On October 17, 2024, a new and ambitious piece of legislation aimed at enhancing cybersecurity across EU Member States will enter into force. It’s called the NIS2 Directive(yeni pencere) (Network and Information Security Directive 2), and it will significantly expand the scope of the previous cybersecurity legislation (the 2016 NIS Directive) to cover more sectors — including healthcare, energy, transport, and digital infrastructure.
What is NIS2?
The NIS2 Directive mandates strict cybersecurity compliance for essential and important sectors in the EU. Non-compliance can result in fines up to €10 million or 2% of global revenue, with additional personal liability for senior management (this is a minimum figure – individual member states could level even larger fines). The global average cost of a data breach is $4.45 million, according to IBM.
Why does NIS2 matter?
Businesses that fail to comply with NIS2 not only face huge fines, but also increased risks of cyberattacks. A study by Accenture(yeni pencere) shows that 68% of businesses face weekly cyberattacks, and the cost of non-compliance, including legal fees and reputational damage, could exceed €10 million.
So what should my organization do?
Proton’s suite of secure, encrypted tools can help your business avoid these penalties and protect your data. Let’s schedule a meeting(yeni pencere) to explore how Proton can simplify your NIS2 compliance and keep your business safe.
Importantly, it’s not just companies based in the European Union that must comply with the new legislation. Any business that falls within the scope of NIS2 and wants to do business in the EU(yeni pencere) must also meet its requirements. This includes companies in the post-Brexit UK.
Much like GDPR(yeni pencere), this is likely to have a “ripple effect”, as companies around the world upgrade their cybersecurity posture to comply with NIS2. The expectation is that this will result in the EU-based legislation driving improved security standards globally.
In this article, we look at how NIS2 will impact your business or organization, and how Proton’s services can help it meet its compliance requirements.
- Who must comply with NIS2?
- NIS2 obligations
- What are the penalties for non-compliance?
- What are the main differences between NIS and NIS2?
- Where to start your NIS2 compliance journey
- NIS2 is a positive step forward
- How Proton can help with NIS2 compliance
Who must comply with NIS2?
The NIS2 Directive applies to a broad range of organizations critical to the EU’s societal and economic functions. These organizations are divided into two categories:
- Essential entities: These are organizations that operate in sectors vital for society, and which must comply with stricter cybersecurity regulations.
- Important entities: These organizations play significant roles in the running of society, but are not as critical as Essential ones. They include organizations in the these sectors:
As a general rule, small to medium businesses (SMBs) with less than 50 employees and an annual turnover below 10 million euros are exempted from NIS2. However, certain types of organizations must comply regardless of their size.
NIS2 obligations
NIS2 aims to standardize cybersecurity practices across the EU and strengthen the resilience of critical infrastructure and public services against growing cyber threats. To this end, qualifying organizations must meet the following requirements:
Risk management
Organizations must implement appropriate technical and organizational measures to manage risks to their networks and information systems. These measures should address security across the supply chain, incident prevention, and resilience in the event of unexpected circumstances.
Incident reporting
Organizations are required to report significant cybersecurity incidents to national authorities within 24 hours of detection, with more detailed reporting to follow within 72 hours.
Supervision and enforcement
Essential entities are subject to continuous supervision by authorities, while important entities are supervised reactively (that is, only when non-compliance is suspected). Management bodies are also responsible for overseeing cybersecurity measures, and can be held liable for failures.
Supply chain security
Organizations must assess and secure their supply chains to ensure that third-party vulnerabilities do not compromise their cybersecurity. This includes performing due diligence on suppliers and partners.
Governance and accountability
Management must approve and oversee cybersecurity risk management measures and can face personal liability if these measures are insufficient or non-compliant with NIS2 standards.
What are the penalties for non-compliance?
Significant fines can be levied against organizations for non-compliance. These fines are tiered, based on the size of the entity and how critical a role it plays in supporting essential infrastructure.
This means that essential entities (those critical to societal or economic functions) face higher penalties, with fines of up to €10 million or 2% of their total global annual turnover, whichever is higher. Important entities still covered by the directive, but with lower societal impact, can face fines of up to €7 million or 1.4% of total global annual turnover (whichever is higher).
As noted above, the directive also holds management bodies personally accountable, meaning that individuals in management positions of affected organizations, such as executives or board members, can be held liable for non-compliance. Penalties depend somewhat on the national laws of individual EU member states, but can range from fines to (if gross negligence or intentional non-compliance is involved) criminal charges.
What are the main differences between NIS and NIS2?
NIS2 introduces several updates and improvements compared to the original 2016 NIS Directive, reflecting the growing importance of cybersecurity in an increasingly unstable and digitalized world. These updates aim to create a more resilient, secure infrastructure across the EU.
Broader scope
NIS applied to a limited number of sectors such as energy, transport, and digital infrastructure. NIS2, however, covers more sectors, including telecommunications, public administration, waste management, and food production, along with cloud services, data centers, and content delivery networks.
Unified criteria for determining coverage
NIS2 introduces uniform criteria to define which organizations must comply, including all medium and large entities within covered sectors. NIS2 removes the discretion that member states had under NIS to determine which organizations were considered “operators of essential services”.
Stricter risk management requirements
NIS2 imposes more detailed obligations for cybersecurity risk management, focusing on aspects like supply chain security, incident reporting, and operational resilience. This is more comprehensive than NIS, which was much vaguer in scope.
Enhanced incident reporting obligations
NIS2 introduces stricter timelines for incident reporting (24 hours to report an incident, and 72 hours to provide updates).
Management accountability
One of the key features of NIS2 is personal liability for managers— meaning senior leaders can be held accountable for non-compliance with cybersecurity requirements (see the penalties section above) .
Stronger enforcement and penalties
NIS2 enforces higher fines for non-compliance. Under the original NIS, fines for non-compliance were left to the discretion of each EU member state, leading to inconsistent enforcement across countries.
While NIS did require sanctions for organizations that failed to meet cybersecurity standards, these fines were generally not as high or uniform as those introduced in NIS2 (up to €10 million or 2% of total global annual turnover). Member states often imposed fines based on their national laws, which meant the maximum penalties varied significantly and were generally lower compared to NIS2’s stricter enforcement regime.
Where to start your NIS2 compliance journey
If you’re unsure where to start planning for NIS2, the following checklist provides a solid foundation for your organization’s compliance journey.
1. Identify if NIS2 applies to your organization: Review the NIS2 Directive(yeni pencere) (full text) to see if your organization is classified as an essential or important entity, based on your sector (e.g., digital infrastructure, healthcare, or energy) and the size of your organization.
2. Map out cybersecurity risks: Conduct a thorough risk assessment of your organization’s networks and information systems. Identify vulnerabilities in your IT infrastructure, supply chain, and digital services.
3. Develop and implement risk management measures: Set up technical and organizational measures to manage your identified cybersecurity risks. These should include data encryption, access controls, and staff training.
4. Enhance supply chain security: Evaluate the security of all third-party suppliers and partners. Ensure you have due diligence processes(yeni pencere) in place to manage supply chain risks.
5. Prepare for incident reporting: Set up a system to detect, report, and respond to cybersecurity incidents. You’ll need to notify relevant authorities (e.g., national cybersecurity agencies) within 24 hours of detecting a significant incident.
6. Ensure management oversight and accountability: Make sure the organization’s management body is fully engaged in overseeing and approving cybersecurity measures. Train leadership on their responsibilities under NIS2, as they can be held personally (and potentially criminally) liable for non-compliance.
7. Track regulatory updates and national legislation: Stay informed about how NIS2 is being implemented in your country. Different EU Member States may have additional requirements or stricter rules for compliance. If you’re based outside the EU, you’ll need to meet the requirements for all countries your organization does business with in the EU.
8. Perform regular cybersecurity exercises: Conduct cybersecurity drills and tests to ensure your organization is prepared to handle incidents. This will help meet NIS2’s expectations for operational resilience.
To learn more about how to keep your business secure, please consult A Practical Guide to Security for Growing Businesses, our comprehensive security ebook by cybersecurity expert and Head of Security at Proton, Patricia Egger.
NIS2 is a positive step forward
NIS2 has the potential to significantly enhance cybersecurity across the European Union, protecting both businesses and individuals from the threat of cyberattacks. It ensures that critical sectors, like healthcare, energy, transport, and digital infrastructure, are better protected, meaning the essential services people rely on daily are less likely to be disrupted by cyber incidents.
Stricter data security measures (such as encryption and incident reporting), a more consistent approach to cybersecurity across Member States, and a focus on requiring businesses to secure their supply chains, will help safeguard critical infrastructure.
Organizations may find the stricter rules onerous, but the long-term payoff is much greater resilience to the cyber challenges that the future will almost certainly bring. These include the risk of increasingly sophisticated cyberattacks (by both criminals and state-level actors), fragmented cybersecurity practices, and supply chain vulnerabilities.
And this also applies to organizations outside the EU, who must comply with NIS2 to operate inside or otherwise do business with the EU. The result will likely be an improvement of cybersecurity standards everywhere.
How Proton can help with NIS2 compliance
Recital 98 of the preamble to NIS2 states that:
“In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications”.
This very closely describes Proton’s suite of end-to-end encrypted privacy-first products. Proton is an industry-standard leader in the field of cybersecurity and cyberprivacy, with certifications such as ISO 27001(yeni pencere). Our Proton for Business(yeni pencere) and Proton VPN for Business(yeni pencere) plans offer an increasingly comprehensive suite of secure privacy services that can help your organization comply with the NIS2 Directive in several key ways:
Proton Mail
Emails sent between Proton Mail addresses are always end-to-end encrypted(yeni pencere) (E2EE), so only the sender and intended recipient can access them. So if your organization uses Proton Mail, all internal communication emails are automatically E2EE.
Emails to and from non-Proton Mail addresses (for example, communications with customers) are stored on our servers using zero-access encryption(yeni pencere), so neither we nor any third party can access them. We also offer optional password-secured emails for secure E2EE communications with non-Proton Mail users).
Security can be further enhanced with features such advanced account protection, activity logs for staff members. and managed user permissions and access.
Proton VPN
Proton VPN offers secure internet access, which can help your organization meet the NIS2 requirements for strict data protection and reporting incidents. It encrypts all traffic, helps defend against network-based attacks, and protects supply chains through features like Secure Core(yeni pencere) and NetShield Ad-blocker(yeni pencere), which can also protect against malware and malicious trackers.
Proton VPN’s strict (and fully audited(yeni pencere)) no-logs policy(yeni pencere) ensures that no user activity data is stored, thus minimizing the risk of sensitive information being accessed by unauthorized parties. Dedicated gateways provide secure segmented access to your organization’s self-hosted office and SaaS resources, allowing you to build a secure zero-trust security model(yeni pencere) that meets NIS2’s stringent requirements.
Activity logs(yeni pencere) and mobile device management (MDM) support(yeni pencere) further work to ensure your network resources remain secure.
Proton Pass
NIS2 emphasizes strong risk management and cybersecurity measures. By offering end-to-end encrypted password management with secure password sharing (providing a secure and auditable way to grant access to resources), Proton Pass addresses this by protecting sensitive login information and preventing credential theft.
Proton Drive
With Proton Drive, your organization can store all its sensitive files using end-to-end encryption. And with our new Docs in Proton Drive(yeni pencere) feature, you can now create, edit, and collaborate on documents that are also end-to-end encrypted. Drive therefore supports NIS2’s mandate for robust security measures to protect sensitive information from unauthorized access and cyberattacks.
Proton Calendar
Our calendar end-to-end encrypts all event details, such as titles, descriptions, locations, and attendee information, ensuring that sensitive data is protected from unauthorized access. Event invitations to staff members sent via Proton Mail are also E2EE
As with GDPR(yeni pencere) and HIPAA(yeni pencere), Proton can help your organization become fully NIS2 compliant. With its strong focus on technologies such as end-to-end and zero-access encryption across our entire ecosystem, Proton’s suite of services supports key NIS2 compliance areas, including encryption, secure communications, and robust data protection. Discover how Proton can help you with your NIS2 journey.