The EU NIS2 directive, which calls for strengthening cybersecurity across the European Union, is now active in all member states. Join me for this 3-part blog post series  in which I’ll explain what it is, help you understand if it is applicable to your company and how you can become NIS2 compliant.

In this first part, I’ll provide an introduction on what NIS2 is, the differences from its predecessor NIS and its applicability so you can understand it and conclude if it is relevant for your company.

Intro to NIS2

The EU DIRECTIVE 2022/2555 or Network and Information Systems Directive (commonly known and referred to as NIS2 or EU NIS2 from here onwards) is a new piece of EU regulation that applies to all European Union Member States, with the goal of achieving a high common level of cybersecurity. The regulation updates the previous Network and Information Systems Directive (NIS or NIS1) from 2016 and mandates member states to adopt and rigorously enforce stricter cybersecurity requirements for entities providing critical services in the EU Region.

Unless your company is considered a small/micro entity (i.e. less than 50 employees or 10 million Euros in revenue) and does not operate in critical sectors (see table below), this article and the rest of the series is for you.

Table 1: A list of sectors under the scope of NIS2

EU NIS2 is a very broad and complex regulation, so in this post we’ll explore the specific applicability and requirements of NIS2 for organizations in more detail. 

Is it applicable to you? 

Generally speaking, the EU NIS2 applies to all medium or large public and private entities that operate in critical sectors, who provide their services or carry out activities in the EU market. Even if you don’t have an EU location, you are in scope if any of your customers are in the EU.

The EU NIS2 scope is covered in Annex I and Annex II of the Directive. Annex I lists the sectors of high criticality and Annex II covers other sectors deemed as critical (which would get your company in the scope as well).  The table presented in the previous section (Table 1)  gives you the list of sectors, but you must also to combine that with the size capping table below (Table 2) to get a full picture of the applicability: 

Table 2: The size classifications and capping of NIS2

*defined per the SME Recommendation for the EU

The EU NIS2 scoping puzzle can be generally solved using the two tables provided, but there are some considerations to be made:

• Micro and small entities are not in scope regardless of their sector, with the exception of Qualified Trust Service Providers, TLD Name registries and DNS service providers. 
• If you are already bound by another EU Directive or sector-specific directive/regulation, then these  take precedence (as some call it lex specialis principle – e.g. if you’re in scope for DORA then it takes precedence over NIS2).
• The applicability is always to the member state’s legislation (or directive transposition) rather than the Directive itself. 

A note about Essential and Important entities

Entities in scope of EU NIS2 can be further separated as Essential and Important entities depending on sector criticality and size. The requirements are the same for both types, with the main difference between Essential and Important entities being the level of supervision by Authorities. Essential entities are under proactive supervision, while Important entities are under reactive supervision (e.g. only after an incident happens).

What are the differences between NIS and NIS2? 

Technology and the digital market have evolved since the first EU NIS Directive was issued in 2016. Hence, NIS2 aims to build upon its predecessor and adjust to these changes and an evolved  threat landscape. But it also introduces several changes and improvements such as:

• Broader scope (7 sectors in NIS1 x 16 sectors in NIS2)
• Additional obligations (minimum set of requirements)
• Stricter requirements (e.g. smaller window for incident reporting)
• Personal liability for the management body 
• Increase in administrative fines

When does it start to apply?

The EU NIS2 Directive entered into force on January 16, 2023. EU Member States had until October 17, 2024 to transpose the regulation into national laws and start applying such laws as of October 18, 2024.

That concludes our first post of this series. I hope that it helped you understand and solve the puzzle to conclude if NIS2 is applicable to you or not.  Stay tuned for our second post of the series where I’ll break down the requirements and let you know how you can translate those requirements into actions and controls in your company that will facilitate your journey towards compliance.

How Canonical can help you with NIS2 cybersecurity compliance

Canonical is committed to helping organizations become EU NIS2 compliant. We’re committed to delivering trusted open source that enables organizations to put security at the heart of their stack. Through Ubuntu Pro, our comprehensive security and support subscription, organizations can receive up to 12 years of expanded security maintenance for over 36,000 packages, wherever they use Ubuntu in their stack. Ubuntu Pro also includes patching automation and compliance auditing tools like Landscape and Livepatch, as well as access to compliance and hardening features. 

Learn more about Ubuntu Pro by visiting our dedicated page, or get in touch with our team for a conversation about how we can help you meet your needs.

Further resources about EU regulations and Compliance

Thank you for reading! Below you will find more resources on EU Regulations and how to achieve security and compliance using an infrastructure hardening approach.

• Read our CISO’s comprehensive overview of the Cyber Resilience Act 
• Watch a webinar about the CRA’s impact on device manufacturers 
• Read  our Infra Hardening whitepaper to understand a little bit more on how to approach hardening.