security requirements.
- Documenting risk treatment plans for all identified critical assets.
4. Establish Incident Handling and 24-Hour Reporting
Establish formal incident response protocols to meet the mandatory 24-hour “Early Warning” notification window: This ensures the organisation can notify national authorities of significant incidents within the legal timeframe. Technical actions include:
- Configuring SIEM alerts to trigger internal incident response playbooks.
- Formalising the 72-hour full incident notification report template.
- Conducting quarterly tabletop exercises to test reporting speed and accuracy.
5. Audit Supply Chain Security and Third-Party Risk
Audit the security posture of all critical suppliers and service providers: This addresses the NIS2 mandate to manage risks within the entire supply chain. Necessary steps involve:
- Integrating security requirements into all new and existing supplier contracts.
- Provisioning a Supplier Risk Register to monitor third-party technical vulnerabilities.
- Verifying that key partners have adequate business continuity and incident response plans.
6. Provision Multi-Factor Authentication and Zero Trust
Provision Multi-Factor Authentication (MFA) and granular access controls for all networked systems: This implements the “Hygiene” requirements of NIS2 to prevent unauthorised access. Technical requirements include:
- Enforcing MFA for 100% of administrative and remote access points.
- Implementing Identity and Access Management (IAM) roles based on the Principle of Least Privilege.
- Revoking access automatically for employee mover or leaver events.
7. Implement Cryptography and Encryption Standards
Implement technical standards for encrypting data at rest and in transit: This provides a critical safeguard for sensitive information and satisfies data security requirements. Implementation involves:
- Enforcing AES-256 encryption for all digital archives and backups.
- Mandating TLS 1.3 for the secure transfer of information between organisational systems.
- Establishing robust cryptographic key management to prevent data loss.
8. Formalise Business Continuity and Crisis Management
Formalise a Business Continuity Plan (BCP) that includes technical disaster recovery protocols: This ensures the organisation can maintain or restore operations during a significant cyber event. Key requirements include:
- Configuring immutable backup solutions to protect against ransomware.
- Testing the restoration of critical services from backups every six months.
- Documenting an emergency communication plan for internal and external stakeholders.
9. Execute Cyber Hygiene and Awareness Programmes
Execute mandatory cyber hygiene training for 100% of the organisational workforce: This reduces the risk of human error leading to system compromise. Implementation involves:
- Conducting regular phishing simulations to test employee vigilance.
- Providing specific technical training for staff with administrative privileges.
- Recording all training completions as objective audit evidence.
10. Audit Effectiveness and Regulatory Compliance
Audit the NIS2 implementation through an independent technical assessment: This verifies that controls are effective and provides the citable evidence required for regulatory inspections. Verification methods include:
- Performing a full internal audit of the NIS2-aligned ISMS annually.
- Executing a technical vulnerability assessment of all public-facing assets.
- Updating the technical Risk Register based on audit findings and new threat intelligence.
NIS2 FAQ
What is the NIS2 Directive?
The NIS2 Directive is the EU-wide legislation establishing a high common level of cybersecurity across the Union by expanding the scope of regulated sectors and increasing enforcement. It mandates that essential and important entities implement specific risk management measures, with potential fines reaching up to €10 million or 2% of global turnover.
What is the difference between ISO 27001 and NIS2?
ISO 27001 is a voluntary international standard for information security management, while NIS2 is a mandatory legal directive with specific regulatory reporting requirements. While ISO 27001 provides the framework (ISMS), NIS2 dictates legal obligations for incident notification windows (24-hour early warning) and supply chain security that are legally binding in EU Member States.
Which organisations must comply with the NIS2 Directive?
NIS2 applies to “Essential” and “Important” entities in 18 critical sectors, including energy, health, finance, and digital infrastructure. Generally, this includes all medium and large enterprises with more than 50 employees or an annual turnover exceeding €10 million that operate within the defined sectors providing critical services to the European internal market.
What are the NIS2 incident reporting timelines?
Entities must follow a strict three-stage reporting process: an early warning within 24 hours, a formal incident notification within 72 hours, and a final report within one month. This ensures that national CSIRTs (Computer Security Incident Response Teams) are notified of significant threats quickly enough to mitigate cross-border contagion within the EU infrastructure.
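To make the three-stage timeline from step 4 and this FAQ answer concrete, here is an added example (not from the original page) of a small deadline tracker that computes each stage's due time from the moment the entity became aware of the incident and flags filings as on time, late, overdue or pending. It assumes the "one month" for the final report counts from the 72-hour notification deadline and approximates it as 30 days; both are labelled assumptions, and the scenario data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Reporting stages from the page: early warning (24h), incident notification (72h),
# final report (one month). ASSUMPTION (not stated on the page): the month is
# approximated as 30 days and counted from the 72-hour notification deadline; the
# clock for every stage starts when the entity became aware of the incident.
STAGE_WINDOWS = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(hours=72) + timedelta(days=30)),
)


def deadlines(aware_at: datetime) -> dict:
    """Absolute deadline per stage; naive timestamps are refused because they hide timezone errors."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    return {name: aware_at + window for name, window in STAGE_WINDOWS}


def assess(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Status per stage: on_time, late (filed after deadline), overdue (missing, past due) or pending."""
    status = {}
    for name, due in deadlines(aware_at).items():
        sent = submitted.get(name)
        if sent is None:
            status[name] = "overdue" if now > due else "pending"
        else:
            status[name] = "on_time" if sent <= due else "late"
    return status


def demo() -> dict:
    """Constructed scenario: awareness at 09:00 UTC, early warning filed 20h later,
    72h notification filed 80h later (late), final report not yet filed 10 days in."""
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    filed = {
        "early_warning": aware + timedelta(hours=20),
        "incident_notification": aware + timedelta(hours=80),
    }
    return assess(aware, filed, now=aware + timedelta(days=10))


if __name__ == "__main__":
    # constructed sample: early warning on time, notification late, final report pending
    print(demo())
```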
Does NIS2 hold management accountable for cybersecurity?
Yes, NIS2 mandates that senior management bodies are personally accountable for the implementation and oversight of cybersecurity risk management measures. Article 20 specifies that management must approve security measures, undergo regular training, and can be held liable for non-compliance, ensuring security is a board-level governance priority rather than just a technical IT issue.
Relevant ISO 27001 Controls
NIS2 does not directly map to ISO 27001 controls. However, many of the security measures required by NIS2 align with the principles and controls found in ISO 27001. Some relevant controls include:
- ISO 27001:2022 Annex A 5.7 Threat Intelligence: Understanding and responding to cyber threats.
- ISO 27001:2022 Annex A 5.21 Managing Information Security In The ICT Supply Chain: Managing the security risks introduced by ICT suppliers and their products and services.
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services: Protecting data stored in the cloud.
- ISO 27001:2022 Annex A 8.15 Logging: Keeping records of system activities to find problems.
- ISO 27001:2022 Annex A 8.12 Data Leakage Prevention: Stopping sensitive information from getting out.
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 Annex A 5.7: Threat Intelligence | Active Defense: NIS2 emphasizes the need for organizations to understand and respond to cyber threats proactively, which is the primary objective of this control. |
| ISO 27001 Annex A 5.21: ICT Supply Chain Security | Resilience Requirement: NIS2 expands focus on supply chain security, requiring entities to manage risks from third-party ICT products and services. |
| ISO 27001 Annex A 5.23: Cloud Services | Sector Inclusion: Digital service providers and cloud computing services are specifically targeted by NIS2, making this control critical for their compliance. |
| ISO 27001 Annex A 8.15: Logging | Incident Detection: Maintaining system records is essential under NIS2 to identify security problems and fulfill strict incident reporting obligations. |
| ISO 27001 Annex A 8.12: Data Leakage Prevention | Protection Goal: Supports the NIS2 requirement to protect sensitive information and prevent the unauthorized outflow of data from critical entities. |
| ISO 27001 Annex A 5.31: Legal and Regulatory Requirements | Regulatory Basis: NIS2 is a mandatory EU directive; this control requires organizations to identify it as a legal obligation within their ISMS. |
| Glossary: GDPR | Legislative Synergy: NIS2 works alongside GDPR to ensure a unified approach to data protection and service resilience across the European Union. |
| Glossary: Cybersecurity | Primary Focus: The NIS2 Directive is fundamentally designed to raise the level of cybersecurity and resilience for essential and important entities. |