New European NIS2 directive: stricter requirements for cyber security

Points of attention for companies

The NIS2 directive, which is implemented in the Netherlands through the Cyber Security Act, introduces a number of significant changes in the field of cybersecurity. For instance, the requirements for enforcement of the rules have been tightened, and sanctions apply across the EU. Furthermore, NIS2 expands its scope to include companies and organisations in new sectors. Companies and organisations subject to the directive must take adequate measures in areas such as cyber risk management, penetration testing, incident response, and recovery. Those who fail to comply with NIS2 risk financial penalties, which are partly based on the global turnover of the companies.

The NIS2 directive

The NIS2 Directive regulates companies and public authorities in the field of cyber and information security. The directive, also known as the NIS2 legislation, is transposed into national implementing measures (in the Netherlands, the Cyber Security Act), and that national legislation is binding: companies and organisations within its scope must comply with the requirements. NIS2 not only expands the cybersecurity requirements and the sanctions for non-compliance in order to harmonise and streamline the security level across member states, but also introduces stricter demands for various sectors. Companies and organisations will face additional obligations regarding cyber risk management, oversight and supervision, incident response, and business continuity. Furthermore, the directive broadens the number of organisations within its scope.

More organisations affected by NIS2

The NIS2 Directive distinguishes between ‘essential entities’ and ‘important entities’ (see table). The main difference between the two is that important entities face lower maximum financial penalties and are subject only to reactive (ex post) supervision by authorities. Proactive (ex ante) supervision is reserved for essential entities. This means that an important entity will not be subject to direct oversight by regulators and authorities unless there is cause for it, such as a cyber incident or reports from external bodies like auditors or other parties in the supply chain.

The scope of sectors has been expanded as the European Commission wants to cover all organisations that perform important functions in society. This means that NIS2 also applies to sectors such as food production, waste management and the entire supply chain. ‘The focus of the NIS2 directive is not so much on how cyber incidents can lead to a risk for your organisation or harm your business’, says PwC’s privacy expert Bram van Tiel, ‘but how such incidents can harm or hinder society and the functioning of other businesses. So the scope goes well beyond traditional critical infrastructure organisations. In the energy sector, for instance, the scope under NIS was always limited to companies that produce, supply or balance energy in the electricity and natural gas sectors. Under NIS2, we expect the supply chain, e.g. manufacturers of wind turbines and operators of electric vehicle charging stations, to also be covered by the requirements.’

Where do you stand in relation to NIS2?

The Readiness Assessment provides clarity. NIS2 requires you to determine whether the law applies to your organisation. With the Readiness Assessment, you do just that. And if the law does apply, you are obliged to increase the resilience of both people and systems. In doing so, you must also take into account the impact of risks on economic activity and society. We are happy to assist you with this.

NIS2 Training for Directors

The law requires both measures and insight. To make well-founded decisions on cybersecurity and effectively steer your organisation in this area, you as a director or supervisor need a solid foundational knowledge of cybersecurity and the relevant legislation. The NIS2 directive also mandates this. This training provides you with the necessary knowledge and skills.

Essential and important entities by sector

Sector | Scope | Entity type
Energy | supply, distribution, transmission and sale of electricity, gas, oil, heating/cooling and hydrogen; EV charging point operators | Essential
Transport | air, rail, road and water transport (including shipping companies and port facilities) | Essential
Banking and finance | credit institutions, trading venues and market infrastructure | Essential
Health | healthcare providers, research laboratories, pharmaceuticals, medical device manufacturing | Essential
Water | drinking water suppliers and wastewater operators | Essential
Digital infrastructure and IT services | DNS, name registries, trust services, data centres, cloud computing, electronic communication services, managed services and managed security services | Essential
Public administration | central government and regional entities (local entities optional) | Essential
Space | ground-based infrastructure operators | Essential
Postal and courier services | service providers | Important
Waste management | waste management operators | Important
Chemicals | production and distribution of chemical products | Important
Food | production and distribution | Important
Manufacturing | medical/diagnostic devices, computers, electronics, optics, machinery, motor vehicles, trailers, semi-trailers and other transport equipment | Important
Digital providers | online marketplaces, search engines, social platforms | Important
Research | research organisations | Important

NIS2 requirements on organisations

The NIS2 directive sets requirements for management, risk control, business continuity and reporting to authorities. Bram van Tiel points out the main areas of concern:

‘The authorities do not notify you if this directive applies to you; your organisation must assess itself based on criteria that include both industry elements and size considerations. If an organisation with a large market share in a particular sector is ‘important’, it may even be considered ‘essential’ because of its size.

Management in your organisation should be familiar with the directive's requirements and risk management efforts. They are given direct responsibility for ensuring that cyber risks are identified and addressed and that requirements are met.

The increased risk management and resilience requirements mean that your organisation must manage risks and implement both damage prevention and mitigation measures that reduce risks and impacts. Adequate measures are expected, for example, around incident management, cyber security in supply chains and with suppliers, network security, access control, critical infrastructure protection and encryption.

Your organisation should consider how to ensure business continuity if you are hit by a major cyber incident. This includes, for example, system recovery, emergency procedures and setting up a crisis organisation.

Finally, organisations must have processes in place to ensure proper reporting to authorities. Among other things, there is a hard requirement that major incidents are reported within 24 hours.’

Financial penalties

NIS2 extends the sanctions regime to include GDPR-style fines based on global turnover. The maximum fine depends on whether an organisation is an essential entity or an important entity. For essential entities, the maximum fine is at least ten million euros or two per cent of global annual turnover, whichever is higher. For important entities, it is at least seven million euros or 1.4 per cent of global annual turnover, whichever is higher.

Furthermore, members of management bodies can be held personally liable, and depending on national implementing law potentially criminally liable, if they fail to comply with their obligations under the directive; supervisory authorities may also temporarily bar individuals from exercising management functions at an essential entity. Essential entities can expect ongoing supervision, including audits, reporting requirements and peer reviews. Important entities can expect supervision, mandatory audits and reporting obligations where there are indications that the rules are not being complied with.

Key steps to prepare for the NIS2 directive

From our experience working with organisations across the EU, we recommend the following steps:

  • assess whether you will be covered by the NIS2 directive;

  • identify gaps in relation to the directive's requirements;

  • identify the measures needed to meet the obligations placed on management;

  • design a strong cyber security framework that includes organisational and technical measures;

  • implement both organisational and technical measures in your organisation;

  • design and implement monitoring mechanisms to continuously validate the effectiveness of the measures.

Contact us

Need help or advice on implementing the NIS2 directive?


Bram van Tiel


Partner Cybersecurity, resilience & privacy, PwC Netherlands

Tel: +31 (0)62 243 29 62
