
NIS2 Compliance: All you need to know

April 2024

What is NIS2?

What is usually referred to as NIS2 is Directive (EU) 2022/2555, the European Union's revised EU-wide legislation on cybersecurity.

It is known as the NIS 2 Directive because it repeals and replaces the previous EU legislation on the matter, the 2016 NIS Directive (Directive (EU) 2016/1148) “concerning measures for a high common level of security of network and information systems across the Union”.


From NIS to NIS2: Why was the NIS2 Directive needed?

The NIS Directive adopted in 2016 was the first-ever cybersecurity law in the European Union.

Despite its significant accomplishments in increasing Member States’ cybersecurity levels, the implementation of the NIS Directive was fragmented and inconsistent across Member States and impacted sectors.

Moreover, the framework showed its limits in addressing the new cyber threats that accompanied society's digital transformation and that the pandemic amplified.

The more heavily the European economy relies on digital solutions, the more disruptive a cyberattack can be, even one confined to a single entity or sector, because its effects can spread across the entire internal market and disrupt service delivery far beyond the original target.

To remedy these shortcomings and respond to the changed cyber-risk landscape, the European Commission proposed a revision, which became the NIS2 Directive, intended to:

  • Expand the scope of the legislation to more of the ICT-reliant sectors essential to our economy, such as energy, transport, banking, drinking water, healthcare, manufacturing, food production, and digital infrastructure.
  • Add future-proof rules aimed at strengthening the entities’ cyber resilience.
  • Improve Member States’ preparedness by requiring them to designate national Computer Security Incident Response Teams (CSIRTs), a competent national Network and Information Systems (NIS) authority, and a single point of contact (SPOC).
  • Reinforce Member States’ collaboration via the Cooperation Group and the CSIRTs Network to facilitate the exchange of information.


When did it enter into force? And what is your deadline to ensure compliance?

The NIS2 Directive entered into force on 16 January 2023 and gave Member States until 17 October 2024 to transpose its measures into national law; those national measures apply from 18 October 2024. If your organization is in scope, that is the date by which it needs to comply with the national law implementing the Directive.


What are the next steps?

The role of the EU
The Directive lays down general cybersecurity measures; the EU will also adopt implementing acts and certification schemes later on to further specify the technical requirements.

Additionally, the Directive has enhanced the role of the EU Agency for Cybersecurity (ENISA) in monitoring Member States' cyber hygiene policies by assigning new tasks to the agency, such as establishing and maintaining a European vulnerability database in which entities and competent authorities can disclose and register publicly known vulnerabilities, so that users of the affected products can take appropriate mitigating measures.

As of January 23rd, 2023, ENISA is a CVE Numbering Authority (CNA) for vulnerabilities in information technology (IT) products discovered by EU CSIRTs or reported to EU CSIRTs for coordinated disclosure.

As the first (and, until very recently, the only) CNA in Denmark, we at Secomea are thrilled to witness ENISA taking this important step to strengthen the cybersecurity landscape through a more efficient process for reporting vulnerabilities.

The role of Member States
By 17 October 2024, Member States must implement the requirements set by the Directive by adopting national laws.

In addition, each Member State is required to:

  • adopt a national cybersecurity strategy and a national incident and crisis response plan;
  • designate or establish one or more competent authorities responsible for supervising compliance;
  • designate a single point of contact to ensure cross-border cooperation with other Member States and with ENISA;
  • designate cyber crisis management authorities, which take part in EU-CyCLONe (the European Cyber Crisis Liaison Organisation Network);
  • designate or establish CSIRTs (Computer Security Incident Response Teams), which cooperate within the CSIRTs Network.

But that’s not all
The competent authority for each sector in scope will be tasked with mapping out the specific cybersecurity requirements that entities in that sector must follow.

The entities, in turn, will follow their sector-specific guidelines and demand that their suppliers live up to the new cybersecurity standards, since supply chain security is one of the measures Article 21 requires them to address.

Finally, suppliers will need to adjust, update, and improve their products and services so that they meet the new requirements of their customers.


What is the scope of the NIS2 Directive?

The NIS2 Directive applies to entities that belong to one of the sectors listed in its Annexes I and II (sectors providing services critical to society) and that are at least medium-sized under EU rules, meaning 50 or more employees, or an annual turnover or balance sheet total above EUR 10 million. There are exceptions: certain entities are in scope regardless of size, for example providers of some digital infrastructure services such as DNS, TLD registries, and trust services, as well as public administration entities.

The Directive distinguishes between essential and important entities based on how critical they are to society and on their size. While both categories must implement the same security measures and reporting obligations, they are subject to different supervisory regimes and enforcement measures, including different maximum fines.

Learn more about NIS2 scope and the different regime for essential and important entities.


What are the NIS2 requirements?

The requirements imposed on companies by the NIS2 Directive can be grouped into three broad areas:

  1. Management must be accountable for NIS2 compliance: management bodies must approve and oversee the cybersecurity risk-management measures, follow training on the subject, and can be held liable for compliance failures.
  2. Companies must implement preventive cybersecurity measures to mitigate the risk of cyber incidents. These technical, operational, and organizational measures must be appropriate and proportionate and must cover at least the 10 elements listed in Article 21(2) of the Directive, among them risk analysis and information system security policies, incident handling, business continuity and backup management, supply chain security, cryptography, access control and asset management, and the use of multi-factor or continuous authentication where appropriate.
  3. Companies must fulfill their reporting obligations when incidents occur: an incident that has a significant impact on the provision of their services must be notified to the CSIRT or competent authority with an early warning within 24 hours of becoming aware of it, a fuller incident notification within 72 hours, and a final report within one month.

Learn more about each of these NIS2 requirements.


How can you ensure compliance in your organization?

To support you in your compliance journey, we prepared a 10-step implementation program that includes the following phases:

  1. Assessing whether you are in scope of the NIS2 Directive: Are you an essential or important entity?
  2. Taking an inventory of your assets: Which systems, networks, and data do you use to provide critical services, and who (including suppliers and remote users) has access to them?
  3. Evaluating your risk posture: Which risks are you exposed to? Where would attackers try to infiltrate your network? Which vulnerabilities should you prioritize, based on the likelihood of exploitation and the severity of the impact?
    • Assessing the risk posed by your suppliers and service providers: Do you rely on NIS2-compliant vendors?
  4. Implementing cybersecurity measures: How are you protecting your assets from cyber incidents?
  5. Establishing arrangements to cope with cyberattacks, minimize the impact of incidents, and ensure business continuity: How will you contain the effects of an incident and recover the operations that are critical to society?
  6. Setting up reporting procedures to notify incidents to the authorities: Do you have processes in place to meet the notification deadlines?
  7. Training your staff: Are all of your employees able to recognize threats, detect them, and respond to them?
  8. Testing the effectiveness of your response arrangements: Can you demonstrate that your crisis management and disaster recovery plans work as expected?
  9. Periodically reviewing your response arrangements: Are your recovery strategies up to date, or do they need adjusting for new technologies you have adopted, new employees you have hired, or new cyber threats that have emerged?
  10. Documenting your compliance work and storing your crisis management and business continuity plans safely: Is your documentation backed up so that it stays accessible when you need it, including when your primary systems are unavailable?

Learn more about each of these steps to achieve NIS2 compliance.


How can you prepare for a NIS2 compliance inspection from the authorities?

If your organization falls within the scope of the NIS2 Directive, you should be prepared for the authorities to audit your compliance.

Essential entities are subject to both ex ante and ex post supervision, so inspections can happen at any time, including on a random basis. Important entities are supervised ex post only: the authorities act when they receive evidence, indications, or information that the entity does not comply, for example following an incident.

There are a few activities you can perform to get ready for a compliance audit and support a positive outcome.

Learn about best practices and success strategies to prepare for NIS2 audits from the authorities.


How can Secomea help you achieve NIS2 compliance?

Implementing Secomea’s secure remote access solution on your factory floors can serve as one of the technical measures that Article 21 of the NIS2 Directive requires you to take to manage the risks posed to the security of network and information systems and to prevent or minimize the impact of incidents, in particular for controlling who can reach your operational systems remotely.

Using Secomea can also help address further elements mandated by the legislation.

Read concrete examples of how Secomea’s features can help you fulfill specific NIS2 requirements.


Secomea: your trusted partner for NIS2 compliance

To help you take the right steps as you embark on your NIS2 compliance journey, we have compiled this whitepaper covering everything you need to know about the new cybersecurity legislation.



Privacy & Cookie Policy // Contact: +45 88 70 86 50 // info@secomea.com
© Secomea 2021, All rights reserved
