What is the NIS2 Directive?
The Network and Information Systems Directive (NIS) was established in July 2016. This Directive focused on strengthening cybersecurity competence at a national level.
Through regulatory measures applied across the European Union, the NIS Directive aimed not only to increase cyber resilience, but also to enhance collaboration between Member States and to embed cybersecurity measures at a fundamental level throughout diverse organizations.
The European Union adopted a new version of the Network and Information Security Directive in January of 2023.
Also known as the NIS 2 Directive (Directive (EU) 2022/2555), this EU-wide legislation on cybersecurity aims to achieve a high common level of cybersecurity across the European Union. All Member States must ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of their network and information systems.
By expanding the scope of the cybersecurity guidelines to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole. These measures must be based on an all-hazards approach, with the goal of preventing or minimising the impact of incidents on the recipients of Member States' services and on other services.
How do I know if NIS2 applies to my organization?
Organisations are directly affected by the new EU Directive and have to meet NIS2 compliance if:
- They are active in one of the sectors listed in Annex I or Annex II of the NIS2 Directive, and
- They are a medium-sized organisation with at least 50 employees or an annual net turnover of over €10 million (in this case, your organisation is considered an important entity).
The Directive aims to force companies whose failure would have a major impact on our society to increase cyber security.
Which sectors are impacted by the new directive?
The sectors that fall under the new Directive are split into two categories: sectors of high criticality (listed in Annex I) and other critical sectors (listed in Annex II).
Annex I (highly critical) NIS2 sectors
- Energy
- Health
- Banking
- Transport
- Financial markets
- Drinking water
- Digital infrastructure
- ICT services management
- Wastewater
- Public administration
- Space
Annex II (critical) NIS2 sectors
- Postal and courier services
- Waste management
- Chemicals
- Foods
- Manufacturing
- Digital providers
- Research
Important deadlines to prepare for NIS2 requirements
- 2024/06/30: By 30 June 2024, companies must register with the proper authorities and designate the person responsible for the security of their information system (information security officer).
- 2024/10/18: As of 18 October 2024, the application of the specified administrative, physical and logical security measures for electronic information systems should be initiated, as set out in the Implementing Regulation.
- 2024/12/31: A contract must be established with auditors by 31 December 2024.
- 2025/12/31: The first cybersecurity audit must be completed by 31 December 2025.
What are the EU NIS2 Requirements?
The NIS2 Directive has introduced new security requirements and obligations for organizations in four overarching areas to combat cybersecurity risk. The requirements of the NIS2 directive are as follows:
Risk Management
Organizations are expected to take appropriate measures that minimize cyber risks, which include incident reporting and management, stronger supply chain security, enhanced network security, better access control, and encryption.
Corporate Accountability
Corporate management is required to address cyber risks by overseeing, approving, and receiving training on the entity's cybersecurity measures. If breaches occur, penalties may be applied to management, including personal liability and potential temporary bans from management roles.
Reporting Obligations
Essential and important entities must have processes in place for the prompt reporting of security incidents that may significantly impact service provision or service recipients. The directive therefore sets specific notification deadlines, such as a 24-hour "early warning".
Business Continuity
In case of major cyber incidents, organizations must plan for how they intend to ensure business continuity. This plan focuses on system recovery, emergency procedures, and setting up a crisis response team.
Minimum measures required by the NIS2 directive
In addition to the four broad areas of requirements, the NIS2 directive requires that organisations implement basic security measures to address specific forms of cyber threat:
- Risk assessments and security policies for information systems.
- Policies and procedures for evaluating the effectiveness of security measures.
- Policies and procedures for the use of cryptography and, when relevant, encryption.
- A plan for handling security incidents.
- Security around the procurement of systems and the development and operation of systems. This means having policies for handling and reporting vulnerabilities.
- Cybersecurity training and a practice for basic computer hygiene.
- Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organizations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.
- A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.
- The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication, when appropriate.
- Security around supply chains and the relationship between the company and each direct supplier. Companies must choose security measures that fit the vulnerabilities of each direct supplier, and then assess the overall security level across all suppliers.
What cybersecurity measures should I take for NIS2 Compliance?
To comply with the new NIS2 directive, organizations are required to implement comprehensive measures to strengthen their cybersecurity posture. This begins with conducting thorough risk assessments and creating strong security policies for information systems. These policies should include procedures for evaluating the effectiveness of security measures, and for the use of cryptography and encryption where relevant.
Furthermore, the NIS2 directive requires that organizations establish clear protocols for handling security incidents and incident reporting obligations, including a well-defined plan for incident response. This plan should outline procedures for incident detection, containment, eradication, and recovery. In addition to incident management, security must also be prioritized throughout the procurement, development, and operation of systems. This involves implementing policies for vulnerability handling and reporting, ensuring that all relevant assets are properly used and protected.
Organizations must provide comprehensive cybersecurity training and introduce practices for basic computer maintenance and hygiene among employees. Additionally, strict security procedures must be implemented for employees with access to sensitive data, including policies for data access control. In anticipation of security incidents, organizations must devise contingency plans for managing business operations during and after an incident. This includes maintaining up-to-date backups and ensuring continued access to IT systems and their functionalities.
Furthermore, the adoption of advanced authentication measures, such as multi-factor authentication and continuous authentication solutions, is strongly encouraged where the situation requires it. Additionally, the encryption of voice, video, and text communications, along with encrypted internal emergency communication channels, should not be disregarded, as these measures can mean the difference between staying safe and falling victim to a cybersecurity threat.
Addressing the complexities of modern supply chains, organizations must extend their security measures to encompass relationships with direct and indirect suppliers. This involves tailoring security protocols to the vulnerabilities of each supplier and conducting comprehensive assessments to ascertain the overall security level. By implementing these multifaceted measures, organizations can strengthen their cybersecurity resilience and align with the requirements outlined in NIS2 directives.