The new NIS2 directive is set to take effect in 2024, bringing stricter cybersecurity requirements for organizations across all EU member states. By aligning with the NIS2 directive now, organizations can gain a competitive advantage by enhancing their reputation and increasing the trust of their customers, ultimately driving growth and profitability.
NIS2: Europe’s Most Extensive Cybersecurity Directive To Date
Countdown to NIS2 Becomes Law: Are You Ready?
Essential Entities Under The NIS2 Directive
Including subsectors: electricity, oil, and gas.
Including subsectors: air transport, rail transport, shipping, and road transport.
Including subsector: healthcare environments (including hospitals and private clinics).
Banking & Financial Market Infrastructure
Financial market infrastructure, e.g., payment services
Digital infrastructures, such as the delivery of DNS and TLD registries.
Important Entities Under The NIS2 Directive
NIS2 categorizes the food sector as an important entity, encompassing all stages from farming to food processing, packaging, transportation, and retail sales.
Postal & Courier Services
Protecting Information: The Essential Security Requirements of NIS2
One of the key requirements is conducting a thorough risk assessment. This means that businesses impacted by NIS2 must take a close look at the security risks involved with their services and come up with appropriate measures to manage them. It's not just a matter of checking off a box - it's about continuously keeping your business and its customers safe and secure!
Businesses impacted by NIS2 must have a plan in place for how to handle potential cyber security incidents and quickly restore their services. It's like having a fire evacuation plan - you hope you'll never need it, but it's essential to have just in case. So, make sure your incident management plan is in place and ready to go!
When it comes to cyber security, there's no room for shortcuts. That's why NIS2 requires businesses to take appropriate technical and organizational measures to safeguard their networks and information systems. This means conducting regular security testing and implementing measures to protect against potential threats. Think of it like locking your doors and windows at night to keep your home safe - except, in this case, you're securing your business's digital assets.
With NIS2's incident reporting requirements, affected businesses must report serious security incidents to the national cybersecurity authority as quickly as possible. This means taking swift action to notify the proper authorities of any significant security threats to your business.
Having business continuity plans in place, including backup and recovery procedures, helps your business maintain its operations in the event of a cyber incident. This not only minimizes downtime but also ensures the continuity of your critical services.
NIS2 & NIS - What Is The Difference?
The NIS2 directive largely follows the same principles as NIS but with a number of important additions:
- More businesses, government authorities, and organizations will be subject to NIS2.
- Greater accountability in making sure your suppliers work securely.
- Introduction of sanctions, like those included in GDPR
- Requiring specific training for management
- Mandatory incident reports of so-called ”near misses”
- The use of encryption
Getting You Ready for NIS2 Compliance
What Is NIS2 & How Will It Affect Your Organization?
Under the NIS2 Directive, more entities and sectors will be required to take steps that will aid in improving cyber security in Europe. In addition to addressing supply chain security, NIS2 streamlines reporting obligations, introduces stricter supervisory measures, and introduces more enforcement requirements.
How the NIS2 Cyber Security Directive Will Impact You
As part of this webinar, we will be joined by Anders Jonson, a Cyber Security Expert and Senior Advisor at ENISA, who has been involved in the development of NIS2 for the EU.
Lessons on NIS2 Compliance: A Guide to Securing Critical Infrastructure
Discover how to navigate the scope of the NIS2 directive and comply with the requirements to prevent and respond to cyberattacks.
How Can Holm Security Help?
Prioritizing Security Gaps from a Risk-Based Perspective
We believe that taking a risk-based approach to cyber security is the best way to stay one step ahead of potential threats. By prioritizing security gaps in this way, you can strengthen the cycle for addressing new risks and vulnerabilities continuously. But it's not just about reacting to incidents that have already occurred. Our platform offers incident reporting, even for vulnerabilities without incidents, allowing you to proactively discover trends and patterns regarding your cyber security health. We'll ensure you're always on top of potential risks.
Partnering with Holm Security for NIS Compliance
We've helped hundreds of organizations meet the NIS requirements, thanks to our systematic, analytical and risk-based approach to cyber risks through continuous and automated vulnerability management. We know that achieving NIS compliance can be a daunting task. That's why we offer a Success Program, providing the tools, training, service, and support you need to make NIS compliance a part of your daily work. With our help, you can navigate the complexities of NIS compliance with ease, leaving you free to focus on what really matters - growing your business.
Stay Ahead of Potential Threats
With our platform, you can identify vulnerabilities, reduce risk, and ensure compliance, all with just a few clicks. We'll help you stay on top of potential threats, giving you peace of mind that your systems and data are always secure. So why wait? Take a significant step towards a more systematic approach to cyber threats and a stronger cyber defense with Holm Security.
What You Need To Know
What Is NIS2?
The NIS2 (Network and Information Systems) directive introduces several new requirements for organizations operating in the European Union. These include:
- Security requirements: NIS2 mandates that organizations implement appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems.
- Incident reporting: Organizations are required to report significant incidents that have a substantial impact on their network and information systems to the relevant national authority.
- Incident response: Organizations must have an incident response plan in place that outlines the necessary steps to be taken in the event of a cybersecurity incident.
- Cooperation: NIS2 emphasizes the importance of cooperation between EU member states, particularly in cross-border incidents.
- Penalties for non-compliance: NIS2 includes more severe penalties for non-compliance, which can include administrative fines of up to €10 million or 2% of the organization's global annual turnover, whichever is higher.
- Sector-specific requirements: The directive outlines specific requirements for each of the fifteen sectors covered by NIS2, based on the risk profile of each sector.
It is important to note that the specific requirements of NIS2 may vary depending on the sector and the country in which an organization operates.
When Is the NIS2 Implementation Date?
The NIS2 Directive is set to be put into applicable national law by all EU member states by 17 October 2024. This is a crucial date for businesses to take note of as failure to comply with the directive can result in severe consequences such as financial penalties and damage to reputation. So, it's essential that companies gear up and make necessary preparations to ensure full compliance well before the deadline. Don't wait until it's too late - act now to avoid any potential negative consequences.
What Sectors are Covered by NIS2?
If your organization falls under any of the categories below, NIS2 is applicable to you.
Essential Entities (EE)
Size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million or balance sheet of € 43 million
Water supply (drinking & wastewater)
e.g. cloud computing service providers and ICT management
Important Entities (IE)
Size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million or balance sheet of € 10 million
e.g. medical devices and other equipment
e.g. social networks, search engines, online marketplaces
Plus all sectors under “essential entities” and within the size threshold for “important entities”
What Are the NIS2 Fines?
The NIS2 directive takes a nuanced approach to administrative fines, differentiating between essential and important entities.
For those essential entities, the directive stipulates that Member States must set a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.
For important entities, the fines will be slightly lower, with NIS2 requiring Member States to fine them for a maximum of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.
It's essential for organizations to understand which category they fall under to ensure that they are fully compliant with the NIS2 directive and avoid any potential financial penalties. Stay on top of your game by knowing your status and taking the necessary steps to ensure compliance!
What Is the Difference between NIS2 & GDPR?
NIS2 is for European cybersecurity what GDPR was for European data protection. Where GDPR strengthened the requirements for how EU member states manage personal data, the aim of NIS2 is to ensure that all European companies and organizations that operate within critical infrastructure maintain an adequate level of cybersecurity.