Introduction of NIS 2

The Network and Information Security Directive (NIS2) addresses the escalating cybersecurity risks facing the EU, alongside the heightened interdependencies among companies, sectors, and national borders.

Set to be implemented on October 18th, 2024, NIS2 affects all entities providing essential or important services to the European economy and society, including both companies and suppliers.

Background

The European Union (EU) has taken significant steps to strengthen cybersecurity measures that protect critical infrastructure and services. The Network and Information Security Directive (NIS Directive) was introduced in 2016 to address cybersecurity threats. In line with the EU's cybersecurity strategy, a thorough review of the existing NIS Directive was decided upon in 2020.

The review identified, among other things, that supervision under the NIS Directive was largely ineffective and did not take modern cybersecurity threats into consideration. Implementation and compliance levels also differed among the member states at a national level. Therefore, based upon the experiences and lessons learned, the EU adopted the NIS2 Directive, a comprehensive and updated framework designed to strengthen cybersecurity across member states.

Key features of NIS2

NIS2 includes more detailed requirements aimed at harmonising the incorporation of the rules within the EU. The directive also aims to strengthen the resilience of the internal market and to enhance its ability to respond to incidents and cyberattacks.

  • Broader Scope: NIS2 expands the scope of critical sectors to include not only essential services but also additional sectors like research, education, and manufacturing.
  • Enhanced Cooperation: The directive emphasises increased cooperation and information sharing among member states, recognising that cybersecurity threats are often cross-border in nature.
  • Incident Reporting Obligations: NIS2 introduces mandatory incident reporting for a broader range of entities. This ensures that any cybersecurity incident with a significant impact is promptly reported, enabling faster response and mitigation measures.

How to prepare for NIS2

  1. Assess whether your entity is in scope for the NIS2 Directive and, if so, register with the relevant supervisory authority.
  2. Measure your maturity level through a gap analysis to assess your current state.
  3. Ensure that the existing cyber and information security framework includes relevant organisational and technical measures, including internal compliance controls.
  4. Identify critical systems and their potential risks, and conduct a risk assessment with an action plan.
  5. Raise awareness and provide training to all your employees.
  6. Update your governing documents including your information security policy.
  7. Ensure that your incident management and reporting process is clear and efficient and that you are aware of the new NIS2 requirements.
  8. Ensure that third-party vendors and partners adhere to security standards and include contractual obligations for cybersecurity in service-level agreements.

Next up

The Swedish government has appointed a special investigator to propose the adaptations to Swedish law that are necessary for the implementation of the NIS2 Directive. These proposals are to be presented no later than the 23rd of February, and Advisense will comment on this adaptation on the 27th.

Karin Pålshammar

Director, Cyber & Digital Risk

Jonas Blomqvist

Director, Cyber & Digital Risk
