NIS2: Obligations, Fines, and Costs for EU Organisations

In an increasingly digitised world, information security has become a primary concern for governments, businesses, and citizens alike. In response to this growing threat, the European Union has enacted Directive NIS2, establishing stricter obligations, significant fines, and additional costs for companies operating in the digital space. This directive redefines the cybersecurity landscape in Europe, placing unprecedented emphasis on the prevention and management of cyber incidents.

Challenges and Responsibilities under Directive NIS2

Directive NIS2 sets clear obligations for companies in terms of preventing and managing cyber incidents. An incident will be considered significant if it has caused or may cause serious operational disruptions or financial losses, or if it has affected or may affect other individuals or entities. This underscores the importance of companies being properly equipped with computer security incident response teams and competent authorities in networks and information systems.

Companies are responsible for notifying any critical incidents to the supervisory authority within 24 hours, with a detailed report within the following 72 hours. Additionally, a final report is required within a month. This rapid notification and response are crucial for mitigating the impact of cyberattacks and protecting both companies and citizens.

Implications and Penalties for Non-Compliance

Directive NIS2 also increases the responsibility of company management in the prevention and management of cyber incidents. Members of management can be held directly and personally responsible for security breaches, reflecting the importance of a cybersecurity culture from the top of the organisation.

Penalties for non-compliance with Directive NIS2 must be effective, proportionate, and deterrent. These can range from administrative fines to temporary bans for responsible directors. For companies considered as Important or Essential Entities, fines can amount to millions of euros or a significant percentage of their annual turnover.

The Real Cost for EU Businesses

Compliance with Directive NIS2 is non-negotiable and has significant financial implications for companies. According to the impact assessment associated with the directive, it is expected that companies will increase their spending on computer security by up to 22% in the first years following its implementation. This increase in operating costs is necessary to ensure adequate protection against growing cyber threats.

Although this increase in spending may seem substantial, it is expected to be offset by a significant reduction in costs associated with cybersecurity incidents. Furthermore, the ENISA Information Security Investment Report highlights a gap in cybersecurity spending between the European Union and the United States, suggesting that there is room for improvement in Europe’s security posture.

Understanding Company Investment in NIS2: Impacts and Outcomes

Despite the challenges and costs associated, the implementation of Directive NIS2 is bearing fruit. A study on NIS conducted on organisations from various EU Member States revealed that 82% of them experienced a positive impact on their cybersecurity as a result of the directive. This underscores the effectiveness of measures driven by European legislation to protect digital infrastructure and sensitive data.

In conclusion, Directive NIS2 establishes a robust framework for addressing growing cyber threats and protecting Europe’s digital infrastructure. Although it imposes additional obligations and costs on companies, these measures are essential for safeguarding security and trust in the European digital space. At the end of the day, investing in cybersecurity is not only a legal obligation but also a strategic necessity for all companies operating in today’s digital world.

It includes all public and private entities fundamental to the economy and society, as well as those with over 250 employees and an annual turnover exceeding €50 million. It also covers those with 50 to 250 employees and an annual turnover of at least €10 million.

There are exceptions to the size rule, such as providers of electronic communications networks or services, domain name registries or DNS service providers, and sole providers in a Member State of an essential service. Additionally, entities whose service disruption could have a significant impact on public safety, public security, or public health, as well as entities in the public administration, are considered within this category.

Risk Management and Security Measures

Directive NIS2 raises the bar regarding risk management and security measures that organizations must adopt within the European Union. This comprehensive approach not only seeks to protect individual organizations’ infrastructures but also to strengthen the resilience of European society and economy against cyber threats. Below are the key components of this approach:

Minimum Set of Security Measures
Risk Assessments and Information System Security Policies
Security Procedures for Employees with Access to Sensitive or Important Data
Use of Multi-Factor Authentication
Incident Management for Prevention, Detection, and Response to Cyber Incidents
Business Continuity and Crisis Management
Testing and Auditing of Security Measures
Supply Chain Security
Cybersecurity Training

So, Is Your Company Bound by NIS2 Regulations?

Directive NIS2 represents a significant advancement in cybersecurity within the European Union, addressing growing challenges in an increasingly complex digital environment. With clear criteria and stricter requirements, this regulation not only strengthens the protection of critical infrastructures and essential organizations but also promotes a more robust and aware cybersecurity culture throughout the region. With the implementation deadline in October 2024, both Member States and affected entities must act promptly to adapt to these new regulations and ensure a safer digital environment for all. Have you already found out if your company falls within the scope of NIS2?

Related Resource

April 29, 2024

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description