In an increasingly digitized world, cybersecurity has become a priority for organizations. The NIS2 Directive (Network and Information Systems Security Directive) is a European Union initiative that seeks to strengthen cybersecurity across the region, replacing the previous NIS Directive. To better understand the different levels of cybersecurity and how your organization can meet these requirements, we invite you to read our article on Cybersecurity Levels.
What is the NIS2 Directive?
NIS2 is an update of the NIS Directive, which came into force in 2016. Its main objective is to ensure a high level of cybersecurity in the EU, adapting to the new technological risks and threats that have emerged in the last decade. With the NIS2, the EU aims to improve cooperation between member states, increase the cybersecurity of key infrastructures and establish stricter obligations for companies to protect their information systems.
Why is it important to comply with NIS2?
Complying with the NIS2 Directive is critical to ensuring a high level of cybersecurity in EU organizations. Here are the key reasons:
- Critical Infrastructure Protection: NIS2 seeks to secure vital sectors such as energy, healthcare, and transportation by improving their defense against cyber-attacks.
- Expanding Regulation: It covers new sectors, such as medical manufacturing and public administration, meaning more organizations must comply with its requirements.
- Incident Prevention and Management: It establishes obligations to effectively prevent and respond to cybersecurity incidents, strengthening companies' ability to react.
- Avoiding Penalties: Organizations that fail to comply with NIS2 can face significant fines, up to €10 million or 2% of their global turnover.
- New Responsibilities: Companies, regardless of size, must assume expanded responsibilities for cybersecurity management.
Complying with NIS2 not only protects organizations but also contributes to a safer digital environment across the EU.
Benefits of NIS2
The NIS2 Directive offers important advantages for organizations in the European Union:
- Strengthening Cybersecurity: It establishes a common level of protection for critical infrastructures against cyber-attacks.
- Improved Cooperation: It encourages collaboration between Member States and the European Commission to exchange threat information.
- Expanded Scope: It includes previously unregulated sectors, such as medical manufacturing and food supply.
- Clarity on Responsibilities: It defines obligations and responsibilities for essential service providers, improving governance.
- Avoiding Penalties: Compliance helps avoid the severe fines imposed for non-compliance, protecting the financial stability of companies.
- Security Culture: It promotes a proactive cybersecurity mindset within organizations.
Objectives of the NIS2 Directive
The main objectives pursued with the implementation of the NIS2 Directive are as follows:
- Expanded Scope of Protection: A variety of additional sectors are included, such as healthcare, finance, water supply, and public administration. Unlike the previous regulation, which focused primarily on cybersecurity in the energy and transportation sectors, NIS2 seeks more comprehensive protection.
- Stricter Requirements: The directive sets more stringent standards for risk management, security incident notification, and communication and cooperation between member states.
- Clearer Definition of Responsibilities: The responsibilities of essential service providers and national competent authorities are clarified, ensuring better cybersecurity governance.
- Fostering European Cooperation: NIS2 promotes collaboration between the 27 EU member states and the European Commission for the exchange of information on threats and vulnerabilities.
- Coordinated Action on Incidents: Emphasis is placed on the need for joint action and coordinated responses, especially in the case of large-scale cyber incidents.
- Creation of Risk Indicators: A Danger Indicator is established that classifies the seriousness of a potential threat as critical, very high, high, medium, or low.
- Impact Indicator: An Impact Indicator will also be introduced to enable the consequences of a cyber-attack to be foreseen in advance.
Who is affected by NIS2?
The NIS2 Directive affects a wide variety of entities, both public and private, especially those operating in critical sectors of the economy. NIS2 classifies these entities into two categories:
Essential Entities: they include companies that manage highly critical infrastructures, such as energy, transportation, and healthcare. They also include qualified trust service providers, top-level domain name registries (DNS), and public communications network providers. These entities are required to comply with strict cybersecurity requirements, regardless of their size.
Major Entities: These are entities in high-criticality sectors or other critical sectors that are not classified as essential. This includes industries such as finance, telecommunications and digital services, which must protect sensitive data and ensure the continuity of their operations.
All of these industries must comply with the standards set by the NIS2, which includes a commitment to cybersecurity and critical infrastructure protection. The regulations apply not only to large corporations, but also to small and medium-sized companies that are part of the value chain in these sectors.
Requirements to comply with the NIS2 Directive
To comply with the NIS2 Directive, companies must follow a number of specific requirements to ensure the security of their information systems and networks. These requirements include:
1. Risk assessment: Conduct periodic cyber risk assessments to identify vulnerabilities and potential threats.
2. Security measures: Implement advanced security measures, such as firewalls, data encryption and multifactor authentication.
3. Training and awareness: Provide ongoing cybersecurity training to all employees so that they are aware of best practices and can recognize potential threats.
4. Response plans: Develop and maintain cyber incident response plans, including procedures for notifying authorities and affected users.
5. Security audits: Conduct periodic security audits to ensure that implemented measures are effective against current threats.
Recommendations for complying with the NIS2 Directive
Complying with the NIS2 Directive may seem challenging, but with the right approach, companies can effectively integrate these cybersecurity requirements into their operations. Here are some key recommendations to ensure your organization is aligned with the regulations:
1. Conduct regular cybersecurity audits:
- Engage an audit provider: find an outside firm to perform cybersecurity audits on a regular basis.
- Assess vulnerabilities: use automated tools to perform vulnerability scans on your systems and networks.
- Document results and corrective actions: generate a detailed report of the audits and establish an action plan to correct the vulnerabilities found.
2. Strengthen the resilience of digital systems:
- Implement intrusion detection systems (IDS): install software solutions that monitor and alert on suspicious activity on the network.
- Adopt advanced anti-malware solutions: use protection software that detects and neutralizes viruses and other malicious programs in real time.
- Establish incident response procedures: develop and test a detailed action plan for handling cyber incidents, such as security breaches or DDoS attacks.
- Create regular backups: set up automatic backups of all critical data and perform regular tests to ensure their effectiveness.
3. Foster a culture of cybersecurity at all levels:
- Conduct monthly or quarterly trainings: organize cybersecurity training sessions for all employees, covering topics such as phishing, secure passwords and handling sensitive data.
- Create awareness campaigns: launch internal campaigns (e.g., emails or posters) that inform about cybersecurity best practices.
- Conduct attack simulations: organize simulations of cyber-attacks (such as phishing attacks) to test employee preparedness.
4. Collaborate with trusted technology service providers:
- Verify the security of your vendors: Require technology service providers (such as cloud or software providers) to provide evidence of their compliance with NIS2 standards.
- Establish service level agreements (SLAs): Include clauses in vendor contracts that ensure the protection of data and systems, as well as response to security incidents.
- Audit the security of external suppliers: Conduct periodic audits of external suppliers to ensure that they continue to comply with cybersecurity requirements.
Main Changes Introduced by NIS2
1. Expansion of the scope of application: NIS2 expands the number of sectors and entities that must comply with the directive. In addition to providers of essential services, such as energy, transportation, healthcare and water, the new regulation also includes providers of digital services (such as online platforms, search engines and cloud computing services).
2. Strengthened security obligations: companies must implement more rigorous security measures. This includes the obligation to conduct risk assessments, protect networks and information systems, and establish cyber incident response plans. It also states that organizations must maintain an adequate level of cybersecurity training and awareness for their employees.
3. Notification of cybersecurity incidents: in the event of a security incident, companies must notify the national authorities within 24 hours in the case of serious incidents. This will enable a faster and more coordinated response at the European level.
4. Stiffer penalties: NIS2 strengthens penalties in the event of non-compliance. Fines can be significant, underlining the importance of adopting robust cybersecurity measures. In addition, national authorities will have greater powers to monitor and audit companies' security measures.
For more details on cybersecurity at the European level, see ENISA.
Penalties for Non-Compliance with NIS2 Directive
The NIS2 Directive imposes more severe penalties for organizations that fail to comply with the new cybersecurity regulations. These penalties can include significant fines that, in certain cases, could amount to up to 2% of the company's global turnover. In addition, senior management of organizations may face personal liability if the necessary measures are not put in place to adequately manage and mitigate cybersecurity-related risks.
Implementing these practices will not only enable you to comply with NIS2 requirements, but will also strengthen the protection of your technology infrastructure against future cyber threats. In an interconnected digital environment, prevention and technological adaptation are key to ensuring the integrity and continuity of your business.
If your company needs to comply with the NIS2 Directive and strengthen its cybersecurity, our team of experts is here to help.