NIS-2 Directive

  • Fabian Sinner
  • August 14, 2024

NIS-2 Directive

The NIS-2 Directive is a revised version of the European Union’s Network and Information Security Directive (NIS Directive). It was introduced to strengthen the existing cybersecurity framework and increase member states’ resilience to cyberattacks.

When did the NIS-2 Directive come into force?

The NIS-2 Directive was published in the Official Journal of the European Union on December 27, 2022, and entered into force on January 16, 2023. EU member states have until October 17, 2024, to transpose the directive into national law. From that date, the companies and organizations concerned must comply with the new requirements.

What changes does NIS-2 bring?

The NIS-2 Directive introduces several significant changes and enhancements to the original NIS Directive. These changes aim to strengthen cybersecurity within the EU and better adapt to the evolving threat landscape.

Extended scope

NIS-2 covers more sectors and organizations, including those not traditionally considered “critical” infrastructure. For example, it now includes areas such as public administration, research institutions, space and food supply. The criteria for determining which organizations are considered essential have been expanded and clarified.

Increased security requirements

The security requirements have been tightened and standardized to ensure a higher level of security. Companies must implement specific technical and organizational measures to protect their systems. There is a stronger focus on risk management, incident detection and response plans.

Stricter reporting obligations

Security incidents must be reported more quickly and in greater detail. The directive sets clear deadlines for reporting and requires that the reports contain comprehensive information on the nature of the incident and the measures taken. There are stricter requirements for the coordination and reporting of cross-border incidents.

Increased enforcement and sanctions

NIS-2 will introduce stricter enforcement mechanisms and sanctions for non-compliance. These may include financial penalties and other measures to ensure that companies take the requirements seriously. National supervisory authorities will be given enhanced powers to monitor and enforce compliance with the Directive.

Improved cooperation and coordination

The Directive emphasizes the importance of international cooperation and information sharing between member states and between the public and private sectors. It creates an EU-wide network of Computer Security Incident Response Teams (CSIRTs) and an enhanced role for the EU Agency for Cybersecurity (ENISA) to coordinate with and support member states.

Focus on the supply chain

NIS-2 places more emphasis on the security of the entire supply chain. Organizations must ensure that their suppliers and service providers also take appropriate security measures.

Which sectors are affected?

The NIS-2 Directive extends the scope of the original NIS Directive to cover a wider range of sectors considered essential to society and the economy. The main sectors affected are:

  • Energy
  • Transportation
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water / water treatment
  • Digital infrastructure
  • Food supply
  • Public administration
  • Space travel
  • Postal and courier services
  • Waste management
  • Chemical industry
  • Research and development

What do affected companies and organizations need to do?

Companies and organizations covered by the NIS-2 Directive must take a number of measures to increase cybersecurity and ensure that they can respond appropriately to security incidents.

Implementation of appropriate security measures

Companies must take measures to ensure the security of their network and information systems. These include technical and organizational measures such as firewalls, encryption, access controls and regular security audits. A risk assessment must be carried out to identify potential threats and vulnerabilities.

Reporting of security incidents

Security incidents that could have a significant impact on the provision of essential services must be reported immediately to the competent national authorities. This is to ensure that countermeasures can be taken at an early stage. The notification must be sufficiently detailed to describe the nature and scope of the incident as well as the countermeasures taken or planned.

Continuous monitoring and evaluation

Companies need to implement systems to continuously monitor and assess their network and information security in order to respond quickly to threats and incidents. Regular audits and assessments of security measures are required to ensure their effectiveness and to make improvements.

Training and awareness

Employee training is necessary to make sure that everyone is aware of cybersecurity threats and how to respond to potential risks. There should be a clear communication strategy in the event of a security incident to inform all affected parties and enable coordinated action.

Cooperation and information sharing

Companies should actively participate in collaboration with other organizations and authorities to share information about threats and security incidents. Participation in national and international cybersecurity networks and initiatives is encouraged to strengthen resilience.

Reporting and compliance

Companies must ensure that they comply with the requirements of the NIS-2 Directive and submit regular reports on their cybersecurity measures to the competent authorities. Compliance with the directive can be monitored by national regulatory authorities, which can impose sanctions in the event of non-compliance.
