NIS2 and the Canadian public sector: anticipating new digital resilience requirements
The European NIS2 directive became applicable in October 2024 across EU member states. Canadian organizations that partner with European entities in the 18 covered critical sectors are directly affected.
The NIS2 directive (Network and Information Security 2) represents the most ambitious cybersecurity framework adopted in Europe for critical sectors to date. With 18 targeted sectors (compared to 7 under NIS1), penalties of up to 10 million euros or 2% of global turnover, and personal liability for executives in the event of a breach of the directive's obligations, NIS2 marks a major turning point. Its effects extend well beyond European borders.
Who is affected in Canada?
Affected Canadian organizations include:
- providers of digital services to European NIS2 entities
- technology partners of European critical infrastructures
- subcontractors in the ICT supply chains of targeted sectors
- public sector organizations with cooperation agreements with European counterparts
The 18 sectors covered by NIS2
- Highly critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT (managed services), public administration, space
- Additional critical sectors: postal services, waste management, manufacturing (chemicals, pharma, medical, electronics), food production, digital providers, research
- Thresholds: NIS2 applies to medium-sized entities (>50 employees or >EUR 10M turnover) and large entities (>250 employees or >EUR 50M turnover) operating in these sectors
NIS2 minimum requirements
- Formalized ICT security risk analysis and management policies
- Incident management: detection, classification, and notification to authorities within 24 h (preliminary alert) and 72 h (incident report)
- Business continuity and disaster recovery (BCP/DRP) documented and tested
- Supply chain security: assessment of critical ICT suppliers
- Multi-factor authentication (MFA) mandatory for all sensitive access
- Data encryption in transit and at rest for critical systems
- Cybersecurity training and awareness for all employees
Synergies between NIS2 and Canadian regulations
- Quebec's Essential Services Directive: Quebec is working on legislation similar to NIS2 for its critical infrastructures
- Critical Cyber Systems Protection Act (C-26): Canada's federal bill is directly inspired by NIS2
- CCCS recommendations: adopting CCCS controls covers the majority of NIS2 requirements
- ISO 27001:2022: a certified ISO 27001 ISMS demonstrates substantial alignment with NIS2 requirements
CapGRC integrates NIS2 and DORA frameworks
Simultaneously manage NIS2, DORA and your Canadian requirements without duplicating efforts.
