The Network and Information Systems Directive 2 (NIS2, Directive (EU) 2022/2555) is the new European cybersecurity directive, aiming to raise the bar for collective cybersecurity across the EU internal market.

NIS2 entered into force on 16 January 2023, but its obligations only bite from 18 October 2024: member states had until 17 October 2024 to transpose it into their respective national laws, and the measures apply from the following day.

The legislation targets digital service providers and operators of essential services that are critical to society and the economy, with the objective of instilling cyber resilience and ensuring minimal disruption and continued availability of the services on which vital societal functions depend. NIS2 is an upgrade of the original NIS Directive (NIS1, Directive (EU) 2016/1148, which member states had to apply from May 2018). It brings stronger requirements covering more sectors, improved and streamlined incident reporting obligations, heftier penalties for non-compliance (including personal liability for members of management bodies), a focus on securing business continuity, a focus on supply chain risk management, and harmonised enforcement across the EU with obligatory minimum baseline requirements.

NIS2 also creates a more elaborate EU-wide support structure for cybersecurity, including mechanisms for operational cooperation between member states such as the European cyber crisis liaison organisation network (EU-CyCLONe), frameworks for peer learning and information sharing, and a European vulnerability database backed by a coordinated vulnerability disclosure (CVD) policy in each member state.


Despite Brexit, NIS2 will apply to UK businesses that access the common market and fall within the scope of the legislation. For those of us based in the UK, it is of course tempting to forget that the EU still accounts for roughly 42-50% of the UK's trade, and that EU-UK ties remain critical for investment and supply chains in the UK economy.

NIS2 is therefore bound to be consequential in the UK too, with a serious, albeit positive, impact on the large section of the UK business ecosystem that exports to the EU common market.

It is equally an important piece of legislation for businesses in every other region that needs to access the common market, much as the GDPR has become.

Although it adds pressure on already lean resources, NIS2 does, desirably, mandate that businesses adopt robust cybersecurity posture management, enhancing digital resilience in the face of a rapidly evolving cyber threat landscape.
Businesses can then fully and securely leverage advanced technological innovations and remain competitive. As they say, "no pain, no gain".

NIS2 seeks to establish a baseline of security measures for business processes in specified sectors judged critical to the overall functioning of society and the economy, to mitigate the risk of cyber-attacks and to improve their overall level of cybersecurity and resilience. The sectors are listed in two annexes (Annex I, sectors of high criticality; Annex II, other critical sectors), and organisations within them are classified as either essential or important entities, depending mainly on the annex and on their size. The two classes are regulated differently: essential entities are controlled more stringently, including ex-ante supervision, while important entities are supervised ex post.

In scope: sectors of high criticality (Annex I), home to the essential entities

  • Energy (Electricity; district heating & cooling; gas; hydrogen; oil. Including providers of recharging services to end users),
  • Health (Healthcare providers; EU reference laboratories; R&D of medicinal products; manufacturing basic pharma products and preparations; manufacturing of medical devices critical during public health emergency),
  • Transport (Air (commercial carriers; airports; Air traffic control [ATC]); rail (infra and undertakings); water (transport companies; ports; Vessel traffic services [VTS]); road (ITS)),
  • Banking,
  • Financial market infrastructure (Trading venues, central counterparties),
  • Drinking Water supply,
  • Waste Water,
  • Digital Infrastructure (internet exchange points, DNS providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, and public electronic communications networks and electronic communications services),
  • ICT service management (B2B, Managed service providers, managed security service providers)
  • Public Administration entities (of central governments; excluding the judiciary, parliaments and central banks, and activities in the areas of defence, national security, public security and law enforcement),
  • Space (Operators of ground-based infrastructure),

In scope: other critical sectors (Annex II), home to the important entities

  • Digital Providers (online marketplaces, online search engines, social networking platforms),
  • Postal and courier services,
  • Waste Management,
  • Food (production, processing and distribution),
  • Manufacturing (including medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and other transport equipment),
  • Chemicals (manufacture, production and distribution), and
  • Research (research organisations)

Essentially, NIS2 applies to organisations in the above sectors that do business in the EU and meet the size criterion: medium-sized or larger under the EU SME definition, i.e. at least 50 employees, or an annual turnover or balance sheet total above EUR 10 million. Some entities (for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, and certain public administration entities) are in scope regardless of size.

Importantly, if NIS2 applies to you, then it reaches into your supply chain: Article 21 obliges in-scope entities to manage the risks arising from their direct suppliers and service providers. Being a supplier does not in itself bring you into scope, but if you are part of the supply chain of in-scope entities you should expect their security requirements to be flowed down to you contractually, and to be asked to evidence them.


Article 21 Cybersecurity Risk Management Measures

The actual prescription of the baseline cybersecurity measures under NIS2 is found in Article 21. In transposing the directive into national law, member states are required to oblige the in-scope entities, essential and important alike, to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems, and to prevent or minimise the impact of incidents on their services and on the recipients of those services.

NIS2 places a lot of weight on organisations tackling the cybersecurity risks that arise from their supply chain. Indeed, this is one of the few features that set this legislation apart from other recent legislation, and it reflects the current and evolving threat landscape.

The measures are required to take into account the state of the art in cybersecurity and relevant European and international standards, and to be proportionate to the actual risk exposure of the given entity, its size, the likelihood and severity of incidents, and the magnitude of their overall societal and economic impact.

Article 21 mandates an all-hazards approach to risk management and, rather than reinventing the wheel, refers to relevant European and international standards; in practice that means established frameworks such as the ISO/IEC 27000 series and the NIST SP 800 series.

The following represent the minimum prescribed measures, or rather the "domains of measures", since they amount not to single actionable steps or controls but to areas of action, each often encompassing several controls at once.

  • a.  Policies on risk analysis and information system security, which in practice means strategy and governance: risk analysis and risk treatment policies and procedures, executive ownership and (under Article 20) obligatory cybersecurity training for members of the management body.
  • b.  Incident handling policies and procedures, including a sound cybersecurity framework that identifies, protects against, detects, responds to and recovers from threats to, and incidents affecting, network and information systems.
  • c.  Business continuity, such as backup management and disaster recovery, and crisis management.
  • d.  Supply chain security, including third-party risk management policies and procedures covering the relationships with direct suppliers and service providers.
  • e.  Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
  • f.  Policies and procedures to assess the effectiveness of the cybersecurity risk management measures, i.e. continuous monitoring of the controls.
  • g.  Basic cyber hygiene practices and cybersecurity awareness training for employees.
  • h.  Policies and procedures on the use of cryptography and, where appropriate, encryption, to guard against threats to confidentiality, integrity and availability (CIA).
  • i.  Human resources security (including due diligence in hiring, onboarding and off-boarding), access control policies and asset management.
  • j.  The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.

It can be argued very persuasively that the foregoing measures mostly amount to common sense in the current digital climate, with its rapidly evolving threat landscape. The very nature of EU directives means that the final form of the law may differ from one EU country to another, but in the case of NIS2 the emphasis has been on harmonising cybersecurity requirements across the EU. This is reflected in the fact that the above are classified as minimum measures: member states must oblige at least the listed areas of measures and controls, and may impose stricter, but not less stringent, requirements.

NIS2 is a game changer among cybersecurity frameworks, with the potential for far-reaching, global implications as its standards are adopted worldwide. It also arrives at a time of unprecedented turbulence in the digital security landscape, following a succession of major cyber incidents and breaches with wide-ranging consequences for business operations on a global scale.

Worthy of note is one uncertain aspect of the practical implementation of the directive: under Article 24, member states may require essential and important entities to use particular ICT products, ICT services and ICT processes, whether developed in-house or procured from third parties, that are certified under a European cybersecurity certification scheme, in order to demonstrate compliance with some of the Article 21 requirements.

This is part of a bid to harmonise, through certification, the security requirements for ICT products, services and processes, including that they be secure by default and by design, under the European cybersecurity certification framework established by Regulation (EU) 2019/881 (the Cybersecurity Act). However, the Commission and the European Union Agency for Cybersecurity (ENISA) have yet to specify which categories of products, services and processes, if any, will be subject to such a requirement. More clarity is also expected as the member states publish the national laws transposing the directive, with the slight differences that are bound to exist between them.

On the other hand, it is reassuring that the European cybersecurity certification framework of Regulation (EU) 2019/881 (Article 49 of which sets out how ENISA prepares, and the Commission adopts, each certification scheme) provides a common yardstick against which products and services from large vendors such as Microsoft can be certified, and that relying on such products and services for the NIS2 requirements confers a sense of security and surety. The practitioner's caveat is that a product cannot comply with a directive on your behalf: the Article 21 obligations rest with the in-scope entity, which must still configure, operate and monitor what it buys, and be able to evidence that it has done so.