The days when an antivirus and common sense were enough to guarantee an organization’s cybersecurity are long gone. Especially if you work in a critical sector. That’s why the NIS2 Directive (2022/2555) of the European Union establishes cybersecurity obligations for these key activities… and the consequences of non-compliance.
These consequences are significant, so let’s analyze the regulation, when it applies, and how to implement it.
- What is the NIS2 Directive and What Changes from NIS1?
- Who Is Required to Comply with the NIS2 Directive
- NIS2 Compliance for Small Businesses and Microenterprises
- Key Cybersecurity Requirements of NIS2
- System Security According to NIS2
- Incident Response and Management According to NIS2
- SIEM and IPS/IDS as Key Elements for Complying with the NIS2 Directive
- Log Collection Requirements Under NIS2
- How Pandora FMS and Pandora SIEM Help Ensure NIS2 Compliance
What is the NIS2 Directive and What Changes from NIS1?
Increasingly sophisticated malicious actors (state-sponsored or otherwise), the omnipresence of malware, and the proliferation of data breaches make one thing clear:
The European Union must enhance its cybersecurity management in critical sectors, and the NIS1 directive was no longer sufficient.
For that reason, the new NIS2 Directive was approved in November 2022, affecting what are known as essential and important entities. Member states are now implementing it according to the following timeline:
- 16/01/2023. Entry into force.
- 18/10/2024. Repeal of NIS1. Adoption and publication of measures by member states.
- 17/01/2025. National CSIRT (Computer Security Incident Response Team) networks begin operations, and the sanctioning regime is established.
- 17/04/2025. Deadline for compiling the register of essential and important entities. Communication of their number to the Commission and Cooperation Group. Start of evaluations of national cybersecurity strategies (at least every 5 years).
What Changes from NIS1?
- Stricter security requirements.
- Increased compliance control.
- Higher penalties (up to 10 million euros or 2% of revenue for essential entities, and 7 million euros or 1.4% of revenue for important entities).
- Expansion of what is considered an essential or important entity.
This last point is crucial because many organizations that were not covered under NIS1 are now within the scope of NIS2.
Who Is Required to Comply with the NIS2 Directive
The directive generally applies to medium and large companies, whether public or private, that operate in highly critical sectors (as defined in Annex I of the Directive) and other critical sectors (as listed in Annex II).
Therefore, the first factor to consider is the size of the organization:
- A medium-sized company has between 50 and 250 employees and a turnover of up to 50 million euros, or a balance sheet exceeding 43 million euros.
- A large company exceeds these thresholds: more than 250 employees and a turnover or balance sheet of 43 million euros or more.
And which sectors are considered critical and highly critical?
The list is more extensive than that of NIS1. For example, NIS1 already classified the energy sector as highly critical, but under NIS2 this category has been expanded to include district heating and hydrogen systems, which were excluded under NIS1.
Annex I establishes that highly critical sectors include:
- Energy
- Transportation
- Healthcare
- Banking
- Drinking water and wastewater
- Financial and digital infrastructure (domain providers, cloud services, etc.)
- B2B ICT service management
- Certain public administrations
- Space
Annex II includes as critical sectors:
- Postal and courier services
- Waste management
- Manufacturing, production, and distribution of chemicals and food
- Manufacturing of key products (medical devices, electrical and electronic products, IT equipment, machinery, and transportation)
- Digital service providers (search engines, online marketplaces, and social media providers)
If an organization is medium or large and operates in these sectors, NIS2 should be at the top of its priority list.
Our practical recommendation is to download this guide from INCIBE, which breaks these Annexes down by activity more clearly. That way, you'll only strain your eyes on the text of the Directive as much as strictly necessary.
NIS2 Compliance for Small Businesses and Microenterprises
After reviewing the above, the question is clear: “If I am a microenterprise or small business, does this mean I am exempt?”
The correct answer is the most dreaded one: “It depends.”
The law states that small businesses and microenterprises that play a key role in society, the economy, or certain types of essential services are also required to comply.
These are considered critical entities (as defined in Article 6 of Directive (EU) 2022/2557), which provide essential services where “an incident would have significant disruptive effects”. In such cases, even a smaller organization would fall under the directive's scope.
However, NIS2 itself, in Recital 20, implicitly acknowledges that this definition is complex. For this reason, each EU member state must determine whether a small business is critical and provide it with guidelines and information to ensure compliance.
Practical Recommendation: If there is any suspicion that the above might apply to an organization, no matter how small, it is best to check with INCIBE or a similar agency in the relevant country.
Key Cybersecurity Requirements of NIS2
If an organization is required to comply, the next logical question is: “To what exactly?”
The regulation establishes minimum requirements in Article 21.2. These aim to unify European security standards and cover the entire cybersecurity process: from prevention to incident response, including information system defense, business continuity assurance, and staff awareness and training.
Each EU country must integrate NIS2 into its national laws, and the directive leaves room for interpretation, which creates uncertainty in the daily work of CISOs. This is especially challenging because the directive states that measures must be proportional to the size, cost, and risk of the activity, and must take into account the state of the art.
As is always the case with technology, practical guidelines cannot be too specific because, by the time they are written down, they are likely already outdated. Hence the phrase “taking into account the state of the art,” which essentially means staying at the cutting edge of technology.
Moreover, what is considered proportional may be subject to the interpretation of the authority enforcing the regulation. Therefore, it is wise to err on the side of caution with these practical considerations.
System Security According to NIS2
Organizations must demonstrate their capability to defend critical infrastructure, which involves two main aspects.
The first aspect is building a strong infrastructure, essentially a castle with resilient walls, well-managed by the NOC (Network Operations Center), which mainly involves:
- Hardening servers and endpoints, securing each element with best practices.
- Effective access management to those walls, with multi-factor authentication and a strict access and identity policy for both users and devices.
- Encryption systems, backups, redundancies, and other necessary measures for resilience and business continuity as required by NIS2.
The second aspect is that once these robust walls are built, they must be actively defended, which includes:
- Using EDR (Endpoint Detection and Response).
- Implementing Intrusion Detection and Prevention Systems (IPS/IDS) for proper security monitoring.
- Utilizing SIEM (Security Information and Event Management).
Incident Response and Management According to NIS2
This is another key area of the law, requiring:
- Rapid and clear communication of incidents (to the previously mentioned CSIRT) within 24 hours of discovery.
- Proper management of these incidents.
Given the significant penalties imposed by NIS2 for non-compliance in these areas, it is worth exploring this topic in greater depth.
SIEM and IPS/IDS as Key Elements for Complying with the NIS2 Directive
For a critical organization, using SIEM systems and threat detection systems is essential for achieving adequate defense.
When combined with EDRs that protect endpoints, and IDS and IPS that operate at the network and host levels, a system like Pandora SIEM becomes the brain of your security operation, because it:
- Collects logs: From networks, servers, and even the office coffee machine—because someone thought it was a good idea to buy a “smart” one.
- Correlates events: If someone in Bangladesh accesses the server in Barcelona and that “employee” downloads a suspicious file, the SIEM connects the dots and takes action, alerting and mitigating the threat. Pandora’s AI features, for example, make that correlation even more effective.
- Generates automatic reports, so you don’t have to burn your eyes staring at Excel during an audit.
In this way, you ensure that you are always considering “the state of the art” and its ongoing advancements.
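The correlation described above (an anomalous login followed shortly by a suspicious download by the same account) reduced to a minimal rule over constructed sample events. This is an added illustration, not Pandora SIEM's own code; the event schema, the expected-country set and the file-suffix list are assumptions for the example.

```python
"""Minimal SIEM-style correlation over constructed sample events."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs): an account normally used from
# Spain logs in from Bangladesh and then downloads a double-extension executable.
EVENTS = [
    {"ts": "2025-03-01T08:00:00", "type": "login", "user": "jgarcia",
     "host": "srv-bcn-01", "country": "ES"},
    {"ts": "2025-03-01T08:05:00", "type": "download", "user": "jgarcia",
     "host": "srv-bcn-01", "file": "report.pdf"},
    {"ts": "2025-03-01T09:12:00", "type": "login", "user": "jgarcia",
     "host": "srv-bcn-01", "country": "BD"},
    {"ts": "2025-03-01T09:20:00", "type": "download", "user": "jgarcia",
     "host": "srv-bcn-01", "file": "invoice.pdf.exe"},
]

EXPECTED_COUNTRIES = {"ES"}           # where this user's logins normally originate
SUSPICIOUS_SUFFIXES = (".exe", ".scr", ".js", ".hta")
WINDOW = timedelta(minutes=30)        # how long after the login we correlate

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def is_suspicious_file(name):
    # Catches both bare executables and double extensions such as "x.pdf.exe".
    return name.lower().endswith(SUSPICIOUS_SUFFIXES)

def correlate(events, expected=EXPECTED_COUNTRIES, window=WINDOW):
    """Return one alert per login from an unexpected country that is followed,
    within `window`, by a suspicious download by the same user on the same host."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, login in enumerate(events):
        if login["type"] != "login" or login["country"] in expected:
            continue
        for later in events[i + 1:]:
            if _ts(later) - _ts(login) > window:
                break  # events are sorted, so nothing later can match
            if (later["type"] == "download" and later["user"] == login["user"]
                    and later["host"] == login["host"]
                    and is_suspicious_file(later["file"])):
                alerts.append({"user": login["user"], "host": login["host"],
                               "country": login["country"], "file": later["file"],
                               "severity": "high"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT:", alert)
```

A real deployment would feed the same rule from parsed authentication and proxy/EDR logs and hand the alert to an automated response step, which is the part the page attributes to the SIEM.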
Log Collection Requirements Under NIS2
We may excel in security, but the old proverb always holds true: it's not a question of whether an incident will happen, but when.
The incident response and communication requirements set by NIS2 necessitate proper log collection, storage, and management, which will also be crucial for passing the mandatory reviews and audits.
Yes, Chapter VII (Article 32) is explicit about this, and organizations must be able to pass these audits and reviews—even in the absence of incidents. This means collecting, storing, and easily reviewing logs while ensuring their integrity and authenticity.
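One way to make stored logs tamper-evident, so that their integrity and authenticity can be shown to an auditor: each record is hash-chained to the previous one and the link is authenticated with an HMAC. This is an added example, not Pandora's log store; the signing key and the sample records are constructed for the demonstration.

```python
"""Tamper-evident log store: hash chain for integrity, HMAC for authenticity."""
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this in a KMS/HSM, not in source.
SIGNING_KEY = b"demo-key-do-not-use-in-production"
GENESIS = "0" * 64

def _digest(prev_hash, entry):
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(chain, entry, key=SIGNING_KEY):
    """Append `entry` (a dict) to `chain`, linking it to the previous record and
    authenticating the link so only a key holder can produce valid records."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = _digest(prev, entry)
    tag = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
    chain.append({"entry": dict(entry), "prev": prev, "hash": h, "mac": tag})
    return chain

def verify(chain, key=SIGNING_KEY):
    """Return (ok, index_of_first_bad_record). Detects edited, deleted,
    reordered or forged records anywhere in the chain."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected_tag = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if (rec["prev"] != prev
                or rec["hash"] != _digest(prev, rec["entry"])
                or not hmac.compare_digest(rec["mac"], expected_tag)):
            return False, i
        prev = rec["hash"]
    return True, None

# Constructed sample records
SAMPLE = [
    {"ts": "2025-03-01T09:12:00", "msg": "login jgarcia from BD"},
    {"ts": "2025-03-01T09:20:00", "msg": "download invoice.pdf.exe"},
    {"ts": "2025-03-01T09:21:00", "msg": "EDR quarantined invoice.pdf.exe"},
]

def build(entries=SAMPLE):
    chain = []
    for entry in entries:
        append(chain, entry)
    return chain
```

Anchoring the latest hash periodically in a separate system (a signed timestamp, a WORM bucket) is what turns this into evidence an auditor can check independently of the log server itself.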
For a critical organization, this requires professional tools that make this process seamless.
The temptation to use free applications is strong, but they are insufficient against today’s threats facing key sectors… and they won’t help avoid the auditor raising an eyebrow and reaching for the “non-compliant” stamp.
How Pandora FMS and Pandora SIEM Help Ensure NIS2 Compliance
Anything less than best security practices, supported by advanced tools, is insufficient for a critical organization. It complicates operations and makes legal compliance challenging.
That’s why Pandora SIEM provides:
- Advanced security monitoring with real-time threat detection.
- AI-supported security event correlation, leading the way in best practices and security technology as required by NIS2.
- Audit-ready reporting to demonstrate regulatory compliance during audits and controls.
- Centralized log collection and analysis with long-term retention, enabling clear communication in the event of an incident and easier incident resolution by quickly identifying what happened, how, and where.
NIS2 is Europe’s answer to an increasingly turbulent global cybersecurity landscape. But let’s face it: technology laws often lag behind and can sometimes be ambiguous in scope and interpretation.
This creates nightmares for CISOs and compliance professionals, but the solution is clear: Stay ahead of the legislation.
Lead the way in best practices and tools, so that when the next regulation arrives with its thousand pages of rules, you are already a step ahead—and it doesn’t come crashing down on your head.
This way, you’ll ensure that legal requirements don’t join forces with malicious code to complicate your day-to-day operations.
Always with a keyboard in my hands, ever since I opened up my first ZX Spectrum wide to see how it worked, technology has been my passion and my work, what I speak about and what I write about.