The aim of the NIS Directives is to strengthen the collective level of cybersecurity of EU Member States by increasing cybersecurity enforcement requirements for critical infrastructure sectors. But what does that mean? This article will help you get the basics.
What is NIS?
The abbreviation NIS stands for "Network and Information Systems". NIS2 is a continuation and extension of the previous EU Cybersecurity Directive, namely NIS1 from 2016.
Before the introduction of the NIS1 Directive, there were significant differences between Member States in the requirements imposed on organisations, in their level of detail, and in the way compliance was monitored. The NIS Directives eliminate these major differences and harmonise and streamline the level of security across all Member States.
As a result, the NIS1 directive is often referred to as the first cybersecurity legislation in the world.
NIS2 is the successor to NIS1 from 2016, and will take effect on 17 October 2024.
To which sectors does NIS2 apply?
A rule of thumb is that all medium-sized or large companies from the designated sectors fall within the scope of the NIS2 Directive and must comply with the imposed requirements.
The NIS2 regulation divides companies into "critical sectors" (such as postal and courier services, waste management and food production) and "highly critical sectors" (such as energy, transport and government).
Depending on which category your company falls into, and on its size, the NIS2 regulations impose more or less strict standards that you must meet.
What requirements does NIS2 impose on your company?
The NIS2 Directive adds new requirements in four primary areas of your business, namely (1) management, (2) reporting to authorities, (3) risk management and (4) business continuity.
The aim is to make Europe more resilient to current and future cyber threats.
1. Management
It is imperative that management is aware of and understands the requirements of the NIS2 Directive and the organisation's risk management efforts. Management has a direct responsibility to address cyber risks and to meet the requirements.
2. Reporting to authorities
Organizations must have processes in place to ensure that proper reporting is made to the authorities. For example, there is a requirement that incidents be reported within 24 hours.
3. Risk management
To meet the new requirements, organizations must implement measures that minimize both the likelihood and the consequences of risks. This includes incident management, enhanced supply chain security, network security, access control and encryption.
4. Business continuity
Organizations need to think about how to ensure business continuity in the event of major cyber incidents. This includes, for example, system recovery, emergency procedures and the establishment of a crisis response team.
Want to know more?
Is NIS2 on your plate? Would you like more information about how the NIS2 regulations determine exactly which category your company falls into, and what the 10 minimum measures are that you will have to take in any case? Do you want to understand the risks of non-compliance?