
NIS2 Directive Overview: In-depth look at Articles 21 and 23

May 30, 2024
By: Koen Meeuwisse
15 March 2025

While many EU countries are still working out the specifics of implementing the NIS2 Directive, we know there are some key elements that will be included in each national implementation. Here we’ll focus on two of them: Article 21 and Article 23.

The importance of cybersecurity in national legislation and strategic frameworks cannot be overstated. National laws and strategies set out the obligations of entities to notify authorities and report incidents, underscoring the critical role of cybersecurity in the regulatory landscape.

NIS2 Article 21: The duty of care and cybersecurity risk management measures

Article 21 outlines key cybersecurity practices that every business under the NIS2 regulations must have in place. You’ll probably already have thought of many of these, and taken some steps towards implementing them for the health and future of your business. As for the others, Eye Security is here to help.

Essential and important entities are required to implement specific technical, operational, and organisational measures under Article 21 to enhance their cybersecurity resilience and prevent potential incidents impacting their services.

To enhance collaboration among EU Member States, the European Commission, and the EU Agency for Cybersecurity (ENISA), the NIS Cooperation Group aims to facilitate strategic cooperation, promoting effective information exchange and cooperation to bolster cybersecurity measures across critical sectors in the EU.

The Cooperation Group provides guidance to competent authorities on the transposition and implementation of cybersecurity directives, emphasising the identification and responsibilities of each essential entity. 

Mandatory cybersecurity measures under Article 21 include:

  • Risk analysis and information system security policies

  • Incident handling. This is an integral part of Eye’s CyberGuard service.

  • Business continuity, such as backup management and contingency planning, and crisis management. In the event of a cyber incident, Eye Security guarantees support as part of its CyberGuard service. Crisis management is included in this incident response support.

  • Supply chain security. This includes security aspects related to the relationships between each entity and its direct suppliers or service providers, such as cloud computing service providers and data centre service providers. Additionally, DNS service providers play a crucial role in ensuring cybersecurity.

  • Security in the acquisition, development, and maintenance of network and information systems. Vulnerability scanning (including newly identified vulnerabilities) is part of Eye Security’s CyberGuard service.

  • Policies and procedures for assessing the effectiveness of cybersecurity risk management measures

  • Basic cyber hygiene practices and training. Eye Security’s optional Awareness service includes regular phishing simulations and training for employees who fall for such phishing emails.

  • Policies and procedures regarding the use of cryptography and, where applicable, encryption

  • Personnel security, access policies, and asset management

  • Where appropriate, the use of multi-factor authentication or continuous authentication solutions, secure communication for voice, video, and text, and secure emergency communication systems within the entity. The Eye portal indicates security measures such as MFA usage, providing customers with visibility into the actual application of security measures.

NIS2 Article 23: incident reporting and network and information systems

Article 23 of the NIS2 Directive lays out the requirements for incident reporting. It defines what constitutes an incident, the mandatory reports, and the content required in these reports.

A cyber incident is defined as:

  • A severe operational disruption of the organisation's services.

  • An incident that could lead to financial damage.

  • An incident that could cause material or immaterial harm to other natural or legal persons.

The exact criteria for these thresholds are yet to be determined, but we're keeping an eye on developments. 

No one wants an incident – but if one happens to your business, under NIS2 you'll be required to report it as follows:

Within 24 hours of an incident, report it to the supervisory authority and the CSIRT designated for your sector. This report must state whether the incident was caused by unlawful or malicious actions and whether it could have cross-border implications.

After 72 hours, a follow-up report must be submitted. This report should update the information from the initial report and provide an initial assessment of the incident's severity and impact.

One month after the incident, a final report must be submitted. This report should provide a detailed description of the incident, including its severity and impact, the type of threat or root cause likely leading to the incident, applied and ongoing risk mitigation measures, and, if applicable, the cross-border impacts of the incident.

During an incident, the CSIRT or the competent authority/supervisory authority can request an interim report. This report should provide relevant updates on the situation.

Remember, improving your cybersecurity isn't just about meeting regulations – it's about you, your customers, and the safety of your business. Access our NIS2 resource hub to learn more.

We're with you on this journey, essential and important entities.

Eye Security offers round-the-clock protection, prompt and skilled incident response, and even insurance coverage. Our comprehensive cyber protection is tailored for small to medium-sized businesses. Book a demo to learn more.

FAQ

What are the background and context of the NIS2 Directive?

The NIS2 Directive is a crucial step towards enhancing the cybersecurity of network and information systems (NIS) across the European Union. Building upon the foundation laid by its predecessor, NIS1, the directive addresses the growing threat of cyber attacks on critical infrastructure. As our reliance on digital infrastructure and interconnected essential services increases, so do the vulnerabilities that can be exploited by threat actors. This makes it imperative to adopt a more comprehensive approach to cybersecurity risk management.

Recognising the importance of coordinated vulnerability disclosure, the NIS2 Directive encourages Member States to adopt national cybersecurity strategies that prioritise the protection of essential entities and critical infrastructure. By fostering a culture of cybersecurity awareness and training, the directive aims to bolster the overall cyber resilience of the EU. This proactive stance is designed to safeguard the integrity and availability of essential services, ensuring that the digital backbone of our society remains robust and secure.

What are the scope and applicability of the NIS2 Directive?

The NIS2 Directive casts a wide net, applying to a diverse array of sectors that are integral to the functioning of the EU’s digital economy. This includes essential services such as energy, transportation, healthcare, and finance, as well as digital service providers like cloud computing services, online marketplaces, and search engines. By encompassing such a broad range of entities, the directive ensures that all critical components of the digital infrastructure are subject to stringent cybersecurity risk management measures.

A key aspect of the directive is its distinction between essential and important entities. Essential entities, which include hospitals, power plants, and financial institutions, are subject to more rigorous requirements due to the critical nature of the services they provide. Important entities, such as online marketplaces and social media platforms, also play a significant role but are subject to slightly less stringent measures. This tiered approach ensures that the most critical services receive the highest level of protection, while still maintaining robust security standards across the board.

How does the NIS2 Directive ensure cooperation among Member States?

The NIS2 Directive establishes a robust framework for cooperation among competent authorities across the EU. Each Member State is required to designate a competent authority responsible for the implementation and enforcement of the directive. These authorities are tasked with facilitating strategic cooperation, sharing best practices, and coordinating responses to cyber attacks, thereby enhancing the collective cybersecurity posture of the EU.

In addition to the competent authorities, the directive also mandates the establishment of a network of Computer Security Incident Response Teams (CSIRTs). These teams are crucial for exchanging information on cyber threats and responding to incidents in a timely and effective manner. By fostering collaboration and information sharing, the CSIRT network enables Member States to mitigate the impact of cyber attacks on essential services and critical infrastructure, ensuring a coordinated and resilient response to cybersecurity challenges.

How will the NIS2 Directive be implemented in national law?

To bring the NIS2 Directive into effect, Member States are required to adopt national legislation that aligns with the directive’s provisions. This process involves transposing the directive into national law, ensuring that all necessary measures are in place to protect essential entities and critical infrastructure. The directive also mandates the development of national cybersecurity strategies, which must encompass policies for supply chain security, vulnerability management, and cybersecurity education and awareness.

These national strategies are pivotal in enhancing the overall cybersecurity capabilities of Member States. By promoting a culture of cybersecurity awareness and training, these strategies help to build a resilient digital ecosystem. The directive’s emphasis on comprehensive national legislation and strategic planning highlights the importance of a unified and proactive approach to cybersecurity, ensuring that the EU remains well-equipped to tackle the evolving landscape of cyber threats.
