Next year, on October 18, a new European directive on network and information security takes effect: NIS2. Because cyber threats have increased and society has become highly dependent on IT, the existing rules were found to be no longer adequate, and the EU has set stricter requirements. NIS2 therefore succeeds the first NIS directive, which has applied since 2018, and it is going to "force" more organizations to get their cybersecurity in order. Yes, most likely yours as well.
NIS stands for Network & Information Systems: a European directive aimed at improving the resilience and security of network and information systems within the EU. The NIS directive focuses on key sectors such as water, energy and telecom, because when companies in these sectors fail, the impact on the economy and society is often disruptive. The first NIS directive was meant to ensure that companies in these sectors implemented appropriate measures to secure their network and information systems and keep them running. This included an obligation to report incidents with a significant impact to the competent authority, and fines if things were found to be out of order.
Each EU country could, however, decide for itself how to implement and enforce those rules, which resulted in considerable differences between member states. The NIS2 Directive was therefore published late last year and gives member states until October 18, 2024 to make the changes and adjust their laws and regulations. It ensures that:
If your company falls under the NIS2 directive, there are consequences:
Reporting those potential threats is a very sweeping measure as far as I'm concerned. Where the first NIS directive required you to report significant incidents without undue delay, NIS2 sets a 24-hour deadline for the first early warning (followed by a fuller notification within 72 hours and a final report within a month) and, beyond actual incidents, also expects you to deal with significant cyber threats: warning the recipients of your services about them and, on a voluntary basis, notifying the authorities. This means that your IT department will have to be very active in monitoring and reporting.
Exactly how you will have to report has not yet been fully determined, and Q4 2024 may still seem a long way off, but from experience I know that active monitoring is incredibly time-consuming, let alone designing your security optimally. The latter is something you can start on today, so don't wait until the end of next year to review your security and your procedures; start with the following aspects:
As you can see, a lot goes into setting up and maintaining solid security. It involves not only technology, but also the processes within the company and the people who work there. The list above will help you determine which measures you still need to implement or tighten to be as NIS2-ready as possible.
If you want to know more about this topic or exchange views, feel free to contact me.
Dirk de Goede
Security Solution Specialist Insight
Tel: 06 5775 0705