Recognizing that vulnerabilities within supply chains can compromise the security of essential services, the European Union adopted the Network and Information Security Directive 2 (NIS2) in December 2022. This update to the original NIS Directive of 2016 mandates that organizations implement robust measures to manage and mitigate risks associated with their third-party relationships. EU member states were required to transpose NIS2 into national law by 17 October 2024.
This post examines the types of organizations that must comply with NIS2, the penalties for non-compliance, and how to address specific third-party risk management requirements noted in NIS2.
The NIS2 Directive applies to a wide range of organizations across the European Union, focusing on entities that provide essential services or are considered important for the economy and society.
NIS2 distinguishes between two types of entities: Essential and Important.
Essential entities are those organizations that provide services critical to public safety, security, or the economy. Examples include companies in the following industries:
Essential entities are subject to stricter supervision under the directive, including proactive (ex ante) oversight such as regular audits.
Important entities also play a vital role but are not considered as critical as Essential entities. They are subject to lighter, reactive (ex post) supervision but still must comply with NIS2. Example industries include:
Generally, NIS2 applies to organizations based on specific criteria, such as sector and service (noted above), critical impact, and size. Medium-sized and large entities (defined by the EU as having 50 or more employees, or an annual turnover or balance sheet total above €10 million) are automatically included. Small and micro enterprises are not automatically covered, except where their services are highly critical (for example, a small energy provider in a remote area) or where a member state designates them.
NIS2 can also apply to non-EU companies if they provide services to customers in the EU or operate infrastructure critical to EU member states. Such entities must designate a representative within the EU to ensure compliance with NIS2 obligations.
NIS2 does not apply to certain national security functions (e.g., military operations), law enforcement agencies (in some cases), or small and micro-enterprises (unless critical, as mentioned earlier).
NIS2 places significant emphasis on the security of supply chains and third-party relationships. Organizations must proactively manage risks introduced by third parties to ensure compliance and maintain the integrity of their services. Compared with the original directive, NIS2 changes three things that matter for third-party risk management: scope, accountability, and penalties for non-compliance.
Broadened Scope: NIS2 extends its reach to a broader range of sectors and services, meaning more organizations must implement stringent third-party risk management practices.
Increased Accountability: Senior management is held accountable for ensuring compliance with NIS2, including overseeing third-party risk management. This underscores the need for leadership involvement in cybersecurity initiatives.
Potential Penalties: Non-compliance with NIS2 can result in substantial fines and increased regulatory scrutiny, highlighting the importance of adhering to third-party risk management requirements.
NIS2 introduces significant penalties for organizations that fail to comply with its requirements, and the directive defines the areas of non-compliance that can trigger them. The penalties are designed to ensure organizations take cybersecurity seriously, especially in critical and essential sectors.
Fines: Non-compliance with NIS2 can result in substantial financial penalties, varying with the severity of the breach and the organization's size and classification. For essential entities, member states must allow fines of up to at least €10 million or 2% of the entity's total worldwide annual turnover, whichever is higher. For important entities, the ceiling is at least €7 million or 1.4% of worldwide annual turnover, whichever is higher.
Administrative Sanctions: Regulators can impose other sanctions, such as issuing binding instructions to address deficiencies, orders to comply with specific cybersecurity measures, or, in extreme cases, suspending operating licenses.
Authorities consider several factors when determining the penalty, including the nature and gravity of the breach, whether it was intentional or negligent, and whether there have been previous violations. Demonstrated efforts to mitigate risks, such as implementing corrective measures or cooperating with authorities, may reduce penalties.
Notably, NIS2 explicitly holds senior management accountable for ensuring compliance. Lack of oversight or negligence at the executive level can result in personal liability, including potential legal action.
Although each EU member state is responsible for enforcing NIS2 within its jurisdiction, cross-border cooperation between national authorities exists for entities operating in multiple member states, ensuring consistent enforcement.
To avoid penalties, organizations should conduct regular risk assessments, engage their leadership and board, prepare for reporting, and train staff on sound cybersecurity practices.
The NIS2 Directive includes specific recommendations and requirements for organizations to manage third-party risks effectively.
Organizations are required to establish comprehensive policies that address security-related aspects concerning their relationships with direct suppliers and service providers. This includes assessing the security posture of third parties and ensuring they adhere to appropriate cybersecurity standards. To address this requirement, develop a comprehensive framework for managing third-party risks, addressing:
As part of this, provide training and resources to your third parties to help them understand and comply with NIS2 security requirements. Encourage collaboration and knowledge-sharing about emerging threats and best practices.
Entities must conduct thorough due diligence and risk analyses to identify potential vulnerabilities third parties introduce. This involves evaluating the criticality of third-party services and their potential impact on the organization's operations. Assess the third party’s cybersecurity posture, compliance with industry standards, and incident response capabilities. Then, classify vendors based on their criticality to operations and potential risk impact.
To simplify the process, look for third-party risk management (TPRM) solutions that automate and streamline assessments and establish a centralized repository for vendor data, including risk ratings, compliance status, and historical assessments.
Organizations should have clear procedures for managing incidents that involve third parties. This includes timely detection, response, and reporting of incidents to relevant authorities, ensuring that third-party incidents are handled with the same rigor as internal ones. To address this requirement, establish a unified incident response plan that includes third-party coordination. This should involve:
Consider cyber insurance to manage residual risks in incidents involving third parties and evaluate whether third-party insurance policies adequately cover supply chain risks.
Ongoing monitoring of third-party security practices is essential. Organizations should regularly assess the effectiveness of their third-party risk management measures and adapt them as necessary to address evolving threats. To address this requirement, implement ongoing monitoring of third-party activities, including:
Include clear, enforceable cybersecurity requirements in contracts with third parties. Key elements may include:
This ensures that third parties are contractually bound to maintain appropriate security measures and report incidents promptly.
By embedding these practices into your organization’s third-party risk management strategy, you can ensure compliance with NIS2 while minimizing the risks posed by external vendors and suppliers.
Part of the Mitratech Enterprise Risk Management Platform, the Prevalent TPRM solution automates the assessment, monitoring, and management of third-party risks in concert with your broader cybersecurity and enterprise risk management program. With the Prevalent solution, your team can:
For more on how Mitratech can simplify NIS2 third-party risk management compliance, request a demonstration today.