Introduction

The NIS 2 Directive marks a significant step in the EU’s ongoing efforts to strengthen cybersecurity across Member States. It builds on and replaces the original NIS Directive (Directive (EU) 2016/1148), the first EU-wide legislation designed to improve the security of network and information systems. Officially published on December 27, 2022, the updated directive took effect on January 16, 2023, setting the stage for a more comprehensive and resilient cybersecurity framework.

One of the most notable changes in NIS 2 is its broader scope and stricter requirements, designed to keep pace with the rapidly evolving digital landscape. EU Member States were required to transpose the directive into their national laws by October 17, 2024, a critical milestone in ensuring a unified approach to cybersecurity across Europe. By reinforcing protections for critical infrastructure and addressing emerging cyber threats, NIS2 aims to create a safer and more resilient digital environment in an increasingly interconnected world.

Objectives

The NIS 2 Directive aims to:

  • Create a consistent level of cybersecurity across all EU Member States by establishing common minimum standards and requirements for risk management, incident reporting, and security measures.
  • Strengthen cybersecurity within the EU across public and private sectors.
  • Expand the scope of protection, focusing on critical services such as healthcare, energy, transport, public administration and other essential sectors that contribute to the stability and security of the EU.

Key Elements

  • Enhanced Cybersecurity Measures: Organisations are required to implement technical and organisational measures to prevent, detect, and respond to security incidents.
  • Mandatory Reporting: A key focus is on mandatory reporting of incidents to national authorities to enhance the collective security posture of the EU.
  • Supply Chain Security: The Directive recognizes the importance of securing the supply chain and requires entities to assess and mitigate risks associated with third-party providers and dependencies.
  • Sector-Wide Coverage: The Directive applies to both public and private sectors, encompassing a wide array of services and sectors that play a crucial role in the EU’s infrastructure and economy.

Does NIS 2 apply to my organization?

It is important to note that the NIS 2 Directive is a binding legal act issued by the European Union that requires EU Member States to implement specific cybersecurity requirements. Unlike standards such as ISO certifications, which provide a framework in support of regulations but are not themselves mandatory, the NIS 2 Directive sets mandatory requirements that must be transposed into national law within a specified timeframe, ensuring compliance across all Member States.


Type: Essential Entities

Definition: Large organisations in highly critical sectors (Annex I of the NIS 2 Directive)

Sectors (Annex I):
  • Energy
  • Transport
  • Banking
  • Infrastructure for the financial market
  • Health care
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (B2B)
  • Government
  • Space

Type: Important Entities

Definition: Medium-sized enterprises in high criticality sectors (Annex I) and certain large/medium-sized enterprises in specified sectors (Annex II of the NIS 2 Directive)

Sectors (Annex II):
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research

ICT PROTECT: NIS 2 Gap Analysis & Compliance Roadmap

This section describes the methodology that ICT PROTECT consultants propose to follow in order to conduct the NIS 2 gap analysis and define the compliance roadmap.

Phase I: Information Security Documentation Gap Analysis

During this phase, a brief documentation review of the current status will be conducted to identify the security controls, policies and procedures that the Client has in place, and to highlight deficiencies and/or non-compliance with the NIS 2 security requirements.

In particular, the required actions (organisational controls) that the Client will have to implement in order to comply with the NIS 2 security requirements (NIS 2 Directive Articles 20 and 21) will be defined.

Activities:

  • Review existing ISMS documentation

Deliverables:

  • D1: Documentation Review Gap Analysis

Phase II: Technical Gap Analysis – NIS 2 Compliance Roadmap

Goal:

The main goal of this phase is to identify any gaps between the Client's existing technical controls and the NIS 2 security requirements (NIS 2 Directive Articles 20 and 21) and best practices. Specifically, the purpose of this phase is:

  • to confirm that the Client has effectively implemented the planned security controls,
  • to confirm that the Client conforms with the requirements of the NIS 2 security rules,
  • to identify any grey areas that need further protection.

Activities:

Conduct workshops with key personnel in order to confirm the effectiveness of the technical controls required by the NIS 2 Directive, including (but not limited to):

  • Access Control,
  • Backup,
  • Incident Management,
  • BCP and DRP,
  • Vulnerability Management and Patch Management,
  • Log Management,
  • Encryption, etc.

Deliverables:

  • D2: Technical Gap Analysis – NIS 2 Compliance Roadmap