Blog April 19, 2024

Who is affected by NIS2 and what does it mean for your compliance?

Yiannis Velitsikakis, Product Manager

In a regulatory landscape where new national, vertical, or international regulations are published on what seems like a weekly basis, the European Commission’s NIS2 Directive stands out. This legislation, which applies to all organizations operating across the European Union, has provided legally binding measures which organizations must abide by in order to ‘boost the overall level of cybersecurity in the EU.’

Why has NIS2 been introduced?

EU’s original NIS cybersecurity policy (Network and Information Systems Regulations) was introduced in 2016, came into effect in 2018 and its purpose was to help EU states establish a common level of security for network information systems. However, the framework, while successful in some instances, is now being enriched by the EU as NIS2, because according to the commission, it has shown ‘certain limitations’ to the success of its original goal of improving EU critical infrastructures’ resilience against cybersecurity risks.

This was exacerbated by something which the EU, and nobody else, could have foreseen; The Covid19 pandemic. This meant that all European organizations became increasingly reliant on digital solutions over the two main years of the Pandemic. This turn of events has radically boosted digitization, the efficient benefits of which are now being leveraged in an ongoing basis, adopting a plethora of new tools and processes that are considered the new operational system, as for example the hybrid working models that remain in place. This digital transformation has led to a huge spike in cybercrime and fraud, requiring for additional attention, and making the European Union to take action updating the original NIS.

What is new about NIS2, and what does this mean for your compliance?

The NIS2 directive expands its scope from the original 7 sectors, to a total of 15 sectors:

  • Chemicals
  • Digital infrastructure
  • Digital providers
  • Water Supply
  • Energy
  • Food
  • Finance
  • Health
  • Postal
  • Public Administration
  • Manufacturing
  • Research
  • Space
  • Transport
  • Waste Management

This has expanded the list of ‘critical’ industries by over 50%, meaning that many more organizations will have to abide by NIS2 compared to the previous situation.

The new organizational requirements relate specifically to four main areas:

  1. Risk management,
  2. Corporate accountability,
  3. Reporting obligations and
  4. Business Continuity.

Failure to comply with these areas could result in violations, which could in turn result in stringent compliance orders, audits, threat notifications to customers, and in the most serious instances, administrative fines of €10 Million or 2% of global annual revenue – Whichever is higher.

Organizations are legally obliged and accountable for implementing cyber security requirements mandated by NIS2-related laws. Management teams, including c-suite, are also affected.“

cyber buildings

NIS2 mandates essential and important entities to adopt baseline security measures designed to mitigate specific types of cyber threats. The following 10 are the minimum measures required by the directive:

  • Risk assessments and security policies for information systems.
  • Policies and procedures for evaluating the effectiveness of security measures.
  • Policies and procedures for the use of cryptography and, when relevant, encryption.
  • A plan for handling security incidents
  • Security around the procurement of systems and the development and operation of systems, which translates to requirements related to policies for handling and reporting vulnerabilities.
  • Cybersecurity training and a practice for basic computer hygiene.
  • Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organizations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.
  • A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.
  • The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication, when appropriate.
  • Security around supply chains and the relationship between the company and direct supplier. Companies must choose security measures that fit the vulnerabilities of each direct supplier. And then companies must assess the overall security level for all suppliers.

Appropriate next steps

If you think your organization is likely to be impacted by NIS2, the good news is that the Directive is not yet law, coming into final effect on October 17th, 2024. This gives organizations time to assess their readiness from a compliance perspective, by undertaking internal security audits and evaluations.

Undertaking these audits will touch on both establishing appropriate cybersecurity technology solutions and cybersecurity policy processes and for this reason, it is important to partner with an organization who can assess the effectiveness of both. Obrela’s solution responds to both needs addressing the requirements of NIS2 in a comprehensive manner, making sure your organization will effectively boost its resilience against cyber threats and will raise its overall level of cybersecurity considering both aspects of technology and processes while remain compliant to the increasing regulatory obligations.

To find out how Obrela can help ensure your organization is NIS2 complaint, get in touch.