Need cloud computing? Get started now

What Is NIS2?

What is the NIS2 Directive?

The NIS2 Directive provides EU-wide legislation on cybersecurity. NIS2 is an update to the previous Network and Information Security (NIS) Directive. Its objective is to create a common level of cybersecurity across the European Union’s Member States. Like the General Data Protection Regulation (GDPR), NIS2 aims to harmonize measures and approaches across the EU Member States to secure digital infrastructure — in this case, best practices in tackling the growing onslaught of cyberattacks.

NIS2 compliance background

Cyberattacks like ransomware and data breaches increasingly impact organizations and businesses across the EU. ENISA (European Union Agency for Cybersecurity) has published a report on the threat landscape, which warns that new forms of phishing and zero-day exploits are being used effectively to attack organizations across the EU. With a wide scope of application, NIS2 aims to improve cybersecurity across “essential and important entities” in critical sectors such as energy, retail, transport, banking, health, public administration, etc. The Directive also covers the security of supply chain and service vendors across borders.

NIS2 entered into force on 16 January 2023.The EU Member States have until 17 October 2024 to transpose NIS2 into national law, which will make it applicable.

How Akamai solutions can help organizations

NIS2 enforces the implementation of holistic and stringent security controls to reduce risk and prevent cybersecurity damage to systems and data. Requirements cover a gamut of IT systems and resources, including securing IT environments against ransomware, phishing, and unauthorized access.

Akamai security solutions provide intelligence and end-to-end protection to protect critical infrastructure operational technology (OT) and IT systems and data from breaches, security incidents, malware infection, and accidental data exposure. Akamai’s security platform provides the dynamic security needed to apply Zero Trust principles to data protection across an organization.

Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution for the security and privacy of data.

Akamai offers:

  • A global security platform that enforces Zero Trust security with comprehensive coverage of your IT, IoT, and OT environments
  • Deep visibility into assets, access, and network flows
  • Granular enforcement of security policy

Cybersecurity measures required by NIS2

NIS2 Directive Article 21 highlights that covered entities should manage cyber risk by using “appropriate and proportionate technical and organizational measures.” These measures include the following:

  • Risk analysis and information security policies
  • Thorough incident handling
  • Business continuity and crisis management
  • Robust supply chain security
  • Extensive network security
  • Vulnerability handling and disclosure
  • Policies and procedures that assess the effectiveness of cybersecurity risk management
  • Use of cryptography and encryption
  • Use of multi-factor authentication

How does NIS2 affect an organization?

NIS2 applies to any company operating in the EU, including “all public and private entities across the internal market, which fulfill important functions for the economy and society as a whole,” which “are required to take adequate cybersecurity measures.”

The Directive splits “covered entities” into two types: essential entities (EE) and important entities (IE). The difference between the two classes regarding compliance is that essential entities are subject to more stringent regulatory requirements for monitoring compliance, incident reporting obligations, and enforcement measures across information systems. Examples of each type of entity include:

Entities operating in the following sectors may be deemed essential (EE);

  • Transport
  • Energy
  • Banking
  • Health
  • Water

Entities operating in the following sectors may be deemed important (IE);

  • Postal and courier services
  • Waste management
  • Chemical production and processing
  • Food
  • Digital providers (search engines, social networking platforms, etc.)

Examples of three sectors affected by NIS2 are:

Health — Healthcare is an essential service under NIS2; therefore, a healthcare entity must adhere to stringent NIS2 regulatory requirements, including risk management measures that mitigate cyber risks and prevent damage to IT systems and data. In addition, incident management, supply chain cybersecurity, network security, access control, and data encryption are core requirements. Essential services such as healthcare organizations can use Zero Trust solutions to help adhere to these stringent security requirements. Zero Trust helps reduce compliance time by using fewer resources to achieve robust security across expanded networks and supply chains.

Retailers — The 2022 Sophos report The State of Ransomware in Retail identifies an upward trend of threats targeting the retail sector; the report found that 77% of retailers were victims of a ransomware attack in 2021. The NIS2 explicitly identifies “food production, processing and distribution” and “providers of online marketplaces”" as “important services.” As such, many retail operations will be in scope for NIS2 compliance. By enabling Zero Trust security, a retail company draws upon a comprehensive coverage of its IT environment; deep visibility into assets, access, and network flows; and granular enforcement of security policy. Using this comprehensive approach, a retailer can cover many requirements to ensure compliance with NIS2.

Third-party suppliers and service providers — Gartner predicts 45% of organizations worldwide will experience attacks on their software supply chains by 2025. The supply chain is a perfect target for hackers attempting to infiltrate the chain into an enterprise. NIS2 handles this cybersecurity risk with stringent risk management requirements for the supply chain for key information and communication technologies. NIS2 requires a proactive approach to supply chain risk management, including evaluation of the quality of the cybersecurity practices of its suppliers. Third-party suppliers should use a Zero Trust model of security to ensure that they have comprehensive security measures in place that ensure least-privilege access, for example, is enforced.

Akamai solutions

NIS2 mandates enforcing a series of cybersecurity measures and risk management activities. Measures include access control and least-privilege enforcement, robust multi-factor authentication, and measures to deter, detect, or prevent malicious code, such as ransomware. Akamai’s suite of solutions is designed to deliver Zero Trust security to support customers stop the spread of ransomware and other advanced attacks. Akamai helps to protect organizations from vulnerabilities, including increased risks from cloud computing and a distributed workforce.

Frequently Asked Questions (FAQ)

NIS2 is an EU directive providing harmonized EU-wide legislation on cybersecurity. NIS2, or Network and Information Security (NIS)2 Directive, is an update to the previous NIS Directive.

NIS2 applies to organizations that operate in the European Union across 11 essential sectors and seven important sectors. Covered entities are required under NIS2 to comply with the regulations to protect their systems from cyberattacks and ensure that they have robust incident response plans. Further details on the sectors that fall under the two categories can be found in the full text of the NIS2 Directive.

Like the GDPR, NIS2 noncompliance comes with hefty fines. For example, the  NIS2 Directive Article 34 sets noncompliance penalties as the following:

Essential entities: at least up to €10 million or 2% of the worldwide annual turnover 
Important entities: at least up to €7 million or 1.4% of the worldwide annual turnover

 NIS2 Directive Article 23 has strict cyber breach reporting rules. The regulation states that a breach notification is made “without undue delay.” The notice must be issued within 24 hours of becoming aware of a significant incident (“early warning”), and provide an initial assessment within 72 hours. This rule holds even if there is no indication of exposed personal data.

NIS Article 23 included a requirement to ensure the Directive is regularly reviewed to consider surges in cyberattacks, digital transformation, and disruption from the pandemic and remote work; the result has been an updated Directive, NIS2. The new version changes include an expanded scope of covered entities, coverage to all medium and large companies in the covered sectors, and coverage to high-risk smaller organizations. NIS2 focuses on a risk-based approach to security, covering areas such as business continuity and crisis management, vulnerability handling and disclosure, and multi-factor authentication.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Explore all Akamai security solutions