The normal disclaimer: don't take this as legal advice, there are people much more versed in NIS2 intricacies than me. However, a lot of the questions NIS2 brings will fall on admins of services to answer, so this is just some context for those of us on the receiving end.
NIS2?
NIS2 is a newish European directive to ensure decent levels of IT security across the board. It touches tons of organizations providing IT services in the EU. It's a decently large change; to my knowledge there haven't been legal requirements on IT security at this level and this widely before.
While writing this, I read up on the original NIS, which had flown under my radar, but the new one seems to be more important.
I won't go deeply into the text of NIS2, just enough to answer the main questions.
Does it Apply to Me?
Usually when we admins hear about something like this, we cross our fingers and hope that maybe this one doesn't apply to us. I tried, but it's hard to avoid if you do IT in the EU.
If you're a medium-sized organization (50+ people or 10+ M€ turnover/balance sheet) or larger, it applies.
Small ones, you thought you were safe?
Regardless of size, it also applies to all critical services, like water, waste, rail, post and all those things (defined here).
Are we done? Nope!
It also applies if:
- you're the only provider in your country for something important for society, or regionally for some sector
- problems with your services can have a significant impact on public safety or health, or carry systemic risks like cross-border impact
- you're a public administration or government body
And then there's the fun cloud and ICT part of the critical services (definitions here in Annex 1). So regardless of the size of the organization, it affects:
- Internet Exchange Point providers
- DNS service providers
- TLD name registries
- Cloud computing service providers (yes, this is wide: IaaS, PaaS, SaaS, NaaS, computing, networking, storage, services, software, private, hybrid, community, public, etc. etc.)
- Data centre service providers
- Content delivery network providers
- Trust service providers (authentication and digital signature services and such)
- Providers of public/publicly available electronic communications networks
- Managed service providers (basically if you provide services where you manage ICT for somebody)
So if you do IT in the EU, and I read the documents correctly, it's hard for this not to apply to you. You can be classed as an "essential" or "important" entity, but from my reading this mostly affects oversight, not so much what is required of you. There are some concessions for small actors, in that the measures should be proportional to your size, but I'm not convinced it helps much, based on the examples.
Sigh, fine, so what do I have to do again?
Ok, the rules of what you need to do are here in Annex 1. The most enthusiastic of you may read through it, but even I just skimmed it.
The good news for those who are under ISO 27001: it sounds like most of the requirements are taken, indirectly, from there or from similar standards.
If you don't have an information security management system yet, NIS2 basically requires one. This means that it's not just up to your service to implement NIS2, but up to your organization. E.g. it's hard for a service admin to set up "Human resource security" or "Environmental and physical security". Now, if you're not under ISO 27001, or you don't have similar things in place, I think the most difficult thing you'll face as an admin is convincing upper management that this is not just an "IT thing you can put in the backlog", but affects the organization's IT management as a whole.
Whew, we are certified under ISO 27001, so did I as an admin dodge a bullet?
:)
In addition to having your information security management in order, here's the new part.
The most important thing for admins to understand is that you have to report "significant incidents" to your national bodies. A bit like GDPR, but for IT security.
I really need to report incidents to national authorities?
Yup! If they're significant, and here too we luckily have quite clear instructions, starting at Article 3.
So, the generic rules are that it's significant if:
- It can cause more than 500k€ damages (or 5% of turnover)
- It leaks trade secrets
- It results in death or harm
- There has been malicious access that can cause significant disruption
- It's recurring and the incidents together meet the other criteria
That's not too bad, right?
But then, depending on what you do, there are more criteria. I'll just go through the cloud provider ones, but there are specific criteria for TLDs, social network sites, trust providers, DNS providers, etc. etc.
So for cloud services:
- The service is completely unavailable for 30 mins or more
- The service has limited availability for over 5% or 1 million users, whichever is lower, for an hour or more. If you're reading this blog post and you're in the 1m category, I think you might need better internal support for NIS2.
- Integrity, confidentiality or authenticity is compromised because of malicious action, or it's compromised for 5% or 1m users
Scheduled maintenance is excluded.
Looking back, there have been a few downtimes in the last few years that we would have had to report, but it's not crazy, and it can be incorporated into incident management quite easily.
Reporting
So what do we need to report? It's basically in three phases under Article 23:
- As early as possible, and within 24h of becoming aware of the significant incident, an early warning, including whether it's suspected to be the result of malicious action or to have cross-border impact.
- Within 72h, an initial assessment including severity and impact.
- Within 1 month (or, for long-running incidents, 1 month after it's resolved), a final report with a description, severity, impact, root cause and mitigations.
This is probably nothing you don't gather internally anyway, so the overhead is not too great.
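The significance thresholds above and the three Article 23 reporting phases are the part an admin actually has to wire into an incident process. The following is an added example, not code from the original post or from CSC: a small triage helper that encodes the generic and cloud-service thresholds exactly as the post summarises them and computes the reporting deadlines from the time of awareness. The Incident fields, the 30-day reading of "1 month", the modelling of "malicious access that can cause significant disruption" as malicious action plus an availability effect, and the sample incidents are my own assumptions.

```python
"""Triage against the NIS2 significance thresholds and Article 23 reporting
phases as summarised in the post.  Added example; Incident fields, the
30-day "month" and the sample incidents are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAMAGE_EUR = 500_000           # "more than 500k EUR damages"
TURNOVER_SHARE = 0.05          # "or 5% of turnover"
USER_SHARE_PCT = 5             # "5% or 1 million users, whichever is lower"
USER_CAP = 1_000_000
FULL_OUTAGE_MIN = 30           # completely unavailable for 30 min or more
LIMITED_MIN = 60               # limited availability for an hour or more
MONTH = timedelta(days=30)     # assumption: "1 month" read as 30 days


@dataclass
class Incident:
    started: datetime
    aware_at: datetime                   # when we became aware of it
    total_users: int
    ended: Optional[datetime] = None     # None while still ongoing
    users_affected: int = 0
    full_outage: bool = False
    limited_availability: bool = False
    cia_compromised: bool = False        # integrity, confidentiality or authenticity
    malicious: bool = False              # result of malicious action
    damage_eur: float = 0.0
    annual_turnover_eur: float = 0.0
    trade_secret_leak: bool = False
    death_or_harm: bool = False
    scheduled_maintenance: bool = False


def user_threshold(total_users: int) -> int:
    """5% of the user base (rounded up) or 1m users, whichever is lower."""
    return min((total_users * USER_SHARE_PCT + 99) // 100, USER_CAP)


def significance_reasons(inc: Incident, now: Optional[datetime] = None) -> list[str]:
    """Criteria the incident meets; an empty list means it is not significant."""
    if inc.scheduled_maintenance:
        return []                        # scheduled maintenance is excluded
    now = now or datetime.now(timezone.utc)
    reasons = []
    # Generic criteria
    if inc.damage_eur > DAMAGE_EUR or (
        inc.annual_turnover_eur and inc.damage_eur > TURNOVER_SHARE * inc.annual_turnover_eur
    ):
        reasons.append("damage over 500k EUR or 5% of turnover")
    if inc.trade_secret_leak:
        reasons.append("trade secrets leaked")
    if inc.death_or_harm:
        reasons.append("death or harm")
    if inc.malicious and (inc.full_outage or inc.limited_availability):
        reasons.append("malicious action with disruption")  # assumption: how to read "malicious access that can cause significant disruption"
    # Cloud-service criteria; an ongoing incident is measured up to `now`
    mins = ((inc.ended or now) - inc.started).total_seconds() / 60
    threshold = user_threshold(inc.total_users)
    if inc.full_outage and mins >= FULL_OUTAGE_MIN:
        reasons.append(f"complete outage for {mins:.0f} min")
    if inc.limited_availability and mins >= LIMITED_MIN and inc.users_affected >= threshold:
        reasons.append(f"limited availability for {inc.users_affected} users (threshold {threshold})")
    if inc.cia_compromised and (inc.malicious or inc.users_affected >= threshold):
        reasons.append("integrity/confidentiality/authenticity compromised")
    return reasons


def reporting_deadlines(inc: Incident, now: Optional[datetime] = None) -> dict[str, Optional[datetime]]:
    """Article 23 phases counted from awareness.  The final report is due one month
    after awareness, or one month after resolution for an incident still running at
    that point (None while it is unresolved and already past the month)."""
    now = now or datetime.now(timezone.utc)
    one_month = inc.aware_at + MONTH
    if inc.ended is not None:
        final = one_month if inc.ended <= one_month else inc.ended + MONTH
    else:
        final = one_month if now <= one_month else None
    return {
        "early_warning": inc.aware_at + timedelta(hours=24),
        "initial_assessment": inc.aware_at + timedelta(hours=72),
        "final_report": final,
    }


def triage(inc: Incident, now: Optional[datetime] = None) -> dict:
    """Decision record: is it significant, why, and when is each report due."""
    reasons = significance_reasons(inc, now)
    return {"significant": bool(reasons), "reasons": reasons,
            "deadlines": reporting_deadlines(inc, now) if reasons else {}}


def sample_incident(kind: str = "outage") -> Incident:
    """Constructed sample incidents (not real data) for a 20 000-user service."""
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    base = dict(started=t0, aware_at=t0 + timedelta(minutes=5), total_users=20_000)
    if kind == "outage":        # 45 min complete outage: significant
        return Incident(ended=t0 + timedelta(minutes=45), full_outage=True, **base)
    if kind == "degraded":      # 90 min degradation for 999 users: just below the 5% line
        return Incident(ended=t0 + timedelta(minutes=90), limited_availability=True,
                        users_affected=999, **base)
    if kind == "maintenance":   # planned window, excluded regardless of length
        return Incident(ended=t0 + timedelta(hours=3), full_outage=True,
                        scheduled_maintenance=True, **base)
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("outage", "degraded", "maintenance"):
        print(kind, triage(sample_incident(kind)))
```

The useful part in practice is that the deadline clock starts at awareness, not at the start of the outage, and that the "whichever is lower" user threshold shrinks with the size of the service, so a small provider hits the 5% line long before anyone hits the 1m line.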
Conclusion
As an admin whose organization's information security management system is certified under ISO 27001, I'm not that worried. The main change is that I should know when we need to make a report, and what goes in it.
It'll be interesting to see how this affects smaller companies that do some IT and don't have an information security management system in place. While there are of course reasons to have one, and at some scale it's even necessary, starting to maintain one is not a trivial effort.
Also, I don't read EU legislation daily, so please feel free to correct me on misinterpretations, and I'll update the post.
Geek. Product Owner @CSCfi