NIS2 Compliance Audit

What is the NIS2 Directive?

The NIS2 Directive (Network and Information Security) is a European Union legal act imposing new obligations on companies in critical sectors such as energy, transport, banking, and healthcare. Its aim is to establish a common, integrated level of cybersecurity.

By October 17, 2024 (the date the new EU legal act comes into force), member states must implement appropriate measures. Failure to comply with the requirements can result in significant financial penalties and personal liability for board members. Key entities subject to the new law may be fined up to 10 million euros or 2% of their total annual revenue, whichever is higher. Ignoring the requirements of the NIS2 Directive can lead to severe financial and operational consequences, making proper preparation crucial.

Who is affected by the new NIS2 Directive?

The NIS2 Directive applies to companies in critical and important sectors that are vital for the functioning of society and the economy:

Critical Sectors:

  • Energy – Production, transmission, and distribution of electricity, gas, and oil.
  • Transport – Transportation services in aviation, railways, road transport, and maritime.
  • Banking – Financial institutions, including banks and other entities operating in the financial services sector.
  • Healthcare – Hospitals, clinics, and other medical facilities and their IT systems.
  • Digital Infrastructure – Internet service providers and telecommunications infrastructure.
  • Public Sector – Public administration and government institutions.

Important Sectors:

  • Water Management – Supply, management, and purification of drinking water, critical for community health and life.
  • Food Sector – Production, processing, and distribution of food ensuring food security.
  • Chemical Sector – Production and processing of chemicals impacting public health and the environment.
  • Media Industry – Television, radio services, and online platforms that inform and educate the public.
  • Transport Sector – Transport services not classified as critical but important for logistics and mobility, including postal and courier services that ensure large-scale delivery of parcels and information.

NIS2 Directive – Qualifying criteria

The NIS2 Directive introduces criteria based on company size that determine whether an organization is subject to its regulations. The key indicators are the number of employees and annual revenue:

Employee Criteria:

  • The NIS2 Directive applies to medium and large enterprises. A company is classified as medium if it employs at least 50 full-time employees.
  • For large companies, the minimum number of employees is 250.

Revenue Criteria:

In addition to the number of employees, the directive also considers annual revenue. To fall under NIS2, a company must have annual revenue of at least 10 million euros.

For large companies, the threshold is 50 million euros in annual revenue or 43 million euros in total assets.

Challenges in implementing the NIS2 Directive and risk areas

Implementing the NIS2 Directive presents a significant challenge for companies that must align their cybersecurity management systems with new, stricter requirements to ensure adequate security and operational continuity. The complexity and variety of obligations imposed on businesses can lead to challenges in their execution, requiring not only sufficient resources (including networks and IT systems) but also advanced cybersecurity expertise. Key challenges in risk management related to the NIS2 Directive include:

  • Implementing Appropriate Measures: Defining and implementing proportionate technical, operational, and organizational measures in line with the company’s characteristics.
  • Handling and Reporting IT Security Incidents: Establishing procedures for incident response and ensuring the timely reporting of significant security incidents to the appropriate authorities.
  • Risk Analysis Policy: Developing a policy for risk analysis and managing IT system security.
  • Business Continuity: Creating plans for backup management and restoring normal operations following incidents.
  • Supply Chain Security: Defining security policies for relationships with suppliers and service providers.
  • Testing and Security Evaluations: Implementing regular audits and security tests to identify vulnerabilities.
  • Cryptography and Encryption: Developing a policy for the use of cryptography and, where appropriate, encryption.
  • Human Resource Security: Establishing policies for access control and asset management.
  • Training for Managers: Providing regular training for those responsible for managing cybersecurity risks.

NIS2 Compliance Audit – support from Crowe

Crowe offers comprehensive support to help companies prepare for the implementation of the NIS2 Directive:

  1. Audit and Current State Analysis:
  • We assess the current level of IT security and compliance with applicable requirements.
  • We identify existing gaps and areas for improvement in management systems.
  • We prepare an audit report highlighting key risk areas and providing recommendations for corrective actions.

Our expert

Jacek Włodarczyk
Senior Manager
Crowe