The abbreviation NIS stands for Network and Information Systems. In 2013, the European Union (EU) presented the first proposal for raising the level of cyber defence across Europe, which became the NIS directive.
The directive was adopted in 2016, and member states then transposed it into national law, each with its own variations in scope and enforcement. Recognizing that more specific and more uniform requirements were needed to meet Europe's growing demand for cybersecurity, the EU adopted NIS2 as its successor.
This whitepaper offers comprehensive details about the NIS2 directive, including its primary objectives, scope, and the requirements that companies must comply with.
Table of contents:
- Introduction
- The key objectives of NIS2
- Risk management measures
- Management responsibility is new in NIS2
- How is NIS2 enforced?
- Sanctions if you do not comply with NIS2
- Tactical considerations – Governance frameworks for security
- How can your organization prepare for NIS2?
- How can Conscia help you prepare for NIS2?
To read our entire whitepaper, just fill out the form, and we’ll send you our whitepaper: NIS2: Vision, key objectives, and tactical strategies for your organization, straight to your email as a PDF document.
FAQs about NIS2
NIS2 is an EU directive that replaces the original NIS directive, which was adopted in 2016 and had to be transposed by member states by 2018. NIS stands for Network and Information Systems.
The directive applies to the whole of the EU and aims to ensure a high and uniform level of cyber and information security so that critical infrastructure and society-critical services are better equipped against breakdowns and cyber threats from outside.
The new NIS2 directive covers far more sectors than before, tightens the requirements for supervision, and introduces the possibility of holding management personally liable for non-compliance.
NIS2 covers far more sectors than the original NIS directive. Entities operating critical infrastructure are covered, and they must in turn manage the security of their suppliers and service providers. The directive's annexes list 18 sectors. Sectors of high criticality (Annex I): energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. Other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. Education is not listed in the annexes, but member states may choose to include education institutions when they transpose the directive.
Small companies, meaning those with fewer than 50 employees and an annual turnover or balance sheet total of no more than 10 million euros, are generally not covered, but there are several exceptions for entities whose services are critical regardless of size (for example certain digital infrastructure providers, or the sole provider of an essential service in a member state). Furthermore, it is up to the national authorities in each member state to determine which entities are covered.
The directive distinguishes between "essential" and "important" entities, and depending on which category your organization falls into, different supervisory regimes and sanctions apply.
The directive must first be transposed into national legislation in each member state; the national law then sets out when the companies concerned must comply. Member states had until 17 October 2024 to transpose NIS2, so it applies to covered European companies, authorities, and organizations from that date onward, subject to each country's implementation. After that, it is the responsibility of the national authorities to enforce the directive, similar to the current situation with GDPR.
The requirements in NIS2 include, among other things:
- Policies for risk analysis and information system security
- Incident management (prevention, detection, and response to incidents)
- Business continuity and crisis management
- Supply chain security, including security-related aspects of relationships between entities and their suppliers or service providers, such as data storage and processing services or managed security services
- Security in connection with the acquisition, development, and maintenance of network and information systems, including the handling and disclosure of vulnerabilities
- Policies and procedures (testing and auditing) for assessing the effectiveness of measures to manage cybersecurity risks
- Policies and procedures on the use of cryptography and, where appropriate, encryption.
Watch our recorded webinar on the NIS2 directive and the potential impact on your organization
Today, organizations are connected across EU borders, so the cybersecurity of a foreign organization is not just that organization's problem. With the rise in cross-border cyberattacks, the EU has introduced a stronger security directive, the second Network and Information Systems Directive (the NIS2 Directive, Directive (EU) 2022/2555).
Watch our webinar to discover how to prepare for the NIS2 directive and its potential impact on your organization. Read more about our NIS2 webinar here.