The growing dependence on digital technology in all aspects of our lives has brought with it a significant increase in cyber risks. To strengthen cybersecurity and protect critical infrastructures across Europe, the European Union (EU) has adopted the Network and Information Systems (NIS) Directive.
On October 18, 2024, NIS 2 will replace the previous NIS. By that time, EU countries must have enacted their own laws and regulations based on NIS 2.
What is the NIS Directive?
The NIS Directive, adopted in May 2016, establishes a common cybersecurity framework for the entire EU. Its main objective is to ensure an elevated level of security for networks and information systems in critical sectors such as energy, transportation, financial services, and healthcare. The NIS Directive requires EU Member States to take measures to strengthen cybersecurity and improve cooperation among stakeholders involved.
The official text is available here: NIS Directive Text
Who does the NIS 2 apply to?
There are 3 criteria that define organizations (referred to as “essential entities” and “important entities”) that must comply with NIS 2:
What are the main novelties of NIS2?
The new NIS2 introduces a broader range of industries (sectors) that must comply with its provisions, enhances cooperation among Member States, establishes new deadlines for incident notification, places more focus on supply chain security, emphasizes entity management responsibility, and imposes stricter sanctions, among other changes.
The NIS-2 Directive will be mandatory for companies with more than 250 employees and an annual turnover of 50 million euros or more. Similarly, operators providing essential services and digital service providers operating in the European Union will also be required to comply. These services include, among others, energy, transportation, healthcare, banking and finance, and telecommunications services.
NIS2 is the second version of the directive, replacing Directive (EU) 2016/1148. In addition to expanding the scope and enhancing coordination and cooperation, as reflected above, the novelties include stricter penalties for non-compliance (significant fines and administrative sanctions). Penalties include:
- For essential entities: up to €10 million or 2% of total annual turnover.
- For important entities: up to €7 million or 1.4% of total annual turnover.
- Requirement for entity management to approve and oversee the implementation of technical, operational, and organizational measures to prevent and minimize the impact of incidents.
- New obligations such as end-to-end encryption, mandatory training for entity management, periodic training for employees, default privacy by design, crisis management, certification of services/products/systems under European cybersecurity certification schemes, and vulnerability handling and disclosure.
- Enhanced supply chain security and relationships with suppliers. Critical operators may require suppliers to comply with regulations.
- Like the GDPR, NIS2 requires operators of essential services and digital service providers to report serious incidents to relevant authorities within 72 hours (about 3 days). There is also an obligation to notify their designated CSIRT promptly of security incidents with significant impact.
- Full integration with sector-specific regulations, such as the Directive on Digital Operational Resilience for the Financial Sector (DORA) and the Directive on Resilience of Critical Entities (CER).
These advancements under NIS2 demonstrate a commitment to strengthening cybersecurity across critical sectors and ensuring a resilient digital environment throughout Europe. The directive aims to enhance preparedness, response, and recovery capabilities in the face of evolving cyber threats.
How LinProfs can help you?
At LinProfs, we offer the necessary assistance and guidance for the implementation of the NIS 2 Directive. With our help, you will have greater ease in managing documentation: creating, updating, and managing the necessary documents to meet NIS 2 requirements, such as security policies, incident response plans, and security logs.
Our services encompass:
- Compliance Oversight: We establish and monitor NIS 2 requirements to ensure compliance across all areas of your organization.
- Security Risk Management: We identify and manage information security risks, implementing controls to effectively mitigate those risks.
- Implementing Security Measures: Our platform facilitates the implementation of specific security measures mandated by the NIS 2 directive, including strong authentication and access controls.
- Monitoring and Improving Security: Our software offers continuous monitoring of information security, enabling you to make tailored improvements based on organizational needs.
By partnering with LinProfs, you gain access to comprehensive solutions that enhance your organization’s cybersecurity posture and ensure alignment with NIS 2 regulations.
EN_GB
Comments are closed