NIS2: Strengthening Cyber Defences Through Regulation

Image related to NIS2: Strengthening Cyber Defences Through Regulation

As Cybersecurity Awareness Month kicks off, a major new EU regulation is in the spotlight: the Network and Information Security Directive (NIS2). Building on the foundation laid in mid-2018 by its predecessor, NIS1 (the EU’s first cybersecurity law), this new regulation comes into force on 17 October 2024.

In the first of a four-part series on NIS2, Technical Director Ngaire Guzzetti and Senior Managing Consultant Sasha Henry examine the key goals of the new regulation, and what it means for organisations operating in the EU. 

Although NIS1 marked the first push for the EU to strengthen cyber resilience for essential services, it became clear that the evolving threat environment required more robust measures.

Where NIS1 mainly focused on critical sectors such as transport, energy and healthcare, NIS2 covers a broader range of industries such as manufacturing, digital services and food production. 

NIS2 also includes stricter incident reporting timelines, heavier penalties and greater accountability for senior management.  

Wider focus, deeper reach

More specifically, NIS2 introduces several obligations for organisations operating in EU member states. These organisations are classified into two main types of groups: ‘Essential Entities' and ‘Important Entities’.  

‘Essential Entities’ are considered critical elements to societal and economic functions, while ‘Important Entities’ are those that play a vital role in society’s overall functioning.

The range of sectors included in the new scope must comply with enhanced regulatory requirements, reflecting the complexity and interdependence of the things that drive our day-to-day lives.  

Corporate leadership liability 

The regulation takes a risk-based approach to cybersecurity, with organisations obliged to implement measures for incident handling, supply chain security, network defences and encryption.  

Corporate management must oversee and approve these security measures and ensure compliance through training and accountability. Leadership could be liable in case a breach occurs due to a failure to comply with NIS2; potential penalties include financial fines or even temporary bans from management roles.

Executives will need to be at the forefront of incident mitigation and incident response by ensuring the development, monitoring, and continuous improvement of cybersecurity strategies. These obligations reinforce the fundamental principle that cybersecurity is not just a technical issue but a boardroom priority.  

Tighter incident reporting requirements 

NIS2 mandates strict reporting obligations for significant cyber incidents, with organisations required to provide an ‘early warning’ within 24 hours of detection.  

Business continuity is another key focus, requiring robust plans for system recovery and crisis response in the event of a cyberattack. Baseline security measures — such as risk assessments, data encryption, incident reporting and multi-factor authentication — are also mandatory, reinforcing the EU's commitment to enhanced cybersecurity and greater awareness across sectors.

Non-compliance can result in severe penalties, including fines of up to EUR10mn or 2% of revenue for organisations considered an ‘Essential Entity’.  

Helping clients be compliant 

At CyXcel, we are supporting our clients to achieve NIS2 compliance through highest cybersecurity standards, safeguarding them from potential fines, reputational damage and personal liability. 

Cyber resilience 

Our expertise extends to developing and implementing robust cybersecurity strategies, digital transformation programmes and risk management practices. We have successfully assisted numerous clients in establishing comprehensive incident management and preparedness procedures, setting up their reporting obligations, and formulating effective response plans.  

Our meticulous business continuity, disaster recovery and crisis management planning ensure our clients can deliver their services even during cyber incidents.  

Leadership inclusion and accountability 

Recognising the importance of strong governance, we emphasise the onboarding of essential personnel and their inclusion in mandatory documentation, such as Directors and Officers (D&O) Liability insurance policies.  

Failure to reference accountable individuals in these documents can lead to serious consequences for the individuals and the organisation. It is also important to note that Chief Information Security Officers (CISOs) are not typically included under D&O, presenting a challenge, particularly with regulations like NIS2.  

Know your supply chain 

Our experts are global leaders in ensuring the security of corporate supply chains, including direct vendors and third parties. By mapping, mitigating and monitoring supplier and supply chain risks we ensure enduring business resilience and regulatory compliance. Additionally, we support the implementation of asset management practices to identify and protect critical information systems. 

By integrating expertise in technology, law, geopolitics and security, we have a unique capability to navigate the complex regulatory landscape.  

NIS2 reflects the interconnected nature of national economies, people and global communication channels. This new regulation is not just about avoiding fines; it is about building trust and safeguarding our critical infrastructure from sophisticated cyber criminals and hostile nation-state actors.  

Preparing for NIS2 also provides organisations with a strategic business opportunity: to ensure operational resilience and turn cybersecurity into a market differentiator and competitive advantage. 

Photo credit: Guillaume Périgois on Unsplash

The forthcoming articles in this four-part series on NIS2 will take a closer look at the key implications of the new regulation, specifically: 

  • Supply Chain Resilience
  • Incident Reporting Requirements  & New Approach to Business Continuity 
  • Evolution of the Insurance Market