Doubts and clarifications about how to implement NIS2 in our companies

We recently discussed the NIS2 Directive in another Flu Project article , this time dedicated to a very similar topic, the release of the 2nd RTS package launched by the ESAs for DORA compliance. However, in today's post we want to focus on NIS2 and some of the different questions that have arisen in recent months, so save this post as an FAQ, which may be useful to you in your respective organizations.

As a reminder, when we talk about NIS2 we are referring to Directive (EU) 2022/2555: NIS 2 (v2 of Network and Information Security), aimed at increasing cybersecurity in the EU using essential sectors as a lever. It has nothing to do with the (American) NIST, whose similarity in 3 letters out of 4 is mere coincidence ;). This new regulation was created to update and repeal Directive (EU) 2016/1148 of July 6, 2016 (former NIS1 Directive).

NIS2 distinguishes two large groups to which certain requirements will apply depending on their criticality. These requirements will apply to companies in these sectors, as long as they have more than 50 workers (that is, they are at least a medium-sized company):

• High Criticality Sectors:
• Energy
• Transport
• Bank
• Infrastructure Financial markets
• Health Sector
• Drinking water
• Sewage
• Digital Infrastructure
• ICT Services (B2B)
• Public administration
• Space

• Other Critical Sectors:
• Postal and courier services
• Waste Management
• Manufacture, production and distribution of chemical substances and mixtures
• Food production, transformation and distribution
• Manufacturing: Among others, medical products.
• Digital service providers
• Investigation

However, and due to the wording of Article 2, Point 1 of the Directive, which has generated some controversy because the wording gives rise to confusion, these requirements will not only apply to these 18 sectors in medium and large organizations, but They will also apply to any organization in these sectors, regardless of size, under certain circumstances.

This hypothesis is corroborated by the publication of the National Cryptologic Center, who clarifies on this page that, regardless of their size, the measures will apply to both groups (High Criticality and Critical Sectors) in cases linked to national security and the operation of critical infrastructures, in centers that carry out research (e.g. teaching centers), in regional and local administrations (e.g. city councils), which on the other hand is something obvious, given that in many cases such as in towns and small cities they will not reach 50 employees but their services are more than essential for citizens and the state, etc. In the following capture of the CCN website you can consult these details: 

In this same publication you can download a very interesting infographic that links the National Security Scheme (ENS) with NIS2, and in which they clarify that in the eyes of the administration, a company that has the ENS certified at its High Level will be considered as "compliant" with the NIS2 Directive, so if you already have this certification, you will have already done your homework:

Likewise, it clarifies that those companies that have ENS Medium and Basic certifications must emphasize the issues of continuity and supplier management, as defined by the Directive itself.

To begin to understand what NIS2 is about, I recommend 2 of the official publications that we have in Spanish, the official translation of the directive itself :

And the CCN-STIC Guide 892 which was published just a few days ago: