NIS2 (Network and Information Security) Directive

What is NIS2?

NIS2 (Network and Information Security) is a new landmark EU cyber security directive with a compliance deadline of 17th October 2024.


The Clock Is Ticking

NIS2 was adopted in January 2023, and organisations should ideally already be preparing for its upcoming rollout. For those yet to begin or early in the process of achieving compliance, there’s still time to align practices to NIS2’s requirements.

Designed to improve the state of cyber security in organisations EU-wide (including those outside of the EU but operating within it), NIS2 provides legal measures to modernise existing frameworks and keep pace with the rapidly evolving cyber threat landscape. 


A Beginner's Guide to The NIS2 Directive

Featuring an actionable checklist of 10 Minimum Measures for NIS2 Compliance as well as the basics at a glance, our new Beginner’s Guide to NIS2 is the ideal introduction

Who Will NIS2 Impact?

It is estimated that over 160,000 organisations will be affected by NIS2 across 15 separate sectors including energy, health, transport, finance and more.

NIS2 focuses on the operators of essential services and critical infrastructure in its list of relevant industries to ensure vital cyber security is upheld and incidents are reported to the associated authorities as a matter of course. 

When Will NIS2 Come into Effect?

EU member states are obligated to integrate NIS2 into their existing cyber security legislation by 17th October 2024. Impacted organisations and sectors should plan ahead to align their cyber defences and strategy with the required stipulations in plenty of time. Penalties associated with NIS2 non-compliance will be severe, ranging from fines to legal consequences and reputational impact, with senior management to be held directly liable in cases of gross negligence.


What’s New with NIS2?

In comparison with the original NIS legislation, NIS2’s scope and requirements are further-reaching but simplified, with a view to avoiding the challenges of inconsistent and disparate efforts associated with NIS (1) across the European Union.

While it may appear stricter than previous legislation at first glance, it is hoped that NIS2 will be, on the whole, a more straightforward and manageable standard for organisations to meet.



What Are the Requirements for NIS2 Compliance?

The organisational requirements of NIS2 can be grouped into the following four areas:

Risk Management

To comply with the new directive, organisations must practise and evidence risk management, taking measures to minimise cyber risks wherever possible. This includes but is not limited to incident management, supply chain security, access control, encryption, and network security.

Corporate Accountability

NIS2 emphasises the responsibility and accountability of management in upholding cyber security practices. Cyber breaches, under the new directive, may result in penalties for members of management including legal liability.

Reporting Obligations

A central theme within NIS2 is the proactive reporting of breaches and cyber attacks for greater transparency. Impacted organisations must have appropriate processes in place, and adhere to them, for the prompt and systematic reporting of security incidents, with alerts to the relevant authorities made without delay.

Business Continuity

A comprehensive business continuity plan will help organisations to prepare for the eventuality of a major cyber security incident. Within this plan, businesses should address their strategy for emergency procedures, system recovery and, if appropriate, a crisis response team, along with business- and industry-specific considerations to maintain operations and security in the aftermath of an attack.

How Can Businesses Prepare for NIS2?

To prepare for NIS2, organisations should urgently determine whether they fall within NIS2’s scope and, if so, which units of operation will be impacted. They should then evaluate existing security measures, amending and implementing new policies and security measures as required to achieve compliance.

It must be emphasised that while NIS2’s guidelines may fall largely within an organisation’s existing cyber security provision, it is essential to double-check processes and security stacks to ensure that exact requirements are met and can be evidenced.

