The implementation of NIS2 signals a new cybersecurity era where prevention, preparedness, and transparency are key in the fight against digital threats. The directive is set to be implemented October 2024, when a number of organizations must meet compliance requirements regarding management, risk management, business continuity, and reports to the authorities.
What is NIS2?
NIS2 is short for ‘Network and Informations Systems 2’. The NIS2 directive serves as an update of the EU’s original NIS directive issued in 2018 with the aim of enhancing cybersecurity across industries and sectors in EU member states.
NIS2 expands and enhances existing guidelines by implementing stricter security guidelines, reporting obligations and stricter standards for supervision, and enforcement of the compliance rules.
What do the guidelines mean for NIS2 compliance?
The NIS2 directive requires organizations to make “appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems”. The directive might be convoluted, but in layman’s terms it implies the necessity of continuous risk analysis with the aim of identifying and assessing risks tied to threats and vulnerabilities. Moreover, it requires the implementation of appropriate security measures.
According to the guidelines, the appropriateness of a security measure is determined by assessing the risk of a threat being realized and its potential consequences. The bigger the risk, the stricter the security requirements.
Besides having risk management as a focal point, NIS2 requires a string of mandatory measures regarding:
Incident management
In order to ensure that organizations are prepared for potential incidents related to cybersecurity, NIS2 emphasizes the need for a robust incident management plan. The plan is crucial towards minimizing damages, reestablishing normal operations promptly, and ultimately strengthening the organization’s resilience against cyber attacks.
Backup and crisis management
As an addition to incident management, NIS2 requires organizations to have an IT emergency plan, which clearly defines procedures and responsible individuals. To ensure a quick restoration of operations, the guidelines also require a clear procedure for backup.
Supply chain security
The NIS2 Directive sets stricter requirements for supply chain security, which obliges the organization to identify, assess, and manage the risks associated with third parties.
This includes suppliers, distributors, subcontractors, service providers, partners, and other external actors who have access to the organization's data, systems or resources.
Ongoing assessments of security measures
Going forward, additional emphasis will be placed on IT security in relation to the acquisition, development and operation of the organization's network and information systems. This includes managing and disclosing vulnerabilities. It's also essential to have a plan for preventing and identifying attacks.
Employee education
In addition to the practical measures, NIS2 sets guidelines for the education of employees as well. This is to foster good security practices, including strong passwords, and ongoing updates of software and antivirus.
Encryption policies
If encryption is used in the organization, NIS2 requires policies in this regard. You need to actively decide what data to encrypt and how - both internally and externally.
Further, the directive implements a specific reporting obligation, requiring organizations to notify the authorities of significant incidents as soon as possible and within 24 hours at the latest. The notification must be followed up with an elaborated update and an assessment of the incident within 72 hours.
Who is subject to NIS2?
The scope of NIS2 has been significantly expanded compared to its predecessor. This implies that your organization may be regulated by the directive if you conduct activities in the fields of:
- Digital infrastructure
- Water and wastewater
- Energy
- Financial services
- Public administration
- Aerospace
- Healthcare
- Transportation
NIS2 also encompasses services related to areas such as postal and courier, waste management as well as the manufacturing, production and distribution of chemicals.
Food production, processing and distribution is also covered by the directive, as are the manufacture of medical and electronic equipment, machinery, motor vehicles, in addition to platforms for social networking services, online marketplaces, and search engines.