Introduction to NIS 2: what it entails and how to comply

NIS 2 Directive

The NIS 2 Directive strengthens NIS 1 and introduces new requirements to improve the cybersecurity of networks and information systems. This introduction will cover the main points of the directive and the actions companies need to take.

DORA

The DORA (Digital Operational Resilience Act) is a European regulation aimed at improving the digital operational resilience of financial entities. It mitigates risks from digital transformation and promotes cybersecurity resilience in the financial services ecosystem. DORA helps banks and financial systems to prevent, respond to, and recover from cybersecurity issues. It introduces ICT risk management requirements and establishes uniform standards for supervising digital risks. DORA ensures that companies are prepared for cyber threats and operational disruptions.

NIS (1)

The NIS (Network and Information Security) Directive, introduced in 2016, improves the cybersecurity of networks and information systems in the European Union. It aims to protect critical infrastructures like energy, transport, healthcare, and finance from cyber attacks.

NIS 2

Who NIS 2 targets and what it entails

The NIS 2 Directive expands the scope of companies subject to the regulation. Unlike NIS, where member states decided essential service operators, NIS 2 uses a sizing rule. This rule applies to medium and large entities (with at least 50 employees and an annual turnover exceeding 10 million) in relevant sectors.

SMEs are generally excluded unless critical to society. NIS 2 also covers the entire supply chain. For example, an IT company supplying equipment or software for essential services falls under the law.

NIS 2 Industries

• Energy

• Transport

• Healthcare

• Finance

• Digital services

• Drinking water

• Wastewater

• Public Administration

• Space Industry

The European Parliament approved NIS 2 in November 2022. EU member states must comply by October 17, 2024.

Why a new directive?

Cyber threats evolved, making updates necessary. NIS 2 broadens and strengthens security measures to address new digital challenges and technologies.

What NIS 2 entails

NIS 2 requires organizations to adopt appropriate security measures to manage network and information system risks. It aims to prevent or minimize the impact of incidents.

NIS 2 strengthens incident reporting. Organizations must issue a preliminary notice within 24 hours of an incident and a detailed report within 72 hours. This ensures a rapid and effective response, contributing to a safer digital environment and operational continuity.

Essential and important entities

NIS 2 defines two categories of entities that must adopt specific security measures: Essential Entities and Important Entities.

Essential Entities

Essential Entities operate in sectors critical to society and the economy. Their compromise would significantly impact essential services.
Examples include:

• Energy (electricity, gas, oil)
• Transport (air, rail, road, maritime)
• Banks and financial market infrastructures
• Healthcare (hospitals, clinics)
• Drinking water and wastewater
• Digital infrastructures (data centers, cloud services)

Important Entities
Important Entities play key roles in various sectors. Their compromise could still cause significant damage. Examples include:

• Postal and courier services
• Medical device manufacturing
• Electronic communications services
• Digital services (search engines, social media platforms)
• Waste management services

Common obligations for Entities
-Conduct regular risk assessments to identify vulnerabilities,
-Adopt appropriate technical and organizational measures,
-Promptly notify security incidents to authorities,
-Share relevant information and collaborate to enhance overall security

What NIS 2mMeans for Companies

Companies often lack resources and specialized skills, making them vulnerable to cyber attacks. NIS 2 offers an opportunity to improve cybersecurity and protect businesses.

Here’s how to comply with NIS 2:
-Implement risk analysis and cybersecurity policies
-Adopt security measures like firewalls, antivirus software, regular backups, and staff training
-Develop business continuity plans, including backup management and disaster recovery
-Establish incident response procedures to reduce damage and restore operations quickly
-Ensure supply chain security, including relationships with suppliers and service providers
-Promote basic cyber hygiene practices and cybersecurity training
-Secure the acquisition, development, and maintenance of IT and network systems, including vulnerability management and disclosure.

NIS 2 is a significant step forward in protecting European digital infrastructures. It provides valuable guidance for organizations to improve cybersecurity.By following NIS 2 measures, companies can comply with regulations, better protect their data, and ensure operational continuity.