Network and Information Security (NIS) 2.0 Directive

The NIS2 Directive (Network and Information Security Directive 2) is a revised version of the original NIS Directive, developed by the European Union to strengthen the cybersecurity landscape in Europe. Its goal is to enhance the resilience and cybersecurity of critical infrastructures and digital services. The directive targets companies and organizations operating in essential or important sectors and requires them to implement a series of measures to improve their cybersecurity.

Requirements for Companies

Companies falling under the NIS2 Directive must implement a set of security requirements aimed at better protecting their networks and information systems against cyberattacks. The key requirements include:

  • Risk Management and Security Measures:
    • Companies must implement an effective risk management system tailored to the specific cyber risks of their industry.
    • Technical and organizational measures must be taken to ensure the security of networks and information systems. This includes safeguards such as firewalls, Intrusion Detection Systems (IDS), regular security audits, and emergency plans.
  • Incident Reporting:
    • Companies are required to report significant security incidents to the competent authorities within a specified timeframe. This includes incidents that could cause major operational disruptions or compromise sensitive data.
  • Continuity Management:
    • Companies must develop and implement contingency plans to ensure the continuity of their essential services in the event of a security incident.
  • Training and Awareness:
    • Regular training and awareness programs for employees are necessary to increase awareness of cyber risks and ensure compliance with security policies.
  • Access Management:
    • Companies must ensure that only authorized personnel have access to critical systems and data. This can be achieved through the implementation of multi-factor authentication and strict access policies.

Implementation Steps for Companies

To meet the requirements of the NIS2 Directive, companies must follow a series of steps:

  1. Assessment of Cybersecurity Status:
    • First, a thorough assessment of the company’s current cybersecurity status must be conducted. This includes identifying vulnerabilities, evaluating existing safeguards, and analyzing potential threats.
  2. Development of a Security Plan:
    • Based on the results of the security assessment, a comprehensive security plan must be developed. This plan should outline clear measures for risk reduction, implementation of NIS2 requirements, and preparation for potential security incidents.
  3. Implementation of Security Measures:
    • The measures outlined in the security plan must be implemented. This may include the installation of new security technologies, employee training, or the introduction of new organizational processes.
  4. Involvement of Stakeholders:
    • Identify the employees who hold key positions of responsibility and define their roles in the security organization.
  5. Monitoring and Reporting:
    • Companies should continuously monitor their networks and information systems to detect and respond to security incidents promptly. They must also ensure that incidents are reported to the relevant authorities in a timely manner.
  6. Alignment with Other Regulatory Requirements and Legal Provisions:
    • Place the NIS2 measures within the company’s existing cybersecurity specifications so that the security strategy can be improved continuously and consistently.
  7. Regular Review and Adjustment:
    • Security measures should be regularly reviewed and adjusted as needed to respond to new threats and changing technological environments.

Which Companies Must Implement the Requirements?

The NIS2 Directive targets companies operating in essential or important sectors. The essential sectors include:

  • Energy
  • Transportation
  • Drinking water and wastewater management
  • Healthcare
  • Banking
  • Financial market infrastructures
  • Digital infrastructure
  • Public administration

Additionally, the requirements apply to companies providing digital services, such as:

  • Cloud computing service providers
  • Online marketplace providers
  • Search engine providers

The NIS2 Directive expands the scope compared to the original NIS Directive, meaning more companies are affected. The exact identification of companies is done by the Member States, which can include additional companies in the regulation if deemed necessary.

Implementation Timeline

The NIS2 Directive was published in the Official Journal of the European Union on December 27, 2022. Member States have until October 17, 2024, to transpose the directive into national law. From that point on, affected companies must comply with the NIS2 Directive’s requirements. It is important for companies to begin implementation early to ensure they meet the requirements on time.