Fatskills
Practice. Master. Repeat.
Study Guide: Certified Information Privacy Professional (CIPP): EU NIS2 Directive and Cybersecurity
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-nis2-directive-and-cybersecurity

Certified Information Privacy Professional (CIPP): EU NIS2 Directive and Cybersecurity

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~5 min read

CIPP/E Study Guide – NIS2 Directive & Cybersecurity


What This Is

The NIS2 Directive (EU 2022/2555) updates the original NIS (2016) rules to create a harmonised, higher‑level cybersecurity regime for “essential” and “important” entities across the EU. It obliges organisations to adopt robust security measures, report incidents promptly, and cooperate with national authorities.

Real‑world example: A pan‑European medical‑device manufacturer (classified as an “essential entity”) must secure the patient‑monitoring data it streams from hospitals in Germany, France, and Spain. When a ransomware attack disables the data‑flow in France, NIS2 forces the firm to notify the French CSIRT within 24 hours and to demonstrate that it had a risk‑based security policy in place.


Key Terms & Provisions

  • Essential Entity: Companies in sectors such as energy, transport, health, and digital infrastructure that provide services critical to societal functions. (EU)
  • Important Entity: Firms in sectors like waste management, postal services, and certain digital providers that still have a high impact on the economy. (EU)
  • Member State Authority (MSA): The national body (e.g., France’s ANSSI) designated to supervise compliance, conduct inspections, and enforce penalties. (EU)
  • Cybersecurity Risk Management Measures: A set of technical and organisational safeguards (e.g., encryption, patch management, incident‑response plans) required under Article 14.
  • Incident Reporting Deadline: 24 hours after becoming aware of a “significant incident” (Article 16). The report must include impact, root cause, and remedial actions.
  • Supply‑Chain Security Obligations: Controllers must ensure that sub‑contractors and service providers also meet NIS2 standards (Article 22).
  • Co‑ordination Group (EU‑CIC): The EU‑wide forum that issues guidelines, best‑practice recommendations, and a Cybersecurity Certification Framework (Article 31).
  • Enforcement & Penalties: Up to 2 % of annual turnover or €10 million (whichever is higher) for essential entities; up to 1 % or €7 million for important entities (Article 33).
  • Cross‑Border Cooperation: Mandatory information‑sharing between MSAs via the EU‑CSIRT Network to handle incidents that affect multiple Member States.
  • Digital Service Provider (DSP) Scope Extension: Online marketplaces, search engines, and cloud‑computing services are now covered, expanding the “digital” sector beyond the original NIS. (EU)
  • Super‑vision of Security Policies: MSAs can audit an entity’s security policies, conduct on‑site inspections, and require remedial actions (Article 23).


Step‑by‑Step Process Flow (Applying NIS2)

  1. Determine Scope – Identify whether your organisation is an essential or important entity (sector list + turnover/size thresholds).
  2. Map Critical Assets & Supply Chain – Catalogue all ICT systems, data flows, and third‑party providers that support the essential service.
  3. Implement Risk‑Based Security Measures – Adopt the 7 baseline controls (risk analysis, incident‑response, encryption, vulnerability handling, etc.) and document them in a Cybersecurity Policy.
  4. Set Up Incident‑Response & Reporting – Establish a 24‑hour detection/notification workflow, assign a NIS2 Incident Lead, and create a reporting template for the MSA.
  5. Conduct Periodic Audits & Certification – Perform internal audits (or obtain EU‑certification) at least annually; remediate gaps before the next supervisory inspection.
  6. Maintain Ongoing Compliance – Monitor regulatory updates, update policies, and train staff on new threat vectors and reporting obligations.

Common Mistakes

  • Mistake: Assuming NIS2 only applies to organisations with a physical EU presence.
    Correction: NIS2’s territorial scope is activity‑based; any entity delivering essential services to EU users, regardless of location, must comply.

  • Mistake: Treating incident reporting as optional “best practice” rather than a legal duty.
    Correction: Failure to report within 24 hours can trigger the maximum fines; the duty is statutory under Article 16.

  • Mistake: Over‑looking supply‑chain obligations and expecting the regulator to police only the primary entity.
    Correction: The primary entity is jointly liable for its providers’ security gaps; conduct due‑diligence contracts and regular audits of vendors.

  • Mistake: Believing that existing ISO 27001 certification automatically satisfies NIS2.
    Correction: While ISO 27001 is a strong baseline, NIS2 adds specific risk‑management, reporting, and supervisory requirements that must be addressed separately.

  • Mistake: Confusing NIS2 with GDPR data‑protection duties and treating them as interchangeable.
    Correction: NIS2 focuses on security of network & information systems; GDPR still governs personal data processing. Both must be complied with, but they have distinct obligations and enforcement bodies.


CIPP Exam Insights

  1. Scope Differentiation: Exams often ask you to identify whether a company is an essential vs. important entity based on sector and turnover thresholds.
  2. Reporting Timeline Trap: Remember the 24‑hour deadline for “significant incidents” – many candidates mistakenly answer 72 hours (the GDPR breach‑notification window).
  3. Supply‑Chain Liability: Expect a question that tests the joint responsibility of the primary entity for its subcontractors’ security measures.
  4. Penalty Levels: Be ready to compare the 2 %/€10 M ceiling for essential entities with the 1 %/€7 M ceiling for important entities – a frequent multiple‑choice point.

Quick Check Questions

  1. Scenario: A French cloud‑service provider (classified as an “important entity”) discovers a data‑leak affecting customers in Germany and Italy. What is the latest time it can submit its incident report to the French authority?
    Answer: Within 24 hours of becoming aware of the incident.
    Explanation: NIS2 mandates a 24‑hour reporting window for significant incidents, regardless of where the impact occurs.

  2. Scenario: A U.S. medical‑device manufacturer supplies equipment to hospitals in Spain. The equipment processes patient vital signs (personal data). Does NIS2 apply, and why?
    Answer: Yes, because the manufacturer provides an essential service (healthcare) to EU data subjects, triggering NIS2’s activity‑based territorial scope.

  3. Scenario: An EU‑based online marketplace (digital service provider) has an ISO 27001 certificate. A regulator asks for evidence of NIS2 compliance. What must the marketplace provide beyond the ISO certificate?
    Answer: A risk‑based cybersecurity policy, incident‑response plan, and proof of 24‑hour reporting procedures as required by NIS2.


Last‑Minute Cram Sheet (10 One‑Liners)

  1. NIS2 = Directive 2022/2555 – replaces NIS (2016) and expands to digital service providers.
  2. Essential vs. Important: Essential → 2 %/€10 M fines; Important → 1 %/€7 M fines (Art. 33).
  3. 24‑hour Incident Reporting – mandatory for “significant incidents” (Art. 16).
  4. Supply‑Chain Duty: Primary entity must verify security of all subcontractors (Art. 22).
  5. Baseline Controls: Risk analysis, incident‑response, encryption, vulnerability handling, monitoring, governance, and supply‑chain security (Art. 14).
  6. EU‑CSIRT Network – cross‑border coordination mechanism for multi‑state incidents.
  7. Super‑vision: MSAs can audit, issue remedial orders, and impose fines (Art. 23).
  8. Digital Service Provider Scope: Online marketplaces, search engines, cloud platforms now covered.
  9. ⚠️ Trap: NIS2 does not replace GDPR; it adds security duties, not data‑protection duties.
  10. ⚠️ Trap: “Targeting” is not enough – the directive applies when you provide an essential service to EU users, even if you operate wholly outside the EU.


ADVERTISEMENT