Knowledge Exchange

Knowledge Exchange breaks down what the NIS2 Directive means for your business

Sinead Conboy

The EU places cybersecurity at the top of its agenda for 40,000 businesses in its member states by mandating that companies comply with its new legislation to protect businesses from attacks and breaches.

The Network and Information Systems (NIS2) Directive is an extension of the original NIS Directive published in 2016, which has been adopted by EU member states. It imposes stricter cybersecurity requirements and ensures uniform sanctions across the EU. It came into effect in January 2023 and must be established as law by all member states, and submitted to the European Parliament and its Council for review, by October 2024. This means that if your company falls within the criteria set by the directive, compliance with the new requirements will be mandatory.

What sectors are impacted by NIS2?

The legislation expands on the number of sectors covered in the original legislation to encompass all companies that play a critical role in society. The distinction is made between "essential" and "important" entities within these sectors, with both categories required to comply with stringent security measures. Essential entities are subject to proactive supervision, while important entities are monitored after incidents of non-compliance are reported. The NIS2 Directive significantly expands its scope to cover a wide range of sectors and organizations, impacting approximately 40,000 additional companies across the EU, which will be overseen at a national level by each member state’s respective governing body for cybersecurity.


Essential companies include:

The following industries have been deemed as ‘important’ under the legislation:

What are the requirements of NIS2?

There are four key areas of business that will have increased requirements following the implementation of the legislation.

  1. Risk Management: Businesses must implement measures that will minimize cyber risks, including incident management, network security enhancement, supply chain security, access control, and encryption.
  2. Corporate Accountability: Corporate management must oversee, approve, and be trained in cybersecurity measures. Breaches may lead to penalties such as liability and temporary bans from management roles.
  3. Reporting Obligations: Organisations will need to have an established protocol to ensure proper reporting to authorities in the case of a cyber incident, e.g. major incidents should be reported to the respective governing body within 24 hours.
  4. Business Continuity: Businesses must have contingency plans in place to ensure business continuity in the case of a major cyber incident. This plan should cover system recovery, emergency procedures, and establishing a crisis response team.

In addition to these four key overarching requirements, NIS2 mandates that companies implement baseline security measures to address likely cyber threats. In order to prepare for compliance with the NIS2 Directive, organisations need to determine if they fall within the scope, evaluate security measures, amend policies, plan for compliance and incorporate relevant security measures such as:

  1. Establishing security policies and conducting risk evaluations for IT systems.
  2. Developing a protocol for responding to security breaches.
  3. Crafting a continuity plan for business operations to remain functional during and post-security incidents, ensuring timely backup updates and sustained access to critical IT systems.
  4. Implementing targeted security measures in the supply chain, tailoring them to the specific vulnerabilities of each primary supplier and evaluating the collective security posture of all suppliers.
  5. Instituting policies and procedures to regularly assess the efficacy of implemented security measures.
  6. Enforcing security protocols in the acquisition, development, and maintenance of systems, including guidelines for managing and reporting system vulnerabilities.
  7. Providing cybersecurity education and instilling best practices for digital hygiene among employees.
  8. Establishing guidelines for the application of cryptographic and encryption techniques, as applicable.
  9. Setting security protocols for personnel with access to sensitive data, encompassing data access policies and the effective management of critical assets.
  10. Advocating for the adoption of multi-factor authentication, ongoing authentication mechanisms, and the encryption of voice, video, and text communications, along with secure internal crisis communication channels, where necessary.

What are the consequences of non-compliance?

The consequences of non-compliance with the NIS2 Directive are severe. Essential companies which do not comply can face fines up to €10 million or 2% of global annual revenue. Companies classified as important under the scope of the legislation can be fined up to €7 million or 1.4% of global revenue.

In addition to financial consequences, companies may also face non-financial repercussions, such as security audit mandates and alerts to clients about potential risks.

These heavy penalties ensure both essential and important companies will prioritise cybersecurity measures to protect national security, economic stability, and public safety.

What can you do to prepare for NIS2?

NIS2 came into force on January 16, 2023, and all EU member states must transpose it into national law by October 17, 2024. Companies that fall within the scope of NIS2 must ensure compliance by this date.

To prepare for the NIS2 Directive, companies need to take several key steps to ensure compliance with the enhanced cybersecurity requirements. Here are some essential measures you can take now to be prepared:

  1. Implement Security Measures: Companies must implement planned security measures to enhance cybersecurity, as the aim of NIS2 is to increase cybersecurity for important European companies.
  2. Identify Critical Processes: Conduct a Business Impact Assessment to identify critical services, processes, and assets that provide essential services as defined in NIS2.
  3. Establish Risk Management System: Implement a risk and information security management system to manage information security risks effectively. This system should cover risk management policies, incident handling, business continuity, supply chain security, and more.
  4. Understand Requirements: Familiarize yourself with the minimum requirements set by NIS2 and ensure compliance with these standards. Member states may choose to set higher standards than the minimum requirements.
  5. Prepare Incident Response Plan: Develop an Incident Response Plan to coordinate response efforts in case of cybersecurity incidents. This plan should outline procedures for handling and reporting incidents as required by NIS2.
  6. Assess Cyber Defence Posture: Evaluate your organization's cyber defence posture across various functions, focusing on areas like risk analysis, information system security policies, incident handling, business continuity, and supply chain security.

How can Knowledge Exchange help?

By joining Knowledge Exchange, you will be paired with a Key Account Manager who will act as your central contact for all your IT needs. Your Account Manager searches for the right information on your behalf and links you to a market player who can offer you a specific solution to the cybersecurity challenges you are currently facing, so that you can get everything you need in place to ensure compliance. Get in touch to learn more.

*The images in this post were created using AI.
COPYRIGHT © 2023 ANTERIAD