October 2024 / 10 Min Read

Is Your Organisation Ready for NIS2?

The EU’s new cyber security legislation affects many organisations, with the threat of fines for those who do not comply. Read our guide to make sure your organisation is meeting its NIS2 requirements.

Key Takeaways

The EU’s Network and Information Security (NIS2) Directive started to take effect across Europe from 18 October 2024 with the UK expected to adopt similar legislation.
More businesses are now under the scope of the legislation with a requirement to strengthen their cyber security arrangements.
Every business should look at the requirements for NIS2 and assess their compliance, or risk possible large fines.

What is the NIS2 Directive?

The European Union’s Network and Information Security (NIS2) Directive replaces the NIS Directive 2016 and aims to ensure a “high common level of cybersecurity across the EU’s Member States” by further strengthening cyber security requirements in critical infrastructure, and those industries and organisations that are indispensable for the functioning of the economy.

The European Parliament has adopted the Network Information Systems 2 (NIS2) directive as of December 2022. Member states had until October 2024 to incorporate the directive into their national legislation. NIS2 was ratified on 16 January 2023, and the majority of the EU’s member states are expected to have adopted and published the measures necessary to comply with the directives by mid-2025.

For businesses in the UK, the EU law will not be implemented, but it’s expected that an expansion of the UK NIS Directive will include similar requirements to NIS2. UK businesses who operate within the EU will have to comply with NIS2 to ensure they can show consistent levels of cyber security standards.

What are the Main Changes?

The main changes under NIS2 include:

Expansion of industry sectors and entities coming under the scope of NIS2

The original NIS covered so-called operators of essential services like water supply, healthcare, transportation and some digital service providers. NIS2 has been expanded to include industries such as postal and courier, food, space, and waste water, as well as numerous mid-sized companies with 50 or more employees and earnings above €10 million.

Management responsibilities

Management bodies are responsible for approving the cybersecurity risk management measures taken by their company, overseeing their implementation, and can be held liable for infringement. Management members are required to undertake training so that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk management practices and their impact to their services.

Strengthened cybersecurity risk-management measures

Organisations should take appropriate and proportionate technical, operational, and organisational measures to manage their cyber risks and to prevent or minimise the impact of incidents on recipients of their services.

There are now minimum requirements that organisations in scope for NIS2 must implement. These range from the use of multi-factor authentication to incident handling and policies and procedures to assess the effectiveness of cybersecurity risk management measures.

Cybersecurity risk-management measures adopted by the organisation must be documented and evidence of implementation of cybersecurity policies must be available. For example, their incident handling must be clearly defined, and they must have disaster recovery plans in place.

In the event of a cyber incident, organisations must fulfil three specific steps within a tight timeframe:

Within 24 hours of a cyber attack, an initial warning must be sent to the authority responsible in their country.
Within 72 hours, further information about the incident must be provided.
Within one month, a final detailed report on the incident must be available.

Supply chain security in scope

Cybersecurity risk management is expanded to include supply chain security. Organisations in scope of NIS2 should consider the vulnerabilities specific to each of their direct suppliers and service providers to prevent or minimise the impact of supply chain incidents on recipients of their services and on other services.

Higher fines

“Essential” companies found to be non-compliant with NIS2 will face administrative fines of a maximum of €10 million or a maximum 2 percent of their total worldwide annual turnover (whichever is higher), while “important” companies will see fines of up to €7 million or 1.4 percent (whichever is higher).

Which Companies are Affected by the NIS2 Directive?

The EU divides the list of companies in scope by NIS2 into ‘essential’ and ‘important’ (see below). This list includes energy providers, online marketplaces, corporations, as well as numerous medium-sized companies and government agencies. While the main targets for NIS2 are medium-sized companies and above, some smaller companies can also come under NIS2’s requirements if certain conditions are met, or they are deemed as essential.

Companies must identify whether they are affected by NIS2. Also, companies which are part of the supply chain of these companies can be affected. An appendix is included in NIS2 legislation. Aon can also work with you to help you understand whether you are affected and the next steps you need to take.

Essential

Banking

Digital Infrastructure (DNS, IXP, TLD, ICT)

Energy

Financial market infrastructures

Health

ICT service management

Public administration

Space

Transport

Water and sewage

Important

Digital providers

Manufacturing

Manufacture, production, and distribution of chemicals

Postal and courier services

Production, processing, and distribution of food

Research

Waste management

What do Companies Need to do Now

If your business is an essential or important entity, management need to look at the requirements of NIS2. These requirements include taking steps around operational cyber risk management; cyber hygiene; incident response; incident reporting; and supply chain security.

As one of the world’s largest cyber security firms with an international network of around 600 cyber security experts, we can offer help, support and advice on every stage of the NIS2 journey.

What NIS2 Demands

How Aon Can Help

Assess the effectiveness of cybersecurity risk-management measures

Optimisation of finite budget investments to help your organisation achieve better maximum Return on Security Investments.

Basic cyber hygiene

Provide an assessment of your organisation’s cyber posture and general hygiene to help evaluate and pinpoint risk and security control gaps.

Multi-factor or continuous authentication (MFA)

Provide strategic support for the selection, adoption, and deployment of appropriate Multi-factor Authentication solutions.

Policies and procedures regarding cryptography

Develop specified models for the construction and rollout of specific user awareness training modules.

Supply chain security

Align cyber risk in the supply chain to your existing corporate risk appetite framework and develop a company specific approach to better analyse and target improved supply chain cyber resilience.

Cyber Incident handling

Analyze your incident response preparedness and the development of comprehensive incident response protocols including:

Incident Readiness Assessment
Creation of Incident Response Plan (IRP)
Offering of Incident Response Retainer (IRR) worldwide
Cyber Business Continuity Management
Cyber Insurance Claims Protocol Development

Cyber Incident reporting

Assess your company’s incident reporting capabilities and responsiveness and design or adjust existing incident reporting procedures to ensure alignment with new regulatory requirements.

Policies on risk analysis and information system security

Develop or review of appropriate risk management systems aligned with enterprise risk management (ERM) frameworks.

Security in network and information systems

Systematically hunt generic and targeted threats within the network and monitor the deep and dark webs for threats and leaked assets.

Policies and procedures to assess effectiveness of risk management

Develop frameworks for risk assessments at an organisational level combined with scenario specific stress testing to examine overall risk management maturity and rigour.

NIS2: Four Questions Every Business Should Ask Themselves

Is my company affected by NIS2?
Is our risk management at the right level for NIS2?
Can my company report cyber security incidents properly or not?
What is the state of my company's supply chain risk management when it comes to cyber security?

Aon helps to empower clients to manage the full lifecycle of their cyber journey. Our holistic suite of cyber risk solutions integrates seamlessly to drive efficiencies and transparency, and help clients be better informed to safeguard their balance sheets and effectively manage risk. Learn how Aon’s Cyber Loop Model can support your organisation on its journey to sustained cyber resilience here.

Contact Us

If you are interested in learning more about how Aon can help your organisation prepare for NIS2, please complete the form below. A member of our team will be in touch shortly.

First Name Last Name Job Title Business Email Business Phone Location Organization Industry Annual Revenue Employee Headcount How can we help?
Aon and other Aon group companies will use your personal information to contact you from time to time about other products, services and events that we feel may be of interest to you. All personal information is collected and used in accordance with our privacy statement.

Please click here to manage your communication preferences