Cyber Security

The most comprehensive cybersecurity directive in Europe.

The NIS2 Directive represents the most comprehensive EU cybersecurity directive to date. With strengthened requirements for risk management and incident reporting, broader coverage of sectors and entities, and significant penalties for non-compliance, hundreds of thousands of EU organizations will need to reassess their cybersecurity posture.

Everything You Need to Know About the NIS2 Directive

What is the NIS2 Directive?

NIS2 Directive

In response to growing cybersecurity threats, the European Union adopted the NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity) as the successor to the original NIS Directive (Directive (EU) 2016/1148). Proposed by the European Commission in December 2020, the directive entered into force on January 16, 2023.

The primary goal of the NIS2 Directive is to ensure a high level of protection for networks and information systems that are critical for the functioning of society and the economy. It aims to reduce the risk of cyber threats and improve resilience against cyber attacks across Europe.

The directive imposes stricter requirements and obligations on essential and important entities, and EU member states are required to identify these entities and compile a list of them.

The main purpose of the NIS2 Directive is to increase the resilience of European companies against cyber threats. This is achieved by enforcing compliance with security standards, mandatory reporting of significant cyber incidents, and strengthening cooperation among member states.

Differences Between NIS2 and the Original NIS Directive

The original NIS Directive provided only a framework for cybersecurity, which organizations used to develop their own security measures. Although it aimed to improve cybersecurity within the EU, its implementation was challenging, with varying levels of resources and execution across member states. As a result, cybersecurity resilience varied, with some countries progressing faster than others.

The NIS2 Directive addresses these shortcomings by introducing stricter cybersecurity requirements, significantly higher penalties for non-compliance, and expanding the number of sectors covered.

NIS2 Directive in Croatia

In line with its obligation to transpose Directive (EU) 2022/2555, Croatia adopted a new Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024). The Act is a significant step toward strengthening the protection of information systems within the national infrastructure.

The Act emphasizes that organizations must take into account the vulnerabilities specific to each supplier and service provider, as well as the overall quality of their products and their cybersecurity practices, including secure development procedures. They must also take into account the results of the coordinated risk assessments of critical ICT supply chains, systems, or products carried out by the Cooperation Group with the support of the European Commission and ENISA.

What Are the Requirements of the NIS2 Directive?

Key Cybersecurity Requirements in the EU

To ensure a high level of cybersecurity within the European Union, key requirements have been defined that covered entities must meet. These requirements include:
  • Risk Management
  • Corporate Responsibility
  • Reporting Obligations
  • Business Continuity
Meeting these requirements is essential to achieve the minimum level of cybersecurity mandated by the NIS2 Directive. Each requirement involves specific measures for compliance.

Risk Management

Organizations are required to conduct risk assessments and develop appropriate security policies and measures. The goal is to identify, evaluate, address, and ultimately reduce cyber risks. Measures that organizations should implement include incident management, strengthening supply chain security, improving network security, enhancing access controls, and data encryption.

Corporate Responsibility

Company management must maintain a high level of awareness regarding risks and protective measures. They are responsible for the security of information systems, ensuring proper monitoring, approval, and implementation of cybersecurity measures.

Reporting Obligations

One of the directive's goals is to improve cooperation among member states. Essential and important entities are therefore required to notify the competent CSIRT or authority of incidents that have a significant impact on the provision of their services or on service users. The directive specifies the content and schedule of these notifications: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification. Prompt reporting lets the authorities warn other entities about active threats and lets the affected organization take protective action while the incident is still unfolding; the short deadlines exist to speed up that response and limit the damage.

Business Continuity

Essential and important entities must have business continuity plans so that critical services and processes keep running during and after a cyber incident. These plans should define the crisis management team, backup and restoration procedures, and the steps for recovering systems after an incident.

Minimum Prescribed Security Measures

Cybersecurity Measures According to the NIS2 Directive

The NIS2 Directive prescribes cybersecurity measures aimed at reducing differences in resilience among organizations covered by this regulation. In accordance with Article 21 of Directive (EU) 2022/2555, organizations are required to implement operational, technical, and organizational measures, including:
  • Risk and Information Security Policies: Organizations must develop clear policies for risk management and information security assurance.
  • Cryptography and Encryption: Organizations must have policies and procedures governing the use of cryptography and, where appropriate, encryption; Article 21 treats this as a mandatory measure.
  • Post-Incident Planning and Business Continuity: Organizations must define the activities and measures to be taken after an incident, including backup management, disaster recovery, and crisis management procedures. In practice this means setting Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical system and planning how resources and their functions will be accessed during recovery. These activities present significant challenges for operational companies, such as those in electricity distribution or water supply, as many lack clearly defined incident management procedures.
  • Incident Management Processes: Organizations must establish procedures to effectively detect, respond to, and recover from security incidents.
  • Supply Chain Protection: In accordance with regulations, key suppliers must be identified, risks arising from their relationships analyzed, and their impact on operations understood.
  • Cyber Hygiene and Training: Organizations should develop procedures to maintain cyber hygiene and provide regular cybersecurity training for employees.
  • Securing Communication Channels and Authentication: Voice, video, and text communications (including emergency communications) must be protected against eavesdropping and interception, and access to systems must be protected with multi-factor authentication or continuous authentication solutions.
  • Human Resource Security: This includes access control policies and asset management.
  • Information Systems Security: Security measures should be applied during the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure procedures.
  • Evaluation of Risk Management Measures: Organizations should establish policies and procedures to assess the effectiveness of their cybersecurity risk management measures.
According to the Cybersecurity Act, organizations must take into account the vulnerabilities of their suppliers and service providers, as well as the overall quality of their products and their cybersecurity practices. They must also take into account the results of the coordinated risk assessments of critical ICT supply chains, systems, or products carried out by the Cooperation Group together with the European Commission and ENISA. In addition, the Cybersecurity Act prescribes specific obligations for the handling of domain name registration data, which define the responsibilities of registrars and registries of national top-level domains.

Who Does the NIS2 Directive Apply To?

Categories of Important and Essential Entities under the NIS2 Directive

The NIS2 Directive sets criteria for identifying essential and important entities that provide services critical to the functioning of society. The specific criteria for categorization are determined by the national legislation of EU member states. In this context, the Cybersecurity Act defines essential and important entities based on the size of the organization and the sector in which it operates.

Essential Entities

Generally, essential entities are large enterprises in the sectors listed below: organizations with 250 or more employees, or with annual turnover exceeding €50 million and a balance sheet total exceeding €43 million. These thresholds are not absolute. Some entity types (for example DNS service providers, top-level domain name registries, and qualified trust service providers) are essential regardless of size, and an organization whose service disruption could endanger public safety or public health may be classified as essential regardless of these thresholds. According to the NIS2 Directive, essential entities operate in the following sectors:
  • Energy: oil, natural gas, hydrogen, electricity supply, centralized heating and cooling.
  • Transport: air, rail, road, and maritime transport.
  • Banking: excluding central banks.
  • Financial market infrastructure.
  • Healthcare: including the manufacture of pharmaceuticals and vaccines.
  • Space.
  • Water supply: drinking and wastewater.
  • Digital infrastructure: DNS service providers, top-level domain registries, Internet exchange points, data center providers, cloud computing services, content delivery networks, and public electronic communications networks.
  • ICT service management.
  • Public administration: central and regional government authorities; local authorities if the member state so chooses.

Important Entities

Important entities are, as a rule, medium-sized enterprises in the sectors covered by the directive: organizations with 50 to 249 employees, or with annual turnover or balance sheet total above €10 million, that do not exceed the large-enterprise ceilings (250 employees, €50 million turnover, €43 million balance sheet). They operate in critical sectors but are not classified as essential; medium-sized entities in the essential sectors listed above are likewise treated as important rather than essential. This category also includes trust service providers and providers of public electronic communications networks or publicly available electronic communications services that are not classified as essential entities. Important entities operate in the following sectors:
  • Postal and courier services.
  • Waste management.
  • Chemicals: production and distribution.
  • Food industry: production, processing, and distribution.
  • Medical device manufacturing: may become critical in public health emergencies.
  • Manufacture of computers, electronic and optical products, electrical equipment, machinery, and transport vehicles.
  • Digital service providers: online marketplaces, search engines, and social media platforms.
  • Education: private and public institutions.
  • Research.
IMPORTANT: The size criteria are not exclusive. An entity may fall under the directive regardless of size if it meets special conditions specified in the Cybersecurity Act, for example if it is the sole provider in the country of a service that is essential for critical societal or economic activities.

Why the NIS2 Directive?

Environment Before the Introduction of NIS2

The digital transformation of business, accelerated by the Covid-19 pandemic, led to a dramatic increase in cyber threats. Systems that were previously offline became dependent on ICT, making them attractive targets for attackers both within and outside the European Union. Successful cyberattacks can cause system outages, resulting in significant damage to organizations and to society as a whole.

Limitations of the NIS Directive

Although the NIS Directive established a framework for implementing cybersecurity, changes in the threat landscape showed that it needed revision. The Commission's review of the directive found that member states had transposed and applied its provisions differently, so that some companies enjoyed strong protection against cyber threats while others remained vulnerable. It also found that organizations in some countries lacked the resilience to withstand attacks and could not maintain business continuity during and after incidents; such incidents often had severe consequences because adequate incident and crisis management processes were missing. The situation was made worse by an insufficient understanding of current threats and by poor information sharing among member states. All of this pointed to the need for the NIS2 Directive.

NIS2 as the Successor to the NIS Directive

NIS2 was introduced to address the shortcomings of the original NIS Directive and to achieve a higher and more uniform level of cybersecurity across EU member states. The directive aims to ensure that organizations are resilient to cyberattacks and can keep operating even when their processes and infrastructure are under attack. The number of essential and important entities covered by the regulation has grown several-fold compared with the original directive, and the requirements they must meet have been strengthened, further reinforcing the security network within the European Union.

What is the Compliance Deadline?

Deadlines for NIS2

The NIS2 Directive entered into force in January 2023. EU member states had until October 17, 2024, to transpose its provisions into national law and to set the criteria for categorizing entities. Once the categorization criteria are published, member states must compile a list of all entities covered by the directive and notify them in a timely manner; the directive requires that list to be established by April 17, 2025. Once notified of their categorization, essential and important entities must implement all requirements within a timeframe set by national legislation, which is typically around 12 months. That leaves limited time, so organizations should plan their organizational, technical, and financial activities now to be ready for the NIS2 Directive.

Deadlines for the Croatian Cybersecurity Act (ZKS)

The Croatian Parliament adopted the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity, integrating them into the Cybersecurity Act (ZKS, NN 14/2024). The Act was published on February 7, 2024, in the Official Gazette and came into force on February 15, 2024. Following the entry into force of the Act, supplementary regulations will be issued to define in detail the cybersecurity measures that entities must implement. These regulations and their deadlines include:
  • National Cyber Crisis Management Program: to be published three months after the ZKS, defining procedures for managing large-scale incidents.
  • Government Implementation Regulation on Entity Categorization: includes maintaining a list of essential and important entities and a special registry, to be published nine months after the ZKS comes into force.
  • Cybersecurity Exercise Implementation Plan: to be adopted 12 months after the ZKS.
  • Medium-Term Strategic Planning Act: to be adopted two years after the ZKS.
For companies, the most critical is the Government Implementation Regulation on entity categorization. After its publication, competent authorities will notify covered entities of their categorization by February 15, 2025. Categorized entities must implement the measures defined in the ZKS within one year of notification. According to Article 37 of the Cybersecurity Act, the obligation to report security incidents to the competent CSIRT (Computer Security Incident Response Team) begins 30 days after an essential or important entity is notified that it has been placed on the list. Entities should therefore already be planning how to comply with the Act and its secondary regulations: the compliance clock is running, and every day without action increases the risk for entities that have not yet started preparing. Prompt action is essential to avoid sanctions and to ensure business continuity.

What Penalties Does the NIS2 Directive Prescribe?

Penalties under the NIS2 Directive

Under the NIS2 Directive (Directive (EU) 2022/2555), violators face severe penalties proportional to the severity of the infringement. The Croatian Cybersecurity Act adopts these penalties from the NIS2 Directive, which can be divided into several categories:

Corrective Measures

In each EU member state, the competent authority for the sector in which the entity operates may impose non-monetary measures, including:
  • Warnings regarding infringements of the law.
  • Binding instructions or orders requiring the remediation of identified deficiencies or infringements.
  • Orders to conduct a security audit of the implemented cybersecurity measures.
  • Orders to inform affected service users or to make public aspects of the infringement.
The Croatian Cybersecurity Act adds two additional corrective measures:
  • Order from the competent authority to cease activities that violate the law.
  • Order to implement recommendations from a cybersecurity audit report or security analysis.

Financial Penalties

The directive also prescribes substantial financial penalties. EU member states have the autonomy to determine the exact amounts, provided they comply with the minimum thresholds defined by NIS2. Maximum penalties for essential entities must be at least €10 million or 2% of global annual turnover, whichever is higher. For important entities, the maximum penalty must be at least €7 million or 1.4% of global annual turnover, also depending on which value is greater.

Sanctions for Company Management

According to Article 20 of Directive (EU) 2022/2555, the management bodies of essential and important entities must approve the cybersecurity risk management measures, oversee their implementation, and regularly attend training so that they can identify risks and assess risk management practices. Members of the management body can be held personally liable for the entity's infringements of these obligations. For essential entities, the supervisory authority can also request that a natural person with managerial responsibility at chief executive or legal representative level be temporarily banned from exercising managerial functions. Liability under the directive attaches to failures to meet the risk management and reporting obligations, not to every incident that occurs, so it is critical to be able to demonstrate a high level of cybersecurity resilience across all sensitive areas. In case of non-compliance, management may also be required to inform affected parties or to publicly disclose aspects of the infringement, including the persons responsible for it.

Contact us with confidence!

Request a free quote!

We are shaping the future of the digital world with simple solutions for complex problems.
