Posted: 17 Dec. 2024, 3 min reading time

Understanding NIS2: The New EU Cybersecurity Directive

Cybersecurity elevated to a board-level priority

This blog post was originally published on the Directors' Institute Finland website.


Introduction to NIS2

NIS2 is the latest EU cybersecurity directive, building upon the original NIS directive. Its primary goal is to strengthen the security of network and information systems across the EU. This directive mandates that operators of critical infrastructure and essential services implement robust security measures and promptly report any incidents to relevant authorities. By modernizing the existing legal framework, NIS2 addresses the increased digitization and evolving cybersecurity threats. It also broadens the scope of cybersecurity regulations to include new sectors and entities, enhancing the resilience and incident-response capacities of public and private organizations, competent authorities, and the EU as a whole.


Implementation Timeline

EU member states had until 17 October 2024 to transpose the directive into national law. However, only a few countries have accomplished this so far. Finland, for instance, has yet to implement NIS2; so far only a draft proposal has been prepared. It is highly likely that Finland will complete the local implementation by the first half of 2025. You can follow the process here: HE 57/2024 vp


Sectors Covered by NIS2

NIS2 applies to organizations within specific sectors that have at least 50 employees and/or an annual turnover of EUR 10 million. However, exceptions exist: if an organization is covered by the Critical Entities Resilience (CER) directive, NIS2 applies regardless of size. Entities are categorized into two groups:

  • Essential Entities: These include sectors like finance, energy, transport, and healthcare. Organizations with at least 250 employees, an annual turnover exceeding EUR 50 million, and a balance sheet total over EUR 43 million are considered essential entities.
  • Important Entities: This category includes sectors such as waste management, food, and manufacturing.


Management Responsibilities and Sanctions

NIS2 elevates cybersecurity to a board-level priority by holding senior leadership and the board accountable for infringements. Governing bodies of both essential and important entities must endorse cybersecurity risk management measures and oversee their implementation. Leadership can be held liable for breaches, though this liability does not override existing national laws regarding public institutions and officials. Additionally, governing bodies must ensure they have the necessary knowledge to assess cybersecurity risks and management practices, providing training opportunities as needed. Employees should also receive regular training to identify risks and evaluate cybersecurity measures' impacts.

Authorities will supervise compliance through various methods, including on-site inspections, external monitoring, and security checks. Enforcement measures can range from warnings and binding instructions to administrative fines. For essential entities, fines can reach up to EUR 10 million or 2% of the annual turnover. For important entities, fines can be up to EUR 7 million or 1.4% of the annual turnover. Governing bodies of essential entities might also face personal liability and temporary bans on managerial duties.


Achieving Compliance with NIS2

To comply with NIS2, EU member states must ensure that essential and important entities implement adequate cybersecurity risk-management measures. These measures should follow an all-hazards approach, covering risk analysis, incident handling, business continuity, supply chain security, and cybersecurity training. Organizations must assess the vulnerabilities of their suppliers and service providers and report significant incidents to the authorities promptly. Compliance involves detailed reporting obligations and may require specific technical and methodological implementations.


Deloitte's Compliance Services

Deloitte supports organizations in achieving NIS2 compliance by leveraging existing strengths while aligning with EU regulations. This involves assessing the regulatory impacts on various parts of the organization and stakeholders, conducting a comprehensive baseline assessment to identify key development areas, and implementing essential cybersecurity measures such as risk management and business continuity planning.

Summary

NIS2 aims to enhance cybersecurity across the EU by mandating that critical infrastructure and essential service operators implement security measures and report incidents. It expands the scope of cybersecurity regulations to more sectors, improving overall resilience. Compliance involves adopting robust cybersecurity measures, conducting thorough risk assessments, and timely incident reporting. Non-compliance can result in fines, warnings, and temporary managerial prohibitions, underscoring the directive's importance.

Contact us

Anu Laitila

Cyber Risk

Anu works in Deloitte's Risk Advisory unit and is responsible for the business continuity, cyber exercise and security culture services in Finland. She has experience in growing business and finding the right solutions for her clients. During her assignments, Anu has gained experience from both the public and private sectors and has specialized in critical infrastructure organizations, for example in the energy, defense, finance and manufacturing industries. Anu also spends some of her leisure time on cyber and preparedness topics. Briefly in English: Anu is part of the Deloitte Risk Advisory Cyber Risk team in Finland and is responsible for business continuity, cyber exercise, and security awareness and culture services. She is experienced in driving business growth and finding great solutions for her clients. During Anu's assignments, she has gained experience from both the public and private sectors and has specialized in critical infrastructure organizations in energy, defense, finance, and manufacturing. Anu also spends some of her leisure time on cyber and preparedness topics.

Kari Mikkola

Cyber & Strategic Risk

Kari is responsible for Deloitte's cybersecurity management and risk management services in Finland, and for their development. He has over 20 years of diverse experience in the risk-based development and management of cybersecurity in global companies. In his assignments, Kari has specialized in incorporating business and cyber regulatory requirements into clients' cyber development programs. Briefly in English: Kari leads cybersecurity and risk management related services at Deloitte in Finland. He has over 20 years of diverse experience in the risk-based development and management of cybersecurity in global companies. In his assignments, Kari specializes in incorporating business and cyber regulatory requirements into clients' cyber development programs.