NIS2 stands for “Network and Information Security Directive” and is a continuation and expansion of the previous EU cybersecurity directive NIS1.
The aim of NIS2 is to strengthen the collective cybersecurity level of EU member states by increasing cybersecurity enforcement requirements for critical infrastructure sectors. Taking effect on 17th October 2024, the NIS2 Directive aims to establish a higher level of cyber security and resilience within organizations of the European Union. NIS2 largely follows the same principles as NIS but with several important additions, bringing more sectors into scope and providing guidelines to ensure uniform transposition into national law across EU member states.
The NIS2 directive expands coverage to the following water transport entities:
- Inland, sea and coastal passenger and freight water transport companies, as defined for maritime transport in Annex I to Regulation (EC) No 725/2004 of the European Parliament and of the Council, not including the individual vessels operated by those companies
- Managing bodies of ports as defined in Article 3, point (1), of Directive 2005/65/EC of the European Parliament and of the Council, including their port facilities as defined in Article 2, point (11), of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports
- Operators of vessel traffic services (VTS) as defined in Article 3, point (o), of Directive 2002/59/EC of the European Parliament and of the Council
NIS2 includes requirements for:
- Protecting network and information systems, including both IT and OT
- Cyber incident reporting, with an initial report typically to be filed within 24 hours
- Risk management governance
- Safeguarding supply chains
Non-compliance may lead to:
- Fines of up to EUR 10,000,000 or 2% of the company's global annual revenue, whichever is higher
- In some cases, top company executives being held personally liable
The most significant change around incident reporting is how the NIS2 Directive details a mandatory multi-stage incident reporting process and the content that must be included.
Initial notification: within 24 hours.
An initial report must be submitted to the competent authority or the nationally relevant CSIRT within 24 hours of a cybersecurity incident. The initial report should indicate whether an unlawful or malicious act caused the incident. This first notification is intended to limit the potential spread of a cyber threat.
Follow-up notification: within 72 hours.
A more detailed notification report must be communicated within 72 hours. It should contain an assessment of the incident, including its severity, impact, and indicators of compromise. The impacted entity should also report the incident to law enforcement authorities if it was criminal in nature.
Final report: within one month.
A final report must be submitted within one month of the initial notification. This final report must include:
- A detailed description of the incident
- The severity and consequences
- The type of threat or cause likely to have led to the incident
- All applied and ongoing mitigation measures