Reborn EU-wide legislation, and a huge challenge even for SMEs.
The rise in cyber security incidents led the European Union (EU) to take a hard look at industries such as energy, transport, and finance, and the leaders of the EU met in 2016 to create cybersecurity legislation. With the goal of improving suppliers' cybersecurity resilience, the initial NIS initiative was born.
NIS2 is an update to the original NIS Directive that closes its gaps, emphasizes which cybersecurity practices matter, and spells out what essential suppliers must have in place.
The European Commission found the following deficiencies in the previous NIS Directive:
- insufficient cyber resilience levels of businesses operating in the EU
- inconsistent resilience across member states and sectors
- insufficient common understanding of the main threats and challenges among EU member states
- lack of joint crisis response
The NIS2 Directive expands cybersecurity risk management measures and reporting obligations across the EU in specific sectors. It broadens the regulatory framework and lays down mechanisms for effective cooperation across the EU. It also updates the list of sectors and activities subject to cybersecurity obligations and provides remedies and sanctions to ensure enforcement.
Are you affected?
NIS2 applies to all companies, suppliers, and organizations that deliver essential or important services for the European economy and society. If you fit within one of the categories listed below, then NIS2 applies to you.
Essential Entities
- Energy
- Transport
- Healthcare
- Banking and financial markets
- Drinking and waste water
- Digital infrastructure and ICT service management, including cloud computing service providers
- Public Administration
- Space
Important Entities
- Postal and courier services
- Waste management
- Chemical production and processing
- Food
- Manufacturing of medical devices
- Digital providers (search engines, social networking platforms, etc.)
- Research institutions
However, one of the obligations of essential and important entities will be to ensure that their supply chain provides the same level of cyber security as they do themselves. This means that hundreds of thousands of companies will also have to comply with NIS2 indirectly. Even though your company may not be considered an essential or important entity, it may still be required to comply with this legislation, as non-compliance can lead to the end of cooperation with your clients. Moreover, NIS2 also applies to suppliers outside the EU if they provide essential or important services in the EU.
Cyber security requirements
To protect networks and systems from incidents, measures must support a risk-based approach. The NIS2 provides an example of an ideal state of security that is easily achievable with the right guidance and investment. The “appropriate” and “proportionate” measures to be taken to secure network and information systems can be divided into organizational and technical measures.
NIS2 includes many elements already defined in established security and compliance frameworks (e.g. ISO 27001). These include:
- Risk analysis
- Business continuity and crisis management plan
- Policies and documented procedures
- Security awareness training for staff and management
- Handling and reporting of incidents
Liability
CEOs and board members of essential and important entities will be personally liable for:
- ensuring that cybersecurity risk assessments are carried out
- implementing technical and organizational security measures
- staying on top of cybersecurity through training and risk management programs
- managing risks appropriately
Moreover, members of management bodies could be held personally liable if they neglect their obligation to ensure compliance with the entity's cybersecurity obligations. When certain conditions are met, persons in management positions could also be temporarily suspended.
Failure to demonstrate that risk and cybersecurity practices have been addressed could result in authorities relying on their enforcement and investigation powers. These could include the ability to conduct raids, perform security audits, and request data, information, and documents.
The fines for non-compliance will be high:
- For essential entities, a maximum of at least €10 million or 2% of the worldwide annual turnover.
- For important entities, a maximum of at least €7 million or 1.4% of the worldwide annual turnover.
This Directive will have to be transposed into each EU member state's national legislation by 17 October 2024. From the following day, that legislation will apply, and companies will have to start complying with it. Although it looks like there is still a lot of time left, ensuring compliance with the NIS2 requirements may take considerable time, so the best time to start implementing it is now.
Articles:
- Commission welcomes political agreement on new rules on cybersecurity of network and information systems
- New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient
- NIS 2 Directive document (DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL)