More Rules, Wider Reach
NIS2 (PDF) extends the original NIS directive, which the European institutions have been developing since 2016. It aims to build broad cybersecurity awareness so that governments and companies can better defend themselves against the increasingly complex cyber threats of today and tomorrow.
The new directive also brings subcontractors and service providers (those with access to your critical infrastructure) under the regulatory umbrella. From now on, they too must meet stricter cybersecurity obligations if they want to work with your organisation. This group was overlooked in the first version of the directive.
Key Differences between NIS1 and NIS2
The NIS1 directive already set strict requirements for 'essential businesses' such as water, energy and telecoms companies. NIS2 goes a step further and applies to more organisations, including many medium and large enterprises.
A key feature of NIS2 is its more concrete approach, thanks to a list of minimum basic safeguards that companies should implement:
- Risk analysis and information security policy
- Incident handling (prevention, detection and response to incidents)
- Business continuity and crisis management
- Supply chain security
- Security in network and information systems
- Policies and procedures for cybersecurity risk management measures
- The use of cryptography/encryption
It also enables national authorities to monitor and enforce these safeguards more strictly. Fines can be substantial: for essential entities, they can amount to 2% of global turnover, up to €10 million.
How do you prepare for NIS2 and potential sanctions?
NIS2 requires organisations to take adequate measures in areas such as cyber risk management, penetration testing, incident response and recovery. Your organisation therefore needs to identify all of its risks and strengthen its defences against threats. You will also need to make your team aware of the legal obligations in order to avoid fines.
Through checkpoints or audits by regulators, there will be strict checks on whether your level of security complies with the regulations. Failure to properly implement the required security measures will therefore have major consequences: not only do you run an extra risk of being hacked, but, as with GDPR breaches, financial penalties will be based on your organisation's global turnover.
It is important to understand how these new regulations may affect your organisation and to take the necessary steps to comply with the NIS2 directive. Cyber security is no longer a choice; it is a must. Would you like support with this? Count on our certified experts to assist you and/or to carry out a thorough security audit.