The Network and Information Systems Directive (NIS2) brings an important update to the regulatory framework designed to improve the cybersecurity posture of critical sectors across the European Union. As the deadline for NIS2 implementation approaches, it's critical for organizations to understand whether they need to comply and, if so, what steps they need to take to ensure full compliance.
What Has Changed?
The Network and Information Systems Directive 2 (NIS2) is an evolution of the first NIS Directive, which was introduced in 2016 and implemented in 2018. NIS2 aims to strengthen the security of network and information systems in the Union. It extends the scope to cover more sectors and digital services, emphasizing the need for enhanced security measures by critical service providers and digital service platforms. The objective of the Directive is to harmonize the cyber security practices in the Member States and to ensure that the collective resilience against cyber threats is strong and uniform.
Does Your Organization Need to Comply with NIS2?
Here is a checklist to help you determine whether your company falls under the scope of NIS2:
Sector Classification:
- Does your company belong to the sectors listed in Annex 1 or 2?
| Sectors Annex 1 |
Sectors Annex 2 |
| Energy |
Digital Providers
Examples: Providers of online marketplaces, Providers of online search engines, Providers of social networking services platforms
|
| Transport |
Postal and courier services |
| Banking |
Waste Management |
| Financial Market Infrastructure |
Production, processing and distribution of food |
| Healthcare |
Manufacture, production and distribution of chemicals |
| Drinking water |
Research |
| Waste water |
Manufacturing |
Digital infrastructure
Examples: Internet Exchange Point providers, DNS service providers (excluding operators of root name servers), TLD name registries, Cloud computing service providers, Data center service providers, Content delivery network providers, Trust service providers, Providers of public electronic communications networks, Providers of publicly available electronic communications service |
|
ICT service management (business-to-business)
Examples: Managed service providers, Managed security service providers |
|
| Public Administration |
|
| Aerospace |
|
Criticality and Impact:
- Does your company play a critical role in the functioning of society or the economy?
- Would a disruption of your services have significant adverse effects on public safety, security, or economic activities?
Size and Scale:
- Is your organization operating in an Annex 1 or 2 sector at least medium-sized?
An organization is considered large based on the following criteria:
-
-
- A minimum of 250 employees, or
- An annual turnover of €50 million or more and a balance sheet total of €43 million or more.
An organization is considered medium-sized based on the following criteria:
-
-
- 50 or more employees, or
- An annual turnover and balance sheet total of €10 million or more.
IMPORTANT NOTE: There are several exceptions where the NIS2 requirements apply to organizations that do not meet the size threshold. Regardless of size, the Directive applies to entities identified as critical entities under Directive (EU) 2022/2557, as well as public electronic communication providers, trust service providers, domain name service providers and entities providing domain name registration services. If you answer "yes" to one or more of the other questions, your organization is likely to fall within the scope of NIS2, regardless of size..
Cross-Border Services:
-
- Does your company provide services across multiple EU member states?
- Could a disruption in your services have a cross-border impact?
If you answered "yes" to any of these questions, your company likely needs to comply with NIS2. Now, let’s explore the steps to achieve compliance.
Steps to Become Compliant with NIS2
1. Understand the Requirements:
-
-
- Risk Management: Implement risk analysis and information system security policies. Make sure you have a structured approach to identifying, assessing, and mitigating risks. You should also implement policies and procedures for evaluating the effectiveness of your cybersecurity risk management activities.
- Incident Handling: Develop procedures for incident detection, response, and recovery. Ensure you can report significant incidents within the required timeframes.
- Business Continuity: Establish and maintain robust business continuity plans, including backup management and disaster recovery strategies.
- Supply Chain Security: Ensure the security of supply chains by managing relationships with suppliers and service providers, focusing on their security practices.
- System Acquisition, Development, and Maintenance: Integrate security into the lifecycle of your systems, including vulnerability management and secure development practices.
- Cybersecurity Training: Provide regular training and awareness programs for all employees, emphasizing basic cyber hygiene practices.
- Cryptography Policies: Implement policies for the use of cryptography and encryption to protect sensitive data.
- Access Control: Enforce human resources security measures, including access control policies and asset management.
- Authentication Measures: Use multi-factor authentication or continuous authentication solutions to secure access to critical systems and data.
2. Conduct a Gap Analysis:
-
-
- Assess your current cybersecurity practices against the NIS2 requirements.
- Identify areas where your organization falls short and needs improvement.
3. Develop a Compliance Roadmap:
-
-
- Create a detailed plan to address gaps and achieve compliance.
- Set realistic timelines and allocate necessary resources for implementation, prioritizing the implementation of measures that mitigate the most critical risks.
4. Implement Technical and Organizational Measures:
-
-
- Update your cybersecurity policies and procedures to align with NIS2 standards.
- Invest in controls that mitigate identified risks, such as HR security processes and role-based training.
5. Regular Audits and Testing:
-
-
- Conduct regular internal and/or external security audits and vulnerability assessments to ensure ongoing compliance.
- Test your incident response and business continuity plans through simulations and drills.
6. Report and Document:
-
-
- Maintain comprehensive records of risk management, incidents, and response actions.
- Ensure you can produce required documentation during audits or inspections by regulatory authorities.
Compliance Timeline
EU Member states have until October 17th 2024 to transpose the directive into national law. Organizations should aim to be fully compliant by this date to avoid potential penalties and ensure they contribute to the collective cybersecurity effort.
Future-proofing your Organization Beyond NIS2 Compliance
Ensuring compliance with NIS2 is not just about meeting regulatory requirements; it’s about safeguarding your organization’s operations and the wider digital ecosystem. By following this checklist and taking proactive steps, your company can achieve compliance and enhance its cybersecurity resilience.
CyberCoach can help you meet NIS2 security awareness training, incident reporting
and continuous risk assessment requirements all in one easy solution directly in Teams/Slack.
