
The NIS2 Directive: What Is It – and How Do You Prepare for It in Time

Phishing attacks. Ransomware. Data breaches. Spoofing. Human errors resulting in exposure.

The NIS2 Directive is the result of – and the necessity for – this new cyber threat landscape.


But what is the NIS2 Directive all about? And how do you prepare for it – in time?


We’ll tell you the answers here.

What is the NIS2 Directive?

NIS is short for Network and Information Security.


It’s an EU directive that defines a set of rules aimed at strengthening the overall level of cybersecurity in the EU – especially to protect critical infrastructure – and at aligning those rules across the member states.


The first NIS Directive, established in 2016, marked a significant milestone as the first EU-wide legislation dedicated to cybersecurity.


Several years down the line, the digital landscape has witnessed a big rise in threats, largely due to rapid digitalization and a notable surge in cyberattacks.

This has led to the development and finalization of the NIS2 Directive in 2022.


As a successor to the original NIS Directive, NIS2 seeks to address these emerging challenges by expanding its scope to cover a broader range of sectors.


As an example, this means that an EU country like Germany would go from 1,800 organizations covered by NIS1 to 29,000 organizations covered by NIS2.

It also introduces stricter compliance requirements and enhanced security protocols. This is to ensure a more resilient and secure digital infrastructure across the EU.

Every member state in the EU must transpose the NIS2 Directive into national law from October 18, 2024.


It also means that we all need to be patient and wait for a complete and final clarification of what each national law will require from the entities: whether requirements will differ between sectors, whether municipalities will be affected, and so forth.

However, we already know the minimum requirements that come with the NIS2 Directive. We recommend you start here as soon as possible to be as prepared as possible – so that you don’t have to start from scratch when the implementation deadline gets close.

#1: Requirements for adequate security

You have to comply with these 10 requirements to ensure adequate security:

  • Policies on risk analysis and information system security
  • A plan for handling incidents
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resource security, access control policies, and asset management
  • The use of multi-factor authentication or ongoing authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where relevant.

#2: Awareness and training of management, board members, and key employees

Your management must undergo training, and you should also offer training to your employees on an ongoing basis.

This is to ensure that they get the knowledge and skills they need to identify risks, and that they can assess cybersecurity risk-management practices and their impact on the services that your company offers.

#3: Reporting of incidents to the authorities

NIS2 has a multi-step approach to incident notification. This is to find the balance between rapid reporting to prevent the spread of incidents and in-depth reporting to learn valuable lessons.


Covered entities have:

  • 24 hours to submit an early warning
  • 72 hours to submit an incident notice
  • One month to submit a final report.

Wrap-up

Since the ‘compliance countdown’ has begun, there’s neither reason nor time to start from scratch.

We therefore recommend that you start with the minimum requirements now. If you’d like to go more in-depth with NIS2 and how to prepare for its requirements in time, you’re more than welcome to download our NIS guide here.
