NIS2 Compliance: The Requirements, Penalties, Deadline + Instructions You Need To Know Before October 2024

November 17, 2023

By Robin Tatam

The compliance landscape for organizations in the European Union (EU) is heating up again – this time with the second landmark Network and Information Security (NIS2) Directive, set to take effect on October 17, 2024. But what does NIS2 compliance entail? What's the difference between the original NIS1 and NIS2? Who needs to comply with NIS2, and what are the penalties for not complying with the new directive?

In this blog, we’ll answer your burning questions, set the record straight, and lay out your options for getting ahead of NIS2 compliance.

Table of Contents
1 - What is the NIS2 Directive?
2 - NIS1 vs. NIS2: What’s New in NIS2
3 - Who Needs to Comply with NIS2 Requirements?
4 - What NIS2 Means for Your IT
5 - How to Get Ready for the NIS2 Deadline
6 - How Puppet Automation Can Work for NIS2 Compliance

What is the NIS2 Directive?

The NIS2 Directive is an updated directive focused on creating robust cybersecurity in the European Union (EU). The purpose of NIS2 is to help EU organizations defend against cyberattacks by instituting stronger security standards in their infrastructure. The NIS2 Directive deadline is October 17, 2024.

NIS2 Deadline

The NIS2 Directive deadline is October 17, 2024.
By that date, the requirements of NIS2 must be implemented into law by each EU member state.

NIS2 Penalties

Penalties for not complying with the NIS2 Directive can carry administrative fines of up to 10 million euros (or 2% of the company’s annual revenue, whichever is higher). Failure to prove NIS2 compliance can also result in sanctions and audits.

An incident under NIS2 could also be considered a breach under GDPR, in which case NIS2 will not impose a monetary fine for that same incident. However, NIS2 may impose other non-financial penalties for the same incident.

Why is NIS2 Important?

NIS2 is focused on three main goals: increasing cyber resilience, streamlining cyber resilience, and improving the EU’s preparedness to deal with cyberattacks. It includes cybersecurity expectations for EU member states and consequences for failing to meet those expectations.

NIS1 vs. NIS2: What’s New in NIS2

NIS2 (2024) is the second version of the NIS Directive (introduced in 2016). The difference is that NIS2 expands into more industry sectors, adds guidelines for implementing the directive, defines penalties for noncompliance, and adds more specific language around cybersecurity expectations.

The first Network and Information Systems Directive (NIS) was introduced in 2016 as the first EU legislation on cybersecurity. NIS1, as it’s sometimes called in light of its successor, left more room for interpretation and defined no financial penalties for noncompliance. Without a prescriptive baseline or penalties, implementation of NIS1 was inconsistent across EU member states.

NIS2 closes some of those gaps and standardizes requirements and definitions across member states. Here are some of the differences between NIS1 and NIS2 that highlight what makes NIS2 worth paying attention to:

More Organizations Covered

Many of the changes in NIS2 are intended to expand its reach beyond its direct scope by requiring mitigation of cyber risks within the IT supply chain.
Specifically, NIS2 expands the scope of the original NIS to include additional industries and digital service providers. That means organizations in the EU that weren’t subject to the NIS Directive are now subject to NIS2 requirements.

New Penalties

On top of a widened scope, NIS2 adds financial penalties that were not in the language of NIS1: NIS2-noncompliant entities can be fined up to 10 million euros or 2% of the company’s annual revenue, whichever is higher.

Liabilities for Management

NIS2 also includes more comprehensive and explicit cybersecurity requirements than NIS1. It specifically introduces new governance and accountability obligations for management. Under NIS2, management bodies at entities subject to NIS2 can now be held liable if the entity fails to comply.

Individuals at the C-level can be held personally liable if they are found guilty of gross negligence after an incident. Member states can require organizations to publicly identify the individuals responsible and, in cases of repeated violations, even ban individuals from management positions.

New Definitions

NIS1’s distinction between "operators of essential services" (OES) and "digital service providers" (DSP) disappears in NIS2. It is replaced by a distinction between "essential" and "important" entities.

Who Needs to Comply with NIS2 Requirements?

Entities subject to NIS2 compliance expectations include businesses in critical sectors such as energy, healthcare, transport, banking and finance, postal services, manufacturing, digital infrastructure, and more.

NIS2 Essential + Important Organizations

The NIS2 Directive classifies organizations as either “essential” or “important” entities based on their size and the criticality of the industry they operate in or the services they provide.

The exact classification of an individual organization will depend on the role it plays in society and the economy, and on how much other sectors depend on it.
In general, NIS2 defines essential and important organizations along these lines:

- Essential organizations have more than 250 employees and an annual turnover of at least 50 million euros (or a balance sheet total of at least 43 million euros). Essential organizations will be proactively monitored to determine adherence to NIS2 legislation.
- Important organizations have between 50 and 250 employees and an annual turnover not exceeding 50 million euros (or a balance sheet total not exceeding 43 million euros). Important organizations will be subject to supervision after the fact if there are indications that an incident has occurred. Consequences may be applied if it is determined that the organization was non-compliant.

Here’s a list of NIS2 essential and important entities, as well as their coverage under NIS1 and NIS2:

NIS2 Essential Entities

Entity                                                               Covered in NIS1?   Covered in NIS2?
Energy                                                               Some               Yes
  District heating and cooling                                       No                 Yes
  Oil and gas                                                        Yes                Yes
  Hydrogen                                                           No                 Yes
Transport (air, rail, water, road)                                   Yes                Yes
Banking                                                              Yes                Yes
Financial market infrastructures                                     Yes                Yes
Health                                                               Some               Yes
  Healthcare providers                                               Yes                Yes
  EU reference laboratories                                          No                 Yes
  Drug research and development                                      No                 Yes
  Basic pharmaceutical products and preparations                     No                 Yes
  Emergency medical devices                                          No                 Yes
Drinking water                                                       Yes                Yes
Wastewater                                                           No                 Yes
Digital infrastructure                                               Yes                Yes
Information and Communication Technology services (ICT) management   No                 Yes
Public administration                                                No                 Yes
Space travel                                                         No                 Yes

NIS2 Important Entities

Entity                                                               Covered in NIS1?   Covered in NIS2?
Postal and courier services                                          No                 Yes
Waste management                                                     No                 Yes
Chemical manufacturing, production, distribution                     No                 Yes
Food production, processing, distribution                            No                 Yes
Medical device manufacturing                                         No                 Yes
Computer, electronic, optical product manufacturing                  No                 Yes
Electrical equipment manufacturing                                   No                 Yes
Machinery and equipment manufacturing                                No                 Yes
Motor vehicle, trailer, semi manufacturing                           No                 Yes
Transportation equipment manufacturing                               No                 Yes
Digital providers                                                    Some               Yes
  Online marketplaces                                                Yes                Yes
  Search engines                                                     Yes                Yes
  Social networking platforms                                        No                 Yes
Research institutions                                                No                 Yes

List credit: Stibbe, “The revised Network and Information Security Directive: enhancing EU cybersecurity standards”

Critical + Very Critical Sectors in NIS2

NIS2 defines sectors like healthcare, government, and digital infrastructure as “very critical,” while sectors like manufacturing, chemicals, and research are considered “critical.”

In addition to being essential or important, an organization subject to NIS2 will be classified by the criticality of the sector in which it operates. Typically, only large organizations (>250 employees, >€50 million turnover) in very critical sectors are considered essential. But the distinction is not based on size, industry, or sector alone; it is a combination of them.
For example, under NIS2, you could be a medium-sized organization in a very critical sector and be considered important rather than essential.

Take a look at the list below for an overview of sectors considered very critical or critical under NIS2:

NIS2 Sectors by Criticality

Sector                                                                                NIS2 Criticality
Energy                                                                                Very critical
Transport                                                                             Very critical
Banking                                                                               Very critical
Financial market infrastructure                                                       Very critical
Healthcare                                                                            Very critical
Drinking water                                                                        Very critical
Wastewater                                                                            Very critical
Digital infrastructure                                                                Very critical
ICT services management                                                               Very critical
Government                                                                            Very critical
Space travel                                                                          Very critical
Postal and courier services                                                           Critical
Waste management                                                                      Critical
Chemical manufacturing, production, distribution                                      Critical
Food production, processing, distribution                                             Critical
Manufacturing (machinery, equipment, transportation, etc.)                            Critical
Digital providers (online marketplaces, search engines, social networking platforms, etc.)   Critical
Research institutions                                                                 Critical

List credit: Eversheds Sutherland, “Unlocking cybersecurity: Everything you need to know about the NIS2 directive”

Where your organization falls in that classification matrix – essential, important, critical, very critical – will influence how and when enforcement of NIS2 requirements occurs, which regulatory bodies enforce NIS2 compliance, and what penalties you could face for NIS2 compliance failure.

What NIS2 Means for Your IT

Like any new compliance expectation, the NIS2 Directive will require effort to achieve and maintain. For organizations subject to NIS2 – particularly organizations with large or complex IT estates – it will mean more work than for others.

More Resources Spent On Compliance

Organizations without a CISO will need to consider hiring one, which puts further tension on an already-strained labor market.
You should also expect to spend time researching tools that can help you manage compliance in an increasingly complex compliance landscape.

Multi-Stage Reporting on Security + Compliance

The detailed provisions of NIS2 outline the procedure and timeline for reporting security incidents, using a phased approach to ensure prompt reporting to the relevant authorities.

- Early warning (24 hours): Within 24 hours of becoming aware of a significant incident, a filing must be made to the competent supervisory authority, which will respond within 24 hours with guidance on possible mitigation measures if requested.
- Incident notification (72 hours): Within 72 hours of becoming aware of a significant incident, an update must be provided with an initial assessment of severity and impact as well as indicators of compromise.
- Final report (one month): Within one month of the incident notification, a final report must be submitted that includes a detailed description of the incident, its severity and impact, threat details or root cause, mitigation efforts, and cross-border impact.

How to Get Ready for the NIS2 Deadline

On October 17, 2024, your organization will likely be subject to new rules for preventing and reporting security incidents. Luckily, there’s a lot you can do now to smooth out the process down the line.

Assess Your Current Compliance State

In anticipation of NIS2 coming into force, an organization must first determine whether it performs business activities that will be affected. IT teams will need to work with security and audit to assess the current state of their security controls and mitigate risk in alignment with the new regulation.
This can have implications that reach beyond the immediate entity due to the explicit requirement in NIS2 to address supply chain risk.

Establish IT Risk Management + Response Policies

Organizations in EU member states must establish policies that comply with NIS2, enforce them continuously, and report on incidents quickly. Here are some of the best practices and tools that make NIS2 compliance simpler across hybrid infrastructure:

- Risk analysis
- Policies regarding basic security hygiene (see below)
- Access controls like zero trust, role-based access control (RBAC), and multi-factor authentication (MFA)
- Cryptography and encryption
- Policies for assessing the effectiveness of risk management efforts
- Cybersecurity education and training (under NIS2, management bodies of both essential and important entities are required to undergo cybersecurity training)
- Incident response planning/crisis management

Refresh Your Basic IT Security Hygiene

While it sounds basic, entities are expected to demonstrate good security hygiene to comply with any compliance regulation, including NIS2. Practices like establishing a cybersecurity education program, implementing backup management and disaster recovery, and testing backups can supplement established policies that assess the effectiveness of risk management procedures.

How Puppet Automation Can Work for NIS2 Compliance

Puppet can automate and enforce zero trust security, RBAC, MFA, compliance scanning, and configuration drift remediation across hybrid infrastructure to ensure compliance with NIS2 and other compliance expectations.

An important stage of incident mitigation and containment is scanning your infrastructure to seek out the configuration misstep.
Doing this under pressure and at scale is virtually impossible without automation.

Define + Enforce Continuous Compliance, Including Popular Frameworks

Puppet can scan the infrastructure and document the current compliance state, down to each individual server. When a misconfiguration is discovered anywhere in your Puppet-managed servers, Puppet automatically remediates it to quickly bring your servers back into a compliant state.

That lets you define your own IT compliance baseline, including by coding configurations that comply with popular security frameworks like CIS Benchmarks and DISA STIGs. When you express security standards like zero trust, RBAC, and MFA in code, Puppet routinely scans your hybrid systems and enforces the configurations from your primary server to make sure they all conform. Whether you’re managing hundreds of servers or hundreds of thousands, Puppet’s agent-based automation keeps them all aligned with your established policies.

Get Instant Visibility + Comprehensive Compliance Reporting

[Image: Puppet's real-time compliance reporting in action.]

Additionally – and this is crucial for meeting any compliance standard or regulation – Puppet generates logs and reports of your IT compliance. When you use Puppet for compliance, you get a single pane of glass to monitor your compliance state at any time. All the documentation you need for an audit – the paper trails your team used to spend hours and days chasing down – is suddenly right at your fingertips, continuously updated and ready for auditors’ eyes.

The best way to get ready for NIS2 is to beef up your overall IT security and compliance. Request a demo of Puppet for compliance or get in touch with our team to start building the perfect Puppet plan for your peace of mind.
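As an added illustration of the configuration-as-code approach described above (example code written for this page, not from the original post or from Puppet's own modules), here is a Puppet class that encodes a few of the basic hygiene and access-control settings as desired state. It assumes the puppetlabs-stdlib module for file_line and a service named sshd (it is ssh on Debian-family systems); the class name and the choice of controls are illustrative.

```puppet
# Added example (not from the original post or Puppet's own modules).
# A Puppet class that encodes a few NIS2 "basic hygiene" controls as
# desired state. Assumes the puppetlabs-stdlib module (for file_line)
# and a service named 'sshd' (it is 'ssh' on Debian/Ubuntu).
class nis2_hygiene (
  String  $sshd_service  = 'sshd',
  Boolean $manage_auditd = true,
) {
  # Access control: key-based SSH only and no direct root login, so every
  # session maps to a named account that RBAC and MFA policies can govern.
  file_line { 'sshd PasswordAuthentication':
    path   => '/etc/ssh/sshd_config',
    line   => 'PasswordAuthentication no',
    match  => '^#?PasswordAuthentication\s',
    notify => Service[$sshd_service],
  }
  file_line { 'sshd PermitRootLogin':
    path   => '/etc/ssh/sshd_config',
    line   => 'PermitRootLogin no',
    match  => '^#?PermitRootLogin\s',
    notify => Service[$sshd_service],
  }
  # Drift remediation: if someone loosens these permissions by hand, the
  # next agent run restores them and records the change in the run report.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }
  service { $sshd_service:
    ensure => running,
    enable => true,
  }

  # Incident evidence: keep the audit daemon installed and running so the
  # 24-hour, 72-hour and one-month reports can draw on host audit logs.
  if $manage_auditd {
    package { 'auditd':
      ensure => installed,
    }
    service { 'auditd':
      ensure  => running,
      enable  => true,
      require => Package['auditd'],
    }
  }
}
```

Running `puppet agent -t --noop` on a node reports every resource that drifts from this class without changing anything (the scan-and-document step); a normal agent run applies the corrections and the run report becomes the audit trail.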
Robin Tatam
Senior Director of Product Marketing, Puppet by Perforce

Robin Tatam (CISM CPFA CTSP CTMA PCI-P) is a Product Marketer at Puppet by Perforce, where he promotes the benefits of managing compliance using Puppet. Prior to his role with Puppet, Robin worked as a Security Evangelist, and was a globally recognized SME and five-time IBM Champion. Robin also loves travel and cultural exploration, is an accomplished photographer, and considers himself an amateur mixologist.