
NIS 2 Directive: What It Is, the Parties Involved, and How to Comply

Cybersecurity: Who Are the Entities Affected by the New European Directive and What Are the New Security Requirements to Comply With?


The NIS 2 Directive updates the old European regulation on cybersecurity and aims to strengthen the level of security for technological infrastructures in member states.

The new regulation, implemented in Italy last October, sets new requirements for companies required to ensure a high level of cybersecurity and extends the obligation to several sectors that were not involved in the NIS Directive.

To comply with NIS 2, organizations will need to adopt risk analysis and information-system security policies, incident management procedures, multi-factor authentication solutions, and protected communication systems.

NIS 2: What Is It and What Is Its Purpose?

NIS 2 (EU Directive 2022/2555) is a significant update of the previous NIS Directive and aims to establish a common EU-wide strategy for cybersecurity.

NIS 2 came into effect on January 17, 2023, and was implemented by the Italian government with the publication of Legislative Decree No. 138 of September 4, 2024. The new directive, which aims to increase the security of European technological infrastructure and make it capable of facing increasingly sophisticated cyber threats, introduces a number of significant changes to the previous regulation.

NIS 2 strengthens security requirements, introduces new supervisory measures, and significantly expands the number of affected entities. Sectors that were not on the old lists of operators of essential services (OSE), such as trust service providers and data centers, are now considered critical to the socioeconomic functioning of the European Union.

NIS 2: Who Does It Apply To?

According to Decree 138/2024, which came into force on October 16, the obligation to comply with NIS 2 applies to highly critical sectors, certain public administration categories, and other critical sectors.

Highly critical sectors include:

  • Energy (producers, managers, and distributors of electricity, gas, oil, district heating, hydrogen);
  • Transport, including road transport;
  • Banking sector;
  • Financial market infrastructures;
  • Healthcare (including entities conducting research and producing pharmaceuticals);
  • Potable water;
  • Wastewater;
  • ICT service management;
  • Space;
  • Digital infrastructures (including DNS providers, top-level domain registries, cloud computing service providers, data centers, content delivery networks, trust service providers, and providers of public electronic communications networks or of publicly available electronic communications services).

Additionally, other sectors considered critical include:

  • Postal and courier services;
  • Waste management;
  • Manufacturing, production, and distribution of chemicals;
  • Production, processing, and distribution of foodstuffs;
  • Manufacturing of medical devices, computers, electronics, optics, machinery and equipment, vehicles, and other transport means;
  • Research organizations;
  • Digital service providers, such as online marketplaces, search engines, social networking platforms, and domain name registration services.

As specified in Annex III, several public entities must also comply with NIS 2, including the Presidency of the Council, ministries, tax agencies, regions, municipalities with populations over 100,000, and local health agencies.

Finally, Annex IV lists other entities affected by the changes to the European Directive, including public transport service providers, educational institutions conducting research, organizations involved in cultural activities, and public or government-controlled companies.

Does NIS 2 Apply to Small Businesses?

In some cases, the regulation also applies to small businesses. This happens if the entity is identified as a critical supplier, such as when it is:

  • A provider of public electronic communications networks;
  • A provider of public electronic communications services;
  • A trust service provider;
  • A manager of top-level domain registries or a domain name system service provider;
  • A domain name registration service provider;
  • The sole national provider of an essential service;
  • A provider of a service whose disruption could pose a significant systemic risk;
  • Critical due to its importance at the national level;
  • Critical as a systemic element in the supply chain of essential or important entities.

This list also includes those previously identified as critical under the previous NIS Directive.

How to Comply with NIS 2: The Multi-Risk Approach

The first major change of NIS 2 concerns the responsibilities for cybersecurity measures, which go beyond the IT department and become a central issue, for which management bodies are also accountable.

According to the new Directive, it is the responsibility of the company’s Board of Directors not only to approve risk management measures but also to supervise and implement them. Management bodies are also encouraged to participate in “specific training on cybersecurity topics, extending this opportunity to their collaborators in order to assess the effectiveness and adequacy of the adopted security measures.”

The measures outlined in NIS 2 are based on a multi-risk approach that must include, in the complete risk assessment, non-digital elements such as natural disasters, hardware failures, and lack of staff training.

Furthermore, the new Directive requires that the organizations involved be capable of responding to incidents and that they notify the competent authorities of any significant incident “without undue delay and in any case within 24 hours of becoming aware of the incident that has a significant impact on the provision of their services.”

The Requirements of the NIS 2 Directive

The key elements of the multi-risk approach outlined by NIS 2 include:

  • Risk analysis policies and information system security;
  • Incident management;
  • Business continuity, such as backup management, disaster recovery, and crisis management;
  • Supply chain security, including security aspects related to the relationships between each entity and its direct suppliers or service providers;
  • Security in the acquisition, development, and maintenance of IT and network systems, including the management and disclosure of vulnerabilities;
  • Strategies and procedures to assess the effectiveness of cybersecurity risk management measures;
  • Basic cybersecurity hygiene practices and cybersecurity training;
  • Policies and procedures related to the use of cryptography and, where appropriate, encryption;
  • Human resources security, access control strategies, and asset management;
  • Use, where applicable, of multi-factor or continuous authentication solutions, secure voice, video, and text communications, and protected emergency communication systems within the entity.

NIS 2: Multi-Factor Authentication (MFA)

Multi-factor authentication is one of the requirements of NIS 2: adopting a strong authentication method such as two-factor authentication (2FA) or multi-factor authentication (MFA) helps protect access to information systems and gives greater assurance that the person logging in is who they claim to be.

In 2019, a Google study on account security found that multi-factor authentication blocked 100% of automated attacks, 96% of bulk phishing attacks, and 76% of targeted attacks.

In a more recent study by Microsoft, which examined a list of users who had registered suspicious activity, it was reported that “implementing MFA provides exceptional protection, with over 99.99% of accounts with MFA remaining secure during the investigation period.”

Integrating these authentication systems is not necessarily difficult: some methods rely on physical possession of an object (e.g., a hardware token), others on the user’s physical characteristics, such as biometric data. There are also lighter-weight methods, such as one-time passcodes, QR codes, and verification via SMS.
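As an added illustration of the one-time passcode factor mentioned above (example code written for this article, not part of the original post or of any specific product), the following Python block implements the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 and a server-side verification routine. It assumes a 6-digit, 30-second, HMAC-SHA1 configuration (the defaults most authenticator apps use); the demo key is the RFC test key and is labelled as such, a real deployment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo key: the RFC 4226 / RFC 6238 test vector secret.
# In production, generate a fresh random secret (e.g. secrets.token_bytes(20)) per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                skew: int = 1, last_used: int = -1):
    """Server-side check. Returns the matched time-step counter, or None.

    - accepts the current step and +/- `skew` steps to tolerate clock drift;
    - compares in constant time (hmac.compare_digest);
    - rejects any counter <= last_used so a code that was already accepted
      cannot be replayed within the validity window. The caller persists the
      returned counter as the new last_used value for that user.
    """
    if len(submitted) != 6 or not submitted.isdigit():
        return None
    matched = None
    for delta in range(-skew, skew + 1):
        counter = at // step + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            matched = counter
    if matched is None or matched <= last_used:
        return None
    return matched


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI as consumed by authenticator apps (secret Base32-encoded)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits=6&period=30")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("enrol with:", provisioning_uri(DEMO_SECRET, "alice@example.com", "DemoCorp"))
    print("current code:", code)
    first = verify_totp(DEMO_SECRET, code, now)
    print("first use accepted, counter:", first)
    print("replay accepted:", verify_totp(DEMO_SECRET, code, now, last_used=first))
```

The replay check is the part most home-grown implementations omit: a TOTP code is valid for the whole window, so without remembering the last accepted counter an intercepted code can be reused. SMS delivery of codes, also listed above, shares this property and is additionally exposed to phishing and SIM-swap risks, which is why the Google figures cited earlier are lower for targeted attacks than for automated ones.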
