CYBERSECURITY A-Z
What Is NIS2?
To understand the EU NIS2 Directive (NIS2), you first need to understand its predecessor, the EU NIS Directive. Proposed in 2013, NIS was adopted in July 2016 as Directive (EU) 2016/1148 and entered into force in August 2016. It focused on achieving a high common level of security of network and information systems for critical infrastructure across European Union member states.
It set goals to improve national cybersecurity capabilities and to enhance cooperation between member states, and it required operators of essential services (OES) and digital service providers (DSPs) to adopt appropriate security measures. Its scope covered seven sectors: energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure. Noncompliance with its security requirements could result in substantial fines.
NIS2 (Directive (EU) 2022/2555) is a supercharged version of NIS. Proposed by the Commission in December 2020 and adopted in December 2022, it entered into force on 16 January 2023; member states had until 17 October 2024 to transpose it into national law, and from that date it replaced the original directive. As Europe’s most comprehensive cybersecurity directive, NIS2 continues and expands NIS “to build upon and rectify the deficiencies of the original NIS directive.”[i] Specifically, NIS2 expands on NIS in three major ways:
- More affected sectors. NIS2 expands the number of covered sectors from 7 to 15 (the directive’s Annexes I and II enumerate 18; the table below groups related ones, such as banking and financial market infrastructure, together).
- Stricter requirements. Article 21 sets out a minimum list of cybersecurity risk-management measures that covered entities must implement, and Article 20 makes management bodies accountable for approving and overseeing them.
- Harsher penalties for violators. Non-compliance can lead to administrative fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover for essential entities (EUR 7,000,000 or 1.4% for important entities), whichever is higher, as well as personal liability for members of management bodies.
Sectors Covered by NIS2
Annex I (sectors of high criticality, whose larger entities are generally classified as “essential”):
- Energy
- Transportation
- Finance (banking and financial market infrastructure)
- Health
- Water Supply (drinking water and waste water)
- Digital Infrastructure (including ICT service management)
- Public Administration
- Space
Annex II (other critical sectors, whose entities are generally classified as “important”):
- Postal Services
- Waste Management
- Chemicals
- Food
- Manufacturing
- Digital Providers
- Research
The NIS2 Directive organization summarizes the new regulation this way: “With stricter requirements for risk management and incident reporting, wider coverage of sectors, and more hard-hitting penalties for non-compliance, hundreds of thousands of European Union organizations will need to reassess their cybersecurity posture.”[ii]
Among the Article 21 risk-management measures are policies and procedures on the use of cryptography and, where appropriate, encryption, and the use of multi-factor or continuous authentication and secured voice, video and text communications.
The Importance of NIS2 – Supply Chain Impact
NIS2 reaches companies that do not directly fall under its scope because of its specific supply chain security demands: Article 21(2)(d) requires covered entities to address the security of their supply chains, including their relationships with direct suppliers and service providers, so those suppliers inherit requirements by contract. “In the past, we have seen that not all companies can properly identify how others could impact them. So, the new directive wants organizations to identify all components and their providers that could impact the organization within the product or service it provides. Organizations then need to establish the risk of those components and act accordingly.”[iii]
The Three Pillars of NIS2
NIS2 is built upon three main pillars, which can also be viewed as responsibilities. The pillars include the following:
Member State Responsibilities
NIS2 places a set of responsibilities on each EU member state, including adopting a national cybersecurity strategy, designating competent authorities and a single point of contact, establishing computer security incident response teams (CSIRTs), and operating incident reporting mechanisms and preparedness measures.
Company Responsibilities
For companies that fall under the umbrella of “critical to the functioning of society” (the directive’s “essential” and “important” entities), NIS2 requires comprehensive cybersecurity risk-management practices and supply chain security measures for their network and information systems. It also requires incident reporting to the competent authority or CSIRT: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month (Article 23). Security professionals nevertheless regard incident reporting as a gap that the NIS2 Directive must still address. According to the Federation of European Risk Management Associations (FERMA), the EU needs to provide a more streamlined and consistent set of requirements for reporting cyber incidents, ensuring it is easy, safe and secure for organizations to provide such information.[iv] Moreover, Philippe Cotelle, Chair of the Digital Committee at FERMA, stated that there are no technical specifications for the risk measures organizations should take in relation to incident reporting, and that none of the specifications consider the insurance implications.[v]
Cooperation and Information Exchange
Article 14 of NIS2 establishes the Cooperation Group. The group, composed of representatives of EU member states, the Commission, and ENISA (the EU agency for cybersecurity), carries out the 19 tasks listed in Article 14(4) on an ongoing basis to support strategic cooperation and information exchange among NIS2 stakeholders.
Article 14 also states that the European External Action Service shall participate in the activities of the Cooperation Group as an observer and that the European Supervisory Authorities (ESAs) and the competent authorities under Regulation (EU) 2022/2554 may participate in the activities of the Cooperation Group in accordance with Article 47(1) of that Regulation.[vi]
Where appropriate, the Cooperation Group may invite the European Parliament and representatives of relevant stakeholders to participate in its work.
NIS2 Vs. the EU’s DORA
Although its name, the Digital Operational Resilience Act, calls it an act, DORA (Regulation (EU) 2022/2554) is a regulation: unlike a directive, it applies directly in every member state without national transposition, and it applies from 17 January 2025. Both DORA and NIS2 focus on establishing and maintaining the resilience of systems within critical infrastructure entities. “It’s [DORA is] this idea that if your systems are disrupted, whether by a cyber attack or anything else, critical services across the EU can continue to function,” stated Andrew Pattison, the head of GRC consultancy at IT Governance Europe.[vii]
Yet DORA and NIS2 differ in sector scope. While NIS2 covers 15 sectors, DORA solely addresses financial entities and their information and communication technology (ICT) supply chains. For financial entities that fall under both, DORA is the sector-specific act and takes precedence over the corresponding NIS2 provisions on risk management and incident reporting (NIS2 Article 4).
NIS2 Vs. the U.S.’s NIST CSF 2.0
In comparing NIS2 against the U.S. NIST Cybersecurity Framework 2.0 (referred to here as NIST 2.0), one can see several major similarities and differences. Regarding their differences, the most important relates to enforcement. NIST 2.0 has no enforcement to back its framework and recommendations for improving cybersecurity at organizations across the U.S. By contrast, NIS2 is a mandatory directive across the EU, transposed into each member state’s national law, that imposes specific compliance requirements for network and information systems on organizations operating in designated critical sectors. Thus, NIS2 is binding law, and NIST 2.0 is a voluntary guideline or framework.
Key Differences Between NIS2 and NIST 2.0
Regulatory Status
NIS2 is legally binding and requires compliance from designated “essential” and “important” entities within the EU, while NIST 2.0 is a voluntary framework that organizations can adopt to improve their cybersecurity posture.
Scope
NIS2 focuses on 15 specific sectors, while NIST 2.0 applies to a broader range of industries and organizations – virtually any.
Enforcement
Organizations that fail to comply with NIS2 can incur significant penalties from EU regulators, whereas non-compliance with NIST 2.0 has no legal consequences.
Key Similarities of NIS2 and NIST 2.0
Risk-Based Approach
Both frameworks encourage a risk-based approach to identify, assess, and mitigate cybersecurity risks.
How They Work
Both NIS2 and NIST 2.0 address several of the same functions: identification, protection, detection, response, and recovery. NIST 2.0 names Govern as a sixth function of the framework; NIS2 addresses governance through Article 20, which makes management bodies accountable for approving and overseeing the risk-management measures and for receiving cybersecurity training.
How Forescout Helps with NIS2 Compliance
The Forescout Platform provides entities with unmatched support for NIS2 in five major ways:
Risk Management
CISOs can gain full visibility into IT, OT, and IoT assets, both managed and unmanaged, to reduce the risk of potential attacks. They can pair this with the Forescout Platform’s comprehensive capabilities for network security, risk and exposure management, and extended detection and response to strengthen security.
Incident Management
Forescout facilitates rapid threat detection and response to cybersecurity incidents with automated solutions. Real-time monitoring and incident response capabilities empower organizations to adhere to NIS2’s mandates for timely and accurate reporting.
Operational Resilience Testing
Forescout’s continuous asset monitoring and threat detection and response capabilities help organizations meet NIS2’s operational resilience requirements. By continuously assessing and adapting their cybersecurity posture, organizations can maintain compliance, operational strength and business continuity.
Third-Party Risk
The Forescout Platform supports organizations in any sector by providing enhanced visibility over their third-party ICT providers, enabling them to manage and secure these critical digital service contributors.
Information Sharing
Forescout enables secure incident and event reporting — and secure sharing of logs and audit data with stakeholders. Customers of Forescout benefit from Forescout Vedere Labs’ threat intelligence, which is integrated into the Forescout Platform and shared with the broader cybersecurity community.
Schedule a demo to see how the Forescout Platform continuously identifies, protects, and ensures the compliance of all managed and unmanaged cyber assets without operational disruption.
[i] The NIS2 Directive. What is NIS2? Accessed December 18, 2024 from the following source: https://nis2directive.eu/what-is-nis2/
[ii] NIS2 Directive, The NIS2 Directive Explained, Accessed December 18, 2024 from the following source: https://nis2directive.eu/
[iii] SANS. The NIS2 Mandate: What Every Organization Needs to Know, June 3, 2024. Accessed December 31, 2024 from the following source: The NIS2 Mandate: What Every Organization Needs to Know
[iv] FERMA and Infosecurity Magazine. EU Urged to Harmonize Incident Reporting Requirements, October 7, 2024. Accessed December 31, 2024 from the following source: https://www.infosecurity-magazine.com/news/eu-urged-harmonize-incident/
[v] Ibid.
[vi] NIS2 Directive. The NIS2 Directive, Final Text. Accessed December 31, 2024 from the following source: NIS 2 Directive, Article 14: Cooperation Group
[vii] Kyna Kosling and Andrew Pattison, IT Governance. DORA: What Is It, How Does It Compare to NIS 2, and How Will It Be Regulated?, May 3, 2024. Accessed December 31, 2024 from the following source: DORA: What Is It, How Does It Compare to NIS 2, and How Will It Be Regulated? – IT Governance Blog En