In October 2024, businesses across the European Union will enter a new phase in cybersecurity compliance with the full implementation of the Network and Information Security Directive 2 (NIS2). This directive represents a major enhancement of cybersecurity requirements for critical infrastructure and essential services throughout the EU. With NIS2, the European Union aims to strengthen the defences against the escalating cyber threats that have increasingly targeted key sectors in our society.
What is NIS2?
NIS2 is an evolution of the original NIS Directive, which was the EU’s first comprehensive cybersecurity legislation, introduced in 2016 and enforced from 2018. The original directive established foundational cybersecurity capabilities at the national level, mandated the creation of Computer Security Incident Response Teams (CSIRTs), and imposed security measures and incident reporting obligations on operators of essential services and digital service providers.
Building on this foundation, NIS2 expands its scope and tightens its requirements to address the evolving landscape of cyber threats. The directive now covers a broader range of sectors, including health, financial markets, digital infrastructure, and energy. NIS2 also imposes stricter obligations for risk management, incident reporting, and supply chain security, compelling organisations to adopt a more comprehensive and proactive approach to cybersecurity.
Key Changes and Requirements Under NIS2
- Expanded Scope of Coverage:
- NIS2 extends its reach to include additional sectors and entities, encompassing medium and large enterprises in critical sectors. Organisations that were previously outside the scope of the original NIS Directive will now need to comply with the enhanced requirements of NIS2.
- Stricter Risk Management Obligations:
- Organisations are required to implement a comprehensive array of cybersecurity risk management measures. These include policies for access control, incident handling, business continuity, and disaster recovery. There is also a heightened focus on supply chain security, reflecting the growing risks associated with third-party vendors.
- Enhanced Incident Reporting:
- NIS2 mandates faster and more detailed reporting of cybersecurity incidents. Organisations must notify relevant national authorities of significant incidents within 24 hours of becoming aware of them, followed by a detailed report within 72 hours. This significantly tightens the reporting timeline compared to the original directive.
- Increased Penalties for Non-Compliance:
- One of the most striking aspects of NIS2 is the introduction of tougher penalties for non-compliance. National authorities are now empowered to impose fines of up to 10 million euros or 2% of an organisation’s global turnover, whichever is higher. This aligns NIS2 with the General Data Protection Regulation (GDPR) in terms of enforcement and penalties.
- Greater Cooperation and Information Sharing:
- NIS2 encourages enhanced cooperation and information sharing among EU member states through the establishment of the European Cyber Crises Liaison Organisation Network (ECRN). This initiative is designed to improve the coordination of responses to large-scale cyber incidents and crises.
What Should Your Organization Do?
If your organisation falls within the scope of NIS2, it is crucial to begin preparations now to ensure compliance by the October 2024 deadline. Here are some steps to consider:
- Conduct a Risk Assessment: Evaluate your current cybersecurity measures against the requirements of NIS2. Identify any gaps and prioritise actions to address them.
- Strengthen Incident Response Capabilities: Ensure that your incident response plans are robust, with clear procedures for detecting, responding to, and reporting incidents.
- Review Supply Chain Security: Assess the cybersecurity posture of your third-party vendors and suppliers. Implement measures to mitigate risks associated with the supply chain.
- Engage Leadership and Governance: Ensure that cybersecurity is elevated to a board-level issue. Leadership should be actively involved in overseeing the organisation’s cybersecurity strategy and compliance efforts.
- Stay Informed: Keep up to date with additional guidance or regulations that may be issued by national authorities as they transpose NIS2 into national law.
Conclusion
The implementation of NIS2 marks a significant leap forward in the EU’s efforts to enhance cybersecurity across critical sectors. As cyber threats continue to grow in both scale and sophistication, NIS2 aims to ensure that organisations are not only prepared to defend against these threats but are also held accountable for their cybersecurity practices.
For businesses, NIS2 presents both a challenge and an opportunity—a challenge to meet stricter compliance requirements, and an opportunity to strengthen cybersecurity resilience and protect critical operations in our digital world. With the October 2024 deadline fast approaching, the time to act is now.