NIS2 – A New Kid on the Block or a Close Relative to ISO 27001?
18 November, 2024
Kari Mäkelä
kari.j.makela@plentics.com
The NIS Directive 2 (NIS2) is an updated EU directive aimed at enhancing cybersecurity across the European Union. But what are the additional requirements for a company that has already obtained the ISO 27001:2022 certificate?
As the number of cyber-attacks increases and digitization expands, the original directive (NIS) has been updated to NIS2. NIS2 raises the minimum requirements for IT security and covers a wider range of sectors, companies, and public entities.
The European Parliament approved the new version of the Network and Information Security Directive (NIS2) in November 2022. The deadline for EU member states to transpose NIS2 into national law was October 17, 2024.
However, most EU member states have not been able to complete the implementation on time. In November 2024, only six member states had informed the Commission that the implementation was complete. This means that until the national laws implementing the directive are adopted, the obligations of the NIS2 Directive do not apply. Nevertheless, it is only a matter of time before the laws related to NIS2 are adopted in the EU member states, and in Finland, for example, this is expected to happen during the first quarter of 2025.
With this regulation, the parliament aims to increase awareness and sharpen obligations as well as strengthen the minimum requirements for risk management, reporting obligations, and information exchange. The requirements cover, among other things, response planning and business continuity preparation, supply chain security, incident management methods, encryption, and vulnerability disclosure.
NIS2 replaces the original NIS Directive from 2016 and introduces several key changes such as:
- Expanded Scope: NIS2 covers more sectors, including energy, transport, banking, health, digital infrastructure, and public administration, so more organizations are required to comply with the directive. Essential entities are organizations that are critical to the economy and society and whose disruption could have significant impacts. They are required to comply with stricter cybersecurity measures and are subject to proactive supervision by authorities. Important entities are organizations that are critical but not as vital as essential entities. They still need to adhere to high cybersecurity standards but face slightly less stringent regulation than essential entities.
- Enhanced Security Requirements: Organizations must implement comprehensive cybersecurity measures, including incident detection, vulnerability disclosure, and data encryption.
- Reporting Obligations: Significant cybersecurity incidents must be reported within 24 hours, followed by a detailed report within 72 hours, and a final report within a month.
- Increased Accountability: Management bodies have a crucial and active role since they must approve and oversee cybersecurity measures, and they may face personal liability if the requirements are not met. Authorities can impose administrative fines of up to 10 million EUR or 2% of the total global annual turnover of the company.
Companies with more than 250 employees automatically fall under the scope of NIS2, regardless of their revenue. Companies with more than 50 employees and an annual turnover or balance sheet total of more than 10 million euros are also subject to NIS2, but with certain exceptions. If the authorities assess that a small company provides a critical function or service, such as providers of public electronic communication networks or trust service providers, this company must also comply with NIS2 requirements. We believe that over time, at least the companies that belong to critical business sectors such as banks, health, energy, transport, etc. (Essential Entities), will require back-to-back NIS2 compliance from all their vendors, such as Plentics.
If a company already has an ISO 27001:2022 certificate, as Plentics does, it is well on its way to NIS2 compliance. ISO 27001 provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Since Plentics uses its own ISO 27001-certified Plentics solution internally, its compliance position is even stronger. While ISO 27001 certification does not automatically ensure NIS2 compliance, it covers the cybersecurity requirements set by NIS2, such as risk management and security controls. Thus, we assume that Plentics is already NIS2 compliant. This would, of course, be super good news for us! Stay tuned!