NIS2 Cybersecurity Directive: Elevating Defenses to Create Long-Term Resilience
Cyber Resilience | Article | March 14, 2025
Cybersecurity continues to be a hot-button topic for private enterprise and public authorities, as threats become more widespread and advanced. As a result, the European Union launched the NIS2 Directive in late 2024, replacing the Security of Network and Information Systems Directive that had been in effect for the past 8 years.
Its scope includes more digital business lines and services, while imposing stricter cybersecurity measures and reporting requirements. The aim is to bolster resilience against cyberattacks for businesses operating across EU member states and to provide a common framework for new security standards – ultimately to achieve more stability, protection, and long-term security for the EU bloc.
Traditionally, cyber regulations have primarily targeted industries such as banking and insurance, given their critical role in the economy and their handling of sensitive information. However, NIS2 is expanding its reach to new sectors, including manufacturing, energy, water management, healthcare and transport. This broader scope underscores the widespread nature of cyber threats today and the necessity for robust cybersecurity measures across various industries to prevent catastrophic scenarios that could potentially impact society at large.
The NIS2 directive includes measures that hold top management liable in the event of a security incident. It requires management to oversee, approve and be trained on an organization’s cybersecurity measures. Authorities can hold management personally liable if gross negligence is proven after an incident. The consequences of non-compliance have caused many businesses to seek help in determining whether they are within scope of the directive and how to meet the requirements.
This point of view provides background to help ensure you are up to date on the core components of NIS2, so you can prepare your path forward to compliance and a strengthened cyber posture.
NIS2 introduced key cybersecurity requirements to ensure protection
Organizations must develop effective incident handling protocols to manage and respond to security breaches. Policies must be in place for the secure acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure. The directive's incident reporting obligations, in particular, include:
- Businesses must provide an early warning within 24 hours of detecting a significant incident, indicating if it may be unlawful or have cross-border impacts.
- Within 72 hours, they must submit a detailed incident notification with an initial assessment of severity and impact.
- A final report must be submitted within a month and include a thorough incident description, root cause, mitigation measures, and cross-border effects.
Regular assessment of cybersecurity risk-management measures is crucial, alongside basic cyber hygiene practices and continuous employee training. Member States are responsible for ensuring that entities consider the specific vulnerabilities and cybersecurity practices of their suppliers, supported by coordinated security risk assessments of critical supply chains.
The stakes are high for failing to prevent breaches, as demonstrated by a major incident in France last year. Two service providers for medical insurance companies were targeted by hackers in one of the country’s largest-ever cyberattacks, with sensitive information on more than thirty-three million people being exposed.
Businesses in scope and addressing the risk
The directive categorizes in-scope entities as “essential” or “important,” depending on the size and type of business. The categorization determines the scope of measures that apply to the business and the level of fines that would apply for non-compliance. Excluded from the directive are entities related to defense or national security, public security, and law enforcement. Also excluded are the judiciary, parliaments, and central banks.
A report by the European Union Agency for Cybersecurity (ENISA) highlighted the industries most frequently targeted by cyber criminals: public administration was the most targeted (19%), followed by the health sector (8%) and digital infrastructure and manufacturing (7% each). What is important to note is that every organization is exposed and at risk today, and cyber safeguarding measures are critically important for any organization or entity to be prepared.
While there is no one-size-fits-all approach to meeting the new requirements, the first step is to untangle the directive's dense legal language using in-house expertise or external experts. Once an organization has a firm understanding of the requirements, work can begin with a gap assessment (checking the existence and the quality of processes and policies on cybersecurity). Beyond a gap assessment, businesses may need help in evaluating supply chains, quantifying risks with financial exposure, and meeting other requirements enforced through NIS2. These elements are more complex but are essential to taking a holistic view of one’s entire ecosystem and potential risk areas.
Planning your cyber resilience agenda
Complying with the complex new directive and positioning an organization to repel or recover from cyberattacks can be more manageable with in-house, dedicated cyber experts who know the complexities and core technologies. However, these skills are in extremely high demand, and it may be necessary to turn to a solutions provider that has the tools and expertise to guide planning and operational efforts.
Using insight that comes from assessing thousands of companies’ cyber exposure and analysis of a wealth of data, the team at Zurich Resilience Solutions can provide an evaluation of a business’s security posture and help management decide which solutions are needed to strengthen resilience against cyberattacks and meet the NIS2 requirements.
Want to learn more and ensure you’re as prepared as possible? Our team of advisors understands the landscape and how you can best be ready with a plan of action.
For more information, contact one of our experts today.