The new Network and Information Systems Directive (NIS2) came into effect on 18 October 2024 and with it comes an overhaul of the way in which cybersecurity risk management is regulated in Europe.
In this article we cover the applicability of NIS2 to digital infrastructure providers and digital services providers (collectively “digital providers”), an expansion in scope under NIS2 that represents a major shift for the EU’s digital sector.
Digital providers have, historically, fallen outside the scope of cybersecurity regulation which has traditionally focused on physical infrastructure (e.g., telecommunications networks, energy grids, transportation hubs and infrastructure) and/or services critical to the functioning of our economy (e.g., healthcare, banking). A lot has changed since NIS1 came into force in May 2018 and now digital providers are wholly embedded at the heart of economies and, consequently, a failure to compel a robust and resilient approach to cybersecurity within these sectors can now cause just as much harm as in traditional critical infrastructure.
It is the expansion to include a wide range of digital providers that has resulted in an exponential increase in the number of businesses which now fall under NIS2 auspices. For many digital providers, NIS2’s new enhanced cybersecurity obligations, incident reporting requirements, audit and oversight measures, and enforcement powers will represent a marked shift in how these sectors culturally approach cybersecurity compliance in Europe.
That, coupled with enhanced enforcement powers, underpinned by fining powers of up to €10m or 2% of worldwide turnover and (in some cases) sanctions against management and the C-suite, makes NIS2 a key regulatory challenge for these sectors as we move into 2025 and beyond.
This article, part of our NIS2 series, provides a high-level overview of what you need to know for your sector and what steps you need to take now. For a more in-depth insight into NIS2 and its requirements, see our article here.
We anticipate that many legal, infosec and compliance professionals working in this sector may be learning about NIS2 for the first time and seeking to come to terms with what it means for their organisation and where to begin with operationalising NIS2. On that basis, we have included an info sheet roadmap of the initial steps organisations should take now to move towards NIS2 compliance.
Note on the UK: This article focuses on the EU's enhanced cybersecurity framework, which will not be applicable to the UK. For specific guidance on the steps the UK is undertaking in this space, please contact a member of the Resiliency team.
Just what constitutes a digital provider under NIS2?
When we refer to “digital providers” we are actually referring to a wide range of digital sectors under which the European Commission has retained competence to set the standards for aspects such as cybersecurity controls, incident reporting and vendor management – albeit Member States still retain the right to enforce those measures against digital providers.
In fact, ‘digital provider’ covers a broad range of sectors which include:
- Digital infrastructure providers: Internet Exchange Points, DNS service providers, TLD registries, CDNs, Trust authentication providers.
- Digital service providers: including online marketplaces, online search engines and social networking platforms.
- Managed service providers: which extends to any organisation that provides services relating to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, including all XaaS providers, outsourced IT providers, providers of CRM, ERP and HRMS systems, e-commerce platforms, finance payment service providers, productivity tools and industrial monitoring systems (e.g., SCADA) and gaming, entertainment and streaming platforms.
- Managed security service providers: which includes all managed service providers which are active in the provision of cybersecurity and risk management products including endpoint protection, mobile device management, network security products (e.g., IDPS, SWGs, firewalls, including FWaaS), vulnerability scanning and pen-testing services, identity and access management (e.g., MFA, PAM and SSO products), disaster recovery and DLP providers, and advanced threat detection services.
The sector also includes data centres and cloud providers, which we covered in a standalone article here.
Why the focus on digital providers?
Incidents that have impacted digital providers over the past few years emphasise their criticality to our economy and the impact such attacks and outages can have. Examples include Akamai’s CDN outage in 2021, which impacted multiple websites and online platforms, and Slack’s GitHub Repository Compromise in 2022, which resulted in security tokens being compromised.
In addition, as nearly all critical sectors rely on digital tools in some way to operate their critical infrastructure and services, digital providers represent a key supply-chain vector through which attackers can compromise our wider infrastructure. Incidents such as the ransomware attack on Kaseya’s VSA software (which affected over 1000 businesses), CCleaner’s incident in 2017 which allowed cybercriminals to infiltrate notable telecommunications providers, and the infamous SolarWinds Supply Chain attack in 2020 all emphasise the ability of digital providers to be used as a vector to compromise critical infrastructure.
Finally, it goes without saying that the CrowdStrike outage in July 2024 qualifies as the type of significant event that would trigger multiple incident notification requirements had it occurred when NIS2 was in force.
NIS2 imposes obligations on a broader range of entities, depending on whether they are identified as being ‘essential’ or ‘important’.
Given their absolutely essential role in the European economy, nearly all digital sectors are categorised under NIS2 as ‘essential’ with the notable exception of digital service providers, which are regarded as ‘important’.
Incident management
NIS2 represents a significant cultural change in the way organisations approach incident management, and for the personnel who will need to be involved in that process.
One of the most significant aspects of NIS2 is the emphasis on breach reporting, which requires affected entities to promptly report any cybersecurity incidents to the relevant authority without undue delay and no later than 24 hours after detection of the incident, with more detailed reporting at additional intervals.
For digital providers, the European Commission has published the “NIS 2 Implementing Regulation” (“N2IR”), which clarifies the specific cybersecurity standards and incident reporting criteria that digital providers must follow.
You can read more about the details in our dedicated article here, but crucially key reporting thresholds differ across digital providers as follows:
For CDN providers
- Complete unavailability for more than 30 minutes.
- Limited availability for 5% or 1 million users (whichever is smaller).
- Any compromise of data integrity, confidentiality, or authenticity, or compromised physical access, resulting from a suspected malicious action.
- Any compromise of data integrity, confidentiality, or authenticity, or compromised physical access which impacts 5% or 1 million users (whichever is smaller) from any cause.
For managed service providers
- Complete unavailability of any managed service or security service for more than 30 minutes.
- SLA non-compliance affecting more than 5% of EU users or 1 million EU users for more than one hour.
- Compromise of data integrity, confidentiality, or authenticity impacting more than 5% of EU users.
For digital service providers
- Complete unavailability of any managed service or security service for more than 30 minutes.
- SLA non-compliance affecting more than 5% of EU users or 1 million EU users for more than one hour.
- Compromise of data integrity, confidentiality, or authenticity impacting more than 5% of EU users.
Finally, incident thresholds for core network-based digital infrastructure providers differ markedly across DNS providers, TLD name registries and cloud providers.
The enhanced reporting criteria above are in addition to (and cumulative with) the general categories of incidents (many of which may also be novel to organisations) that apply to the broader category of digital providers.
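To make the sector-specific thresholds above concrete, here is a small triage helper, added as an illustration and not taken from the article or from any regulator's tooling. It encodes the CDN, managed service provider and digital service provider criteria listed above, applies the "5% or 1 million users, whichever is smaller" logic, and computes the 24-hour early-warning deadline from the detection time. The `Incident` fields, the sector keys and the sample user counts are constructed assumptions for the example; they are not defined by NIS2 or the N2IR.

```python
"""Triage an incident against the NIS2 / N2IR reporting thresholds quoted above.

Added example (not from the original article). Field names, sector keys and
all sample numbers are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class Incident:
    sector: str                        # "cdn", "managed_service" or "digital_service" (assumed keys)
    detected_at: datetime              # moment of detection; starts the 24-hour clock
    total_users: int                   # size of the EU user base (constructed input)
    unavailable_minutes: float = 0.0   # duration of complete unavailability
    degraded_users: int = 0            # users with limited availability / SLA breach
    degraded_minutes: float = 0.0      # how long that degradation lasted
    cia_compromised_users: int = 0     # users hit by a confidentiality/integrity/authenticity compromise
    suspected_malicious: bool = False  # is the compromise suspected to be malicious?
    physical_access_compromised: bool = False


def user_threshold(total_users: int) -> int:
    """'5% or 1 million users, whichever is smaller', with 5% rounded up to a whole user."""
    five_percent = -(-total_users * 5 // 100)  # integer ceiling of 5% of the user base
    return min(1_000_000, five_percent)


def cdn_reasons(inc: Incident) -> List[str]:
    """Criteria listed above for CDN providers."""
    t = user_threshold(inc.total_users)
    reasons = []
    if inc.unavailable_minutes > 30:
        reasons.append("complete unavailability for more than 30 minutes")
    if inc.degraded_users >= t:
        reasons.append(f"limited availability for at least {t} users")
    compromised = inc.cia_compromised_users > 0 or inc.physical_access_compromised
    if compromised and inc.suspected_malicious:
        reasons.append("C/I/A or physical-access compromise from a suspected malicious action")
    if inc.cia_compromised_users >= t:
        reasons.append(f"C/I/A compromise impacting at least {t} users (any cause)")
    return reasons


def service_provider_reasons(inc: Incident) -> List[str]:
    """Criteria listed above for managed service and digital service providers."""
    t = user_threshold(inc.total_users)
    reasons = []
    if inc.unavailable_minutes > 30:
        reasons.append("complete unavailability of a service for more than 30 minutes")
    if inc.degraded_users > t and inc.degraded_minutes > 60:
        reasons.append(f"SLA non-compliance affecting more than {t} users for more than one hour")
    # This criterion, as quoted above, refers to 5% of EU users only (no 1 million cap).
    if inc.cia_compromised_users * 100 > inc.total_users * 5:
        reasons.append("C/I/A compromise impacting more than 5% of EU users")
    return reasons


def assess(inc: Incident) -> Dict[str, object]:
    """Return whether the incident crosses a sector threshold, why, and the 24h deadline."""
    if inc.sector == "cdn":
        reasons = cdn_reasons(inc)
    elif inc.sector in ("managed_service", "digital_service"):
        reasons = service_provider_reasons(inc)
    else:
        raise ValueError(f"unknown sector key: {inc.sector!r}")
    return {
        "reportable": bool(reasons),
        "reasons": reasons,
        # Early warning is due without undue delay and no later than 24 hours after detection.
        "early_warning_deadline": inc.detected_at + timedelta(hours=24),
    }


# Constructed sample incidents (not real events).
DETECTED = datetime(2024, 10, 18, 9, 0, tzinfo=timezone.utc)
CDN_SAMPLE = Incident("cdn", DETECTED, total_users=10_000_000,
                      unavailable_minutes=10, degraded_users=600_000)
MSP_SAMPLE = Incident("managed_service", DETECTED, total_users=40_000_000,
                      degraded_users=1_200_000, degraded_minutes=90,
                      cia_compromised_users=1_500_000)
DSP_SAMPLE = Incident("digital_service", DETECTED, total_users=1_000_000,
                      unavailable_minutes=20, degraded_users=10, degraded_minutes=5)

if __name__ == "__main__":
    for sample in (CDN_SAMPLE, MSP_SAMPLE, DSP_SAMPLE):
        print(sample.sector, assess(sample))
```

The helper deliberately separates "is this reportable at all" from "which criterion fired", because the reasons list is what the legal and compliance functions need when they are brought into the process early, and the deadline is computed from detection rather than from the triage decision so that slow classification cannot quietly extend the 24-hour window.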
For digital providers, this means that under NIS2:
- A regulated entity’s information security team will need to be sufficiently resourced to ensure they can notify incidents within a 24-hour window.
- Information security teams will need to develop new processes for how they identify and classify incidents.
- Wider departments (particularly legal, compliance, and risk functions) will need to be introduced into the incident management process at an earlier stage to consider any impact to the company associated with notification. The significant financial sanctions make this a key priority.
- Members of the entity’s legal, compliance, and risk departments will need to be upskilled on aspects of incident classification, containment, and mitigation to contribute effectively to this assessment.
Other requirements
NIS2 additionally mandates that digital providers undertake the following cybersecurity risk-management measures (amongst others):
- Digital providers should have security policies, adequate resourcing and defined roles and responsibilities. Entities must ensure staff and third-party compliance, with at least one person reporting directly to management on security matters.
- Risk management systems that include risk assessments, treatment plans, and management approval of residual risks.
- Incident handling: a simple mechanism for reporting suspicious events, communicated to suppliers and customers; robust monitoring and logging with a clear reporting mechanism for suspicious events; prompt assessment, classification and management of incidents; effective communication with stakeholders; and established incident response teams, with post-incident reviews to improve future response.
- Digital providers must establish and routinely test business continuity and disaster recovery plans. These plans must be grounded in risk assessments and should clearly define roles, communication channels, activation criteria, failover service level agreements, and recovery processes.
- Digital providers must extend their cybersecurity practices throughout the entire supply chain and implement robust risk management processes along with associated audit and oversight mechanisms. The vendor management framework should identify and mitigate risks in procurement and acquisition and continuing through supplier replacement and offboarding.
- Digital providers must maintain strong cyber hygiene practices and ensure there is ongoing staff training, covering secure development practices, cryptographic protections, and configuration management to address cybersecurity risks effectively.
- Digital providers must establish appropriate measures for protecting assets, detailing the protocols, algorithms, and cryptographic solutions employed for their security.
- Digital providers must implement strong authentication, identity management, and access management controls. Policies and operational processes should be regularly reviewed and adhere to principles such as least privilege.
- All information and assets within a digital provider’s regulated estate must be classified according to their sensitivity and business value, taking into account confidentiality, integrity, authenticity, and availability requirements. Digital providers must then develop policies aligned with this classification to ensure proper handling of information and asset management.
- Core network and information systems must be protected against utility failures by implementing facility resilience, redundancy, and continuous monitoring to ensure environmental security.
Registration
With NIS2 comes a new mandatory registration requirement. A regulated entity will be required to register with its competent authority and provide key details about where the organisation provides its services, its IP ranges, and (where applicable) the identity and contact information of its designated representative.
Providers and suppliers located outside Europe and with no legal presence will need to appoint a local representative.
For digital providers, determining the appropriate registration will be a challenge, particularly for large providers with a strong presence in multiple EU markets. Counsel should therefore be sought on where and how the entity should register.
We have ISO27001 – do we need to do anything?
In short – yes. While it is true that both NIS2 and ISO27001 (and other information security management frameworks such as ISO22301) aim to enhance an organisation’s cybersecurity and resiliency, NIS2 is fundamentally different in its scope.
The mandatory controls required under NIS2 are more granular in nature and will apply to a wider part of an organisation (including entities that would typically be segregated under ISO27001). In addition, due to the stringent requirements around incident management, reporting and audit, it is highly unlikely an organisation will be able to simply rely on its ISO27001 certification to achieve NIS2 compliance.
In particular:
- Scope of Application: ISO certifications and frameworks like SOC 2 typically focus on specific domains such as information security or operational controls within the organisation. NIS2, by contrast, takes a more holistic approach. It applies to the entire ecosystem of the digital provider, encompassing IT systems, operational technology (OT), supply chain risks, and even physical infrastructure.
- Mandatory Incident Reporting: As outlined above, NIS2 introduces incident classification and reporting timelines that are significantly more detailed and prescriptive than those under ISO 27001 or SOC 2 frameworks.
- Regulator Oversight and Enforcement: ISO certifications are fundamentally voluntary, whereas NIS2 imposes mandatory regulator-led oversight, including regular audits and inspections. In light of the significant financial penalties for non-compliance, existing certifications, while indicative of strong internal governance, do not prepare organisations for the rigorous external scrutiny required under NIS2.
That said, those organisations with ISO27001 (particularly the 2022 version) will already have in place a strong governance framework and ISMS onto which NIS2 controls can be added.
Vendor Management
NIS2 places a strong emphasis on the role of vendor management in ensuring the overall cybersecurity posture of regulated entities. For digital providers, effective vendor management is not only a best practice but a regulatory necessity to ensure compliance. Key considerations include:
- Understanding Vendor Criticality: Organisations must assess the criticality of each vendor in relation to their NIS2-regulated systems. Vendors providing essential infrastructure or services, such as cloud hosting, cybersecurity tools, or operational technology, require enhanced scrutiny to mitigate risks.
- Enhanced Vendor Due Diligence: Traditional vendor due diligence processes should be reviewed and updated to include assessments of vendors' own compliance with NIS2 standards. This includes verifying their incident management capabilities, cybersecurity policies, and supply chain resilience.
- Updating Vendor-Facing Terms and Policies: Digital providers should revise standard vendor-facing agreements and policies to align with NIS2 requirements. This may include mandating adherence to specific security protocols, requiring incident reporting within predefined timelines, and ensuring appropriate data protection measures are in place.
- Incorporating Enhanced Audit Rights: Contracts with critical vendors should include provisions for regular audits and oversight, allowing regulated entities to verify vendors' compliance with NIS2 obligations. This is particularly crucial for high-risk suppliers or those integral to regulated systems.
Customer-Facing Requirements
For many digital providers, compliance with NIS2 is not limited to internal systems and processes; it extends to their interactions with customers, many of whom will themselves be NIS2-regulated entities. To address these dynamics effectively, digital providers should:
- Understand Customer Expectations: Many customers will look to their digital providers to assist with their own NIS2 compliance. Digital providers must anticipate these needs by ensuring their internal policies and customer-facing documents align with not only their own NIS2 requirements but also the expectations of their customer base.
- Repaper Contracts: Contracts should be updated to clearly delineate service responsibilities, SLAs, and roles concerning cybersecurity and incident management. This will reduce ambiguity and establish a robust framework for NIS2-aligned operations.
- Enhancing Incident Notification Procedures: Incident notification processes must be synchronised with customer requirements, ensuring timely and accurate reporting of any cybersecurity incidents. Clear communication channels and predefined escalation protocols should be established.
- Customer-facing Audit and Compliance Documentation: Internal audit and compliance materials should be adapted to a customer-facing format, enabling digital providers to respond efficiently to customer requests for evidence of their cybersecurity controls and compliance.