Navigating the NIS 2 Directive

Authors: Aliki Diakidou, Christos Papachristos, National Cyber Security Authority

The NIS 2 Directive [1] represents a significant advancement in cybersecurity regulation across the EU. If you are an SME (small or medium-sized enterprise) [4], it is essential to understand the new requirements, as they aim to improve cybersecurity resilience across a wide range of sectors. This guide provides a concise overview of what SMEs need to know about NIS 2 and how it may affect their operations.

1. From NIS 1 to NIS 2: What’s Changed?

Under the NIS 1 Directive [2], each Member State decided which operators of essential services (and digital service providers) had to follow cybersecurity rules, so coverage was narrow and uneven. NIS 2 widens the scope and introduces the “size-cap rule”, which ties coverage to the sector an entity operates in plus its size:

  • Micro and small enterprises are generally excluded, even when they operate in a sector listed in Annex I [5] or II [6] of the Directive, unless one of the exceptions in Article 2(2) applies (the entity types listed below, or an entity a Member State identifies because, for example, it is the sole provider in that Member State of a service essential to critical societal or economic activities).
  • Medium-sized and large enterprises operating in an Annex I or II sector now fall under the NIS 2 framework and are classified as essential entities [Section 7.1] or important entities [Section 7.2]. Smaller firms in the supply chain of such entities are not directly in scope, but their customers must manage supply-chain risk, so the requirements reach them indirectly.

Regardless of their size, the following types of businesses must comply with NIS 2:

  • Providers of public electronic communications networks and services.
  • Trust service providers.
  • Top-level domain name registries and DNS service providers.

Overall, a large number of entities crucial for socio-economic life at EU and national level fall under the scope of the NIS 2 Directive, either directly (medium-sized and large enterprises carrying out their activities in the sectors of NIS 2) or indirectly, as part of the supply chain of entities directly in scope.

In brief, the NIS 2 Directive:
“lays down obligations for all Member States to adopt a national strategy on the security of network and information systems;”

2. Assistance to SMEs. You are not alone.

SMEs and other essential and important entities within the scope of the NIS 2 Directive are not alone on this path. The EU and national authorities will provide guidance and support to help smaller businesses meet the requirements of NIS 2. This assistance may include training, workshops, access to best-practice materials and other resources tailored to SMEs’ needs.

Complying with the NIS 2 Directive is a challenging task, especially for SMEs that have not considered cybersecurity measures so far and are focused only on their core business. Compliance may be costly and may require financial investment that small SMEs cannot easily afford. The technical expertise needed to apply new cybersecurity measures may not exist within an SME, which means additional spending on external consultants or on hiring staff with the appropriate skills.

To that end, the EU has funded a series of projects under the Digital Europe Programme (DEP) [3], such as GR-SME-SOC, to provide SOC (Security Operations Center) services to small and medium-sized enterprises that want to improve their cybersecurity posture, and to help them comply with the NIS 2 Directive.

3 NIS 2 Obligations

3.1 Stricter cybersecurity measures: What SMEs Must Do

NIS 2 (Article 21) requires entities within its scope to take appropriate and proportionate technical, operational and organisational measures, based on an all-hazards approach. Here is an indicative list of what SMEs need to implement:

  • Policies on risk analysis and information system security.
  • Incident handling, including the reporting obligations described in Section 3.2.
  • Business continuity, such as backup management, disaster recovery and crisis management.
  • Supply chain security to protect critical dependencies (see Section 3.4).
  • Security in acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure.
  • Basic cyber-hygiene practices and cybersecurity training, such as ensuring regular updates and secure configurations.
  • Policies on the use of cryptography and, where appropriate, encryption.
  • Access control, human-resources security and asset management.
  • Multi-factor authentication (MFA) or continuous authentication, and secured communications.
  • Policies and procedures to assess the effectiveness of the measures taken.

3.2 Reporting Obligations: Be Ready to Act Quickly

One of the most important aspects of NIS 2 is the obligation (Article 23) to notify the CSIRT or competent authority of any significant incident, that is, an incident that causes or can cause severe operational disruption or financial loss, or that affects other persons by causing considerable damage. The timelines run from the moment the entity becomes aware of the incident and are strict:

  • Early warning within 24 hours, stating whether the incident is suspected to be unlawful or malicious and whether it could have cross-border impact.
  • Incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
  • An intermediate report on relevant status updates, if the CSIRT or competent authority requests one.
  • A final report no later than one month after the incident notification, covering the incident’s severity and impact, the likely root cause and the mitigation measures applied. If the incident is still ongoing at that point, a progress report is due then and the final report one month after the incident has been handled.

Failing to meet these deadlines can result in penalties, so SMEs should have a documented incident-reporting process, including the contact details of their CSIRT or competent authority, in place before an incident happens.

3.3 Governance & Accountability: Leadership Is Key

NIS 2 (Article 20) places responsibility directly on the management bodies of businesses. Leaders are expected to:

  • Approve and oversee the implementation of the cybersecurity risk-management measures.
  • Follow cybersecurity training themselves, on a regular basis, and encourage similar training for employees.
  • Be held liable for infringements of these obligations.

This means cybersecurity is no longer just an IT issue—it’s a top-level responsibility that management must prioritise.

3.4 Managing Supply Chain Risks

Under NIS 2, businesses must also focus on supply chain security (Article 21(2)(d)). SMEs play a crucial role in wider supply chains, so they need to assess the risks related to their direct suppliers and service providers, taking into account the vulnerabilities specific to each of them and the overall quality of their products and cybersecurity practices, including their secure development procedures. The Directive also provides for coordinated security risk assessments of critical supply chains at EU level (Article 22), whose results entities should take into account. In practice this means SMEs must identify their critical dependencies and work with partners to mitigate potential vulnerabilities.

4 European Cybersecurity Certification Schemes

Finally, NIS 2 (Article 24) encourages the use of European cybersecurity certification schemes for ICT products, services and processes. Member States may require essential and important entities to use certified products or services, which would add an extra layer of assurance to SMEs’ operations.

5 Conclusions: Prepare Now, Stay Compliant

For SMEs, compliance with NIS 2 may seem challenging, but with the right approach, it’s an opportunity to strengthen your cybersecurity measures. By focusing on risk management, incident reporting, and supply chain security, and ensuring top management is accountable, SMEs can navigate the demands of NIS 2 and improve their resilience against cyber threats. Benefits from being compliant with NIS 2 Directive also include:

  • Enhanced Cybersecurity: Compliance with the directive will ultimately strengthen the cybersecurity of SMEs, protecting them from increasing cyber threats like ransomware and data breaches.
  • Competitive Advantage: SMEs that meet NIS 2 requirements may gain a competitive edge, as larger companies tend to prefer partners with strong cybersecurity standards in place.
  • Market Confidence: Compliance can boost the trust and confidence of clients, investors, and stakeholders in an SME’s ability to protect sensitive data and operate securely.

6 References

  1. DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, https://eur-lex.europa.eu/eli/dir/2022/2555/
  2. DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, https://eur-lex.europa.eu/eli/dir/2016/1148/
  3. The Digital Europe Programme, https://digital-strategy.ec.europa.eu/en/activities/digital-programme
  4. EU definition of Small and medium-sized enterprises (SMEs), https://single-market-economy.ec.europa.eu/smes/sme-fundamentals/sme-definition_en
  5. ANNEX I. Specific sectors listed under the NIS2 Directive, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02022L2555-20221227&qid=1729504402588#tocId95
  6. ANNEX II. Other critical sectors listed under the NIS2 Directive, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02022L2555-20221227&qid=1729504402588#tocId96

7 Annex

7.1 “essential” entities (Article 3(1))

“(a) entities of a type referred to in Annex I which exceed the ceilings for medium-sized enterprises provided for in Article 2(1) of the Annex to Recommendation 2003/361/EC;
(b) qualified trust service providers and top-level domain name registries as well as DNS service providers, regardless of their size;
(c) providers of public electronic communications networks or of publicly available electronic communications services which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC;
(d) public administration entities referred to in Article 2(2), point (f)(i);
(e) any other entities of a type referred to in Annex I or II that are identified by a Member State as essential entities pursuant to Article 2(2), points (b) to (e);
(f) entities identified as critical entities under Directive (EU) 2022/2557, referred to in Article 2(3) of this Directive;
(g) if the Member State so provides, entities which that Member State identified before 16 January 2023 as operators of essential services in accordance with Directive (EU) 2016/1148 or national law.”

7.2 “important” entities (Article 3(2))

“For the purposes of this Directive, entities of a type referred to in Annex I or II which do not qualify as essential entities pursuant to paragraph 1 of this Article shall be considered to be important entities. This includes entities identified by Member States as important entities pursuant to Article 2(2), points (b) to (e).”