The European Union’s Network and Information Systems Security Directive (NIS2) sets a new standard for corporate cybersecurity: it specifies the cybersecurity measures companies must take so that their networks and information systems remain protected against cyber threats.
Which companies are affected
The new NIS2 Directive affects all medium-sized and large companies in the following sectors classified as essential or important: energy; transport; banking; financial market infrastructures; healthcare; drinking water; waste water; digital infrastructure; ICT service management; space; postal and courier services; waste management; manufacture, production and distribution of chemical substances and mixtures; production, processing and distribution of food; digital service providers; research; and manufacture of medical devices, IT, electronic and optical products, electrical equipment, machinery, motor vehicles and transport equipment.
Aims of the NIS2 Cybersecurity Directive
The NIS2 Cybersecurity Directive builds on the previous NIS1 Directive adopted in 2016. Its ultimate goal is to strengthen the capabilities of organisations operating in the EU that perform critical functions for society and the economy. To this end, it proposes to:
- reduce inconsistencies in how cybersecurity threats are addressed;
- raise awareness of cybersecurity;
- improve the ability of organisations to respond to incidents.
People, processes and technology
When the NIS2 Directive comes into force, thousands of companies will have to proactively implement a range of measures, including information systems security policies and risk analysis, incident management, backup management, crisis management, supply chain security, maintenance of network and information systems, cyber hygiene, cybersecurity training and access control policies.
Compliance with the NIS2 Directive does not only involve the ICT department or the CISO (Chief Information Security Officer). Nor is it enough to acquire new technologies to deal with cyber-attacks. To comply with NIS2, it is necessary to build a security culture that affects the entire organisation. In other words, it is a question of companies having better cybersecurity practices and a general culture that reaches each and every member of the organisation.
This is why each requirement of the NIS2 Directive is divided into three categories: people, processes and technology.
People
Providing all staff with cybersecurity training as soon as they join the company ensures that cybersecurity is always a priority. This requirement should not be limited to the organisation's own members: partners must meet it too.
Processes
Cybersecurity processes must constantly evolve to stay ahead of cybercriminals.
Technology
The company must ensure that it has the right technology to defend itself against any threat, so the supporting infrastructure must grow at the same pace as the business: expansion creates new risks and more assets to protect.
Timetable for implementation
EU member states have until 17 October 2024 to transpose NIS2 into national law. Thousands of companies will therefore have to adopt measures this year to increase their resilience and their capacity to respond to cybersecurity incidents.
Compliance with the new regulation can be challenging. However, companies that prioritise cyber security now will be much better prepared to defend against current and emerging security threats and accelerate their growth. On the other hand, the costs of non-compliance with the Directive could include fines, reputational damage and loss of customers.
Compliance with the NIS2 Directive requires full coordination between the IT, cybersecurity, risk management and legal departments. For this reason, we recommend that you trust Confianz to advise you on the implementation of this complex regulation that could be key for the future of your company.