The NIS & NIS2 Directive
The first version of NIS entered into force in 2018. The main purpose of NIS is to create a more resilient and secure digital environment within the EU member states by establishing common cyber security standards, enhancing the protection of critical infrastructure, promoting risk-based cyber security practices, and fostering cooperation and information sharing among member states and relevant stakeholders. The threat landscape is constantly changing, and the threats are becoming bigger. EU has decided to develop NIS with a second version. The NIS2 Directive will take effect in October 2024 and seeks to enhance the work further started with the NIS Directive.
News in the NIS2 Directive
The NIS2 directive largely follows the same principles as NIS but with several important additions. Here are some highlights.
- More entities (industries) and sectors are covered.
- New methods of selection and registration.
- New incident notification deadlines.
- Greater accountability for management and personal responsibility.
- Introduction of sanctions, like those included in GDPR.
- Mandatory incident reports, also for so-called ”near misses”.
Countdown to NIS2 Becomes Law: Are You Ready?
Requires a Risk-Based & Systematic Approach
Implementing risk-based and systematic cyber security practices is one of the most important areas of NIS and NIS2. Organizations should assess and manage cyber security risks effectively based on their specific circumstances and the potential impact of cyber incidents. A systematic approach goes hand in hand with creating a proactive approach – a pillar in any cyber security strategy.
Cyber Security Risk Management Measures
Essential and Important entities must take appropriate and proportional technical, operational, and organizational measures to manage the risks posed to the systems that underpin their services and prevent or minimize the impact of incidents on their and other services.
- Risk analysis and information system security.
- Incident handling.
- Business continuity measures (back-ups, disaster recovery, and crisis management).
- Supply chain security.
- Security in system acquisition, development, and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures.
- Basic computer hygiene and training.
- Policies on appropriate use of cryptography and encryption.
- Human resources security, access control policies, and asset management.
- Use of multi-factor, secured voice/video/text communication and secured emergency communication.
Management Responsibilities with NIS2
Senior management has ultimate responsibility for cybersecurity risk management in Essential and Important Entities. Failure by management to comply with NIS2 requirements could result in serious consequences, including liability, temporary bans, and administrative fines as provided for in the implementing national legislation.
Management bodies of Essential and Important Entities must:
- Approve the adequacy of the cybersecurity risk management measures taken by the entity.
- Supervise the implementation of the risk management measures.
- Follow training in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity.
- Offer similar training to their employees on a regular basis.
- Be accountable for the non-compliance.
RECORDED WEBINAR
Upgrade Your Cyber Defense To Comply With NIS2 - A Step-by-Step Guide On How To Prepare
Industries Impacted by NIS2
The first version of NIS impacted a limited number of entities (industries). With NIS2 comes extended coverage to 15 entities. The former distinction between Operators of Essential Services (OES) and Digital Service Providers (DSP) in the original NIS Directive is replaced by a distinction between Essential Entities (EE) and Important Entities (IE), depending on factors such as size, sector, and criticality. Both entity types must follow the NIS2 framework for cyber security, whereas Important Entities have a more strict framework.
Essential Entities
Energy
Including subsectors; electricity, oil, and gas.
Transportation
Including subsectors; air transport, rail transport, shipping, and road transport.
Health
Including subsector; healthcare environments (including hospitals and private clinics).
Public Administration
Banking & Financial Market Infrastructure
Financial market infrastructure, e.g., payment services.
Digital Infrastructures
Digital infrastructures, such as the delivery of DNS and TLD registries.
Water Supply
Space
Important Entities
Digital Providers
Food
NIS2 categorizes the food sector as an important entity. Encompassing all stages from farming to food processing, packaging, transportation, and retail sales.
Chemicals
Manufactoring
Research
Waste Management
Postal & Courier Services
Holm Security Helps You Take a Huge Step Towards NIS/NIS2 Compliance
Holm Security help has helped hundreds of organizations throughout the EU to comply with the NIS Directive and is now helping more to comply with NIS2. We provide the tools you need to take huge steps towards compliance.
- Perform automated and continuous (systematic) risk assessments.
- Create a proactive approach towards cyber security
- Implement basic cyber hygiene practices and cybersecurity training.
- Provide the tools needed to secure the supply chain.
- Help management supervise the implementation of risk management.
- Demonstrate compliance based on data and reports.
Don't Wait Until It's Too Late. We'll Help You Comply with NIS2 Regulations
Start your compliance journey now.
What You Need To Know
How do I know if my organization must comply with NIS2?
The first step to comply with NIS2 is understanding whether your organization must comply. We recommend looking at our NIS2 quick reference and referring to your local authorities' guidance.
What is the key purpose of NIS and NIS2?
Increasing Cybersecurity Resilience
NIS2 encourages member states and critical infrastructure operators to enhance their cyber security resilience and preparedness to respond to and recover from cyber incidents effectively.
Harmonizing Cybersecurity Standards
It seeks to harmonize cyber security standards and practices across the EU to ensure a consistent and high level of security across the digital landscape.
Mandatory Reporting of Incidents
NIS2 mandates reporting significant cyber incidents to national authorities and establishes a coordinated mechanism for sharing information on cyber threats and incidents among member states.
Critical Infrastructure Protection
The directive specializes in protecting critical infrastructure sectors, such as energy, transport, healthcare, and digital infrastructure, requiring them to meet specific cyber security requirements.
Enforcement and Penalties
NIS2 introduces measures for effectively enforcing cyber security requirements and penalties for non-compliance, incentivizing organizations to invest in cyber security measures.
Cooperation and Information Sharing
It promotes cooperation and information sharing among member states and between the public and private sectors to enhance collective cyber security defense.
Why is there a NIS2?
These are the main reasons for the second version of NIS (NIS2) coming in October 2024:
- Evolving cyber threat landscape
- Increased dependency on digital
- infrastructure
- Technological advancements
- Lessons learned from NIS1
- Harmonization and consistency implementation
- Expansion of scope
- Alignment with other EU legislation
International cooperation
What are the news in NIS2?
To summarize, the news in NIS2 is the following:
- More entities (industries) and sectors are covered.
- New methods of selection and registration.
- New incident notification deadlines.
- Greater accountability for management and personal responsibility.
- Introduction of sanctions, like those included in GDPR.
- Mandatory incident reports, also for so-called ”near misses”.
When will NIS2 enter into effect?
The NIS2 Directive is set to be put into applicable national law by all EU member states by 17 October 2024. This is a crucial date for businesses to take note of as failure to comply with the directive can result in severe consequences such as financial penalties and damage to reputation. So, companies must gear up and prepare to ensure full compliance well before the deadline. Be sure to act now to avoid any potential negative consequences.
What are the NIS2 fines?
The NIS2 directive takes a nuanced approach to administrative fines, differentiating between the Essential and Important Entities.
Essential Entities
A maximum of at least 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.
Important Entities
A maximum of at least 7,000,000 EUR or 1,4% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.
How can Holm Security help my organization comply with NIS2?
Implementing risk-based cyber security practices is one of the most important areas of NIS and NIS2. Holm Security helps organizations that must comply with NIS and NIS2 within several key areas:
- Perform automated and continuous (systematic) risk assessments.
- Create a proactive approach towards cyber security
- Implement basic cyber hygiene practices and cyber security training.
- Provide the tools needed to secure the supply chain.
- Help management supervise the implementation of risk management.
- Demonstrate compliance based on data and reports.
Is vulnerability management required for compliance with NIS and NIS2?
Referring to the requirements stated by EU and local authorities, vulnerability scanning or security scanning is a requirement as a part of the key element: risk assessment. For instance, The National Cyber Security Centre (NCSC) of Ireland and The Swedish Civil Contingencies Agency (MSB) both refer to vulnerability management as a critical element in compliance with the NIS2 Directive.
When complying with NIS/NIS2, what must we consider regarding our suppliers?
One of the focus areas of NIS2 is about securing the supply chain. This means that you will have to make sure not only that your organization is secure but also that your suppliers. In other words, you will have a responsibility to secure the entire supply chain. We’re happy to tell you more about our solutions for securing your supply chain.
I’m a supplier to an organization that must comply with NIS/NIS2 – what should I consider?
As a supplier to an organization that must comply with NIS/NIS2, you must ensure that you fulfill more or less the exact security requirements. Even if NIS2 will not hit your organization directly, you must still comply. Contact us to discuss how we can help you become ready to meet the future NIS2 requirements for the supply chain.
Getting You Ready for NIS2 Compliance
What Is NIS2 & How Will It Affect Your Organization?
Under the NIS2 Directive, more entities and sectors will be required to take steps that will aid in improving cyber security in Europe. In addition to addressing supply chain security, NIS2 streamlines reporting obligations introduces stricter supervisory measures, and introduces more enforcement requirements.
How the NIS2 Cyber Security Directive Will Impact You
As part of this webinar, we will be joined by Anders Jonson, a Cyber Security Expert and Senior Advisor at ENISA, who has been involved in the development of NIS2 for the EU.
Lessons on NIS2 Compliance: A Guide to Securing Critical Infrastructure
Discover how to navigate the scope of the NIS 2 directive and comply with the requirements to prevent and respond to cyberattacks.