Blog NIS2 guideline: What are the consequences for you?
By Insight Editor / 10 May 2023 / Topics: Cybersecurity
By: Dirk de Goede, Security Solution Specialist Insight
What is NIS2?
Next year on October 18, a new directive for network and information security will go into effect in Europe: NIS2. Due to the increase in cyber threats and society's high dependence on IT, it has become apparent that the current guidelines are no longer adequate, necessitating stricter requirements from the EU. NIS2 therefore succeeds the NIS directive that has been in place since 2018, and it is going to "force" more organizations to have their cybersecurity in order. Yes, most likely yours as well.
From NIS to NIS2
NIS, or Network & Information Systems, is a European directive aimed at improving the resilience and security of network and information systems within the EU. The NIS directive focuses on key sectors such as water, energy and telecom. When companies in these sectors fail, they often have a disruptive impact on the economy and society. The first NIS directive aimed to ensure that companies in these sectors implemented appropriate measures to ensure the security and continuity of their network and information systems. This included the obligation to report data breaches to regulatory authorities and fines if things were found to be out of order.
Now it is the case that each EU country could determine the implementation of and compliance with those rules itself. So the NIS2 Directive was published late last year and gives member states until Oct. 18, 2024 to make the changes and adjust laws and regulations. It ensures that:
- EU countries to become much more unified on cybersecurity and especially on its enforcement by regulatory bodies.
- The list of sectors grows larger, distinguishing between essential and important companies:
- Essential companies are those with 250 employees or a net turnover of more than €50 million and a balance sheet total of €43 million. These companies will be proactively monitored by regulatory authorities.
- Major companies employ more than 50 people and have annual sales greater than €50 million. These companies can expect an audit once in a while.
- Exception: Smaller than 50 employees and €50 million, but are you a provider of trust services (digital services that ensure the confidentiality, integrity and authenticity of electronic transactions, communications and documents)? If so, your organization must also comply with NIS2.
Active monitoring
If your company falls under the NIS2 directive, there are consequences:
- Compliance: You are required to comply with security measures and reporting requirements. Consider having the proper certifications and reporting serious incidents to the relevant authorities.
- Increased liability: Companies that fail to comply with NIS2 and lose sensitive information as a result may be held liable for the consequences. These include financial losses, reputational damage and legal liability.
- Costs: You will most likely incur additional costs to comply. Consider adapting existing systems and processes, as well as training new people and implementing new tooling and monitoring potential threats.
Reporting those potential threats is a very sweeping measure as far as I'm concerned. Where the first NIS directive required you to report incidents within 24 hours, with NIS2 this also applies to potential threats. This means that your IT department will have to be very active in monitoring and reporting.
To-do list
How you will have to report later is not yet completely determined and Q4 2024 still seems quite far away, but from experience I know that active monitoring will be incredibly time-consuming, let alone the optimal design of your security. The latter you already have in hand now, so don't wait until the end of next year to review your security and your procedures and start reviewing the following aspects:
- Risk analysis: Identify which of your organization's systems and services are most important and therefore at greatest risk in the event of a hack.
- Business continuity: Is there good backup, but also for disaster recovery and crisis management?
- Supply chain security: What potential risks does your organization face through external suppliers and service providers?
- Network and information systems security: How are they set up and how are vulnerabilities handled?
- Incident handling: How are incidents currently handled and possibly registered?
- Effectiveness: How are policies and procedures in place to test cybersecurity effectiveness?
- Training: How well is everyone aware of and complying with computer policies within the organization?
- Cryptography and encryption: What about policies and procedures around the use of cryptography and encryption?
- Physical security: Of personnel, access control policies and asset management.
- Multifactor authentication: Apply it to accounts that can be accessed from the Internet, have management rights and to accounts on critical systems.
As you can see, a lot goes into setting up and adhering to solid security. It involves not only the technology, but also the processes within the company and the people who work there. The above list is going to help you determine what measures you still need to implement or tighten up to be as NIS2-ready as possible.
If you want to know more about this topic or exchange views, feel free to contact me.
Dirk de Goede
Security Solution Specialist Insight
Tel: 06 5775 0705
e-mail: dirk.degoede@insight.com
