NIS2 Compliance

The Clock’s Ticking – Is your Business NIS2 Ready?

Geraldine Strawbridge


The European Commission’s updated Network and Information Security Directive (NIS2) is just days away from taking effect, bringing a major shift in how businesses protect themselves from cyber threats.

With a relentless surge in data breaches and cyber-attacks, cyber security has become a top priority for organisations worldwide. To address these threats, regulators are tightening the rules, and NIS2 is one of the key drivers pushing organisations to strengthen their cyber security defences.

So, with the deadline looming, what does NIS2 mean for your business, and how can you ensure compliance? In this blog post, we’ll break down the key aspects of NIS2, discuss its potential impact on your business, and offer practical tips on how to prepare for its rollout.

What is the NIS2 Directive?

The new NIS2 Directive is a revised EU regulation that all member states and service providers within the EU must comply with by October 17, 2024. Its main goal is to protect critical infrastructure from cyber threats and enhance security across the EU.

NIS2 targets organisations that provide essential services crucial to the functioning of society, such as those impacting economic activities or public health. The directive introduces stricter security requirements, new reporting obligations, and broader enforcement measures compared to the original NIS directive. Essentially, it sets out new security standards for the organisations we depend on the most.

Does NIS2 Affect your Business?

NIS2 affects all entities that provide essential or important services to the European economy and society, including companies and suppliers. It aims to ensure that common cyber security standards are met and key services remain strong and functional in the event of an attack. However, not all industries and sectors will be subject to NIS2 compliance.

NIS2 will impact the following sectors, which have been broken down into Essential and Important:

Key Requirements of NIS2

NIS2 requires organisations to take practical steps to manage risks, prevent security incidents, and minimise their impact. Here are the 10 key areas to focus on:

  1. Risk analysis and system security
  2. Incident handling
  3. Business continuity (backups, disaster recovery, crisis management)
  4. Supply chain security
  5. Secure system development and vulnerability management
  6. Cyber security policies to assess risk management
  7. Basic computer hygiene and staff training
  8. Use of cryptography and encryption
  9. HR security, access control, and asset management
  10. Multi-factor authentication and secured communication methods

New Reporting Requirements

If a security incident occurs, NIS2 requires you to report it to the authorities following these steps:

Within 24 hours: Send an early warning to the CSIRT or national authority, noting if the incident seems malicious or has cross-border effects.

Within 72 hours: Submit an incident notification with your initial assessment, including severity, impact, and any signs of compromise.

Within 1 month: Provide a final report with full details, including the cause, impact, and mitigation steps, especially if there’s cross-border involvement.

What’s at stake if you don’t comply?

Ireland’s National Cyber Security Centre (NCSC) now has the power to impose stricter penalties on public sector organisations that fail to comply with NIS2 regulations. Fines could reach up to €10 million or 2% of global annual revenue for essential entities, or €7 million or 1.4% of global annual revenue for important entities.

Board-Level Accountability

NIS2 shifts the responsibility for cyber security beyond security teams, placing directors firmly in the spotlight. Senior leadership can now be held personally liable for gross negligence in the event of a security breach. In some cases, they may be named and shamed, required to publicly disclose compliance failures, and face bans from leadership roles after repeated violations. The stakes couldn’t be higher.

Preparing for NIS2

To prepare for NIS2, there are a number of steps your business can take.

1. Check if NIS2 applies to you: Review the sectors and size limits for NIS2 to see if your organisation needs to comply.

2. Understand the requirements: Get familiar with NIS2 rules and assess how they impact your current processes. Identify any gaps in risk management, incident reporting, and supply chain security.

3. Conduct a risk assessment: A risk assessment helps identify potential security threats, their likelihood, impact, and how well you’re already managing them.

4. Implement security measures: Put the necessary security measures in place, ensuring you cover all 10 baseline requirements of NIS2. Don’t forget to secure your supply chain and data partners.

5. Train your team: Ensure employees know how to spot and report cyber threats and follow your security procedures.

6. Regular audits and improvements: Set up regular internal and external audits to continually assess and improve your cyber security measures.

Time to Take Action

As the NIS2 deadline inches closer, it’s time to take action. Compliance isn’t just another box to tick; it’s about safeguarding your business and the essential services that people depend on. Ignoring it could lead to hefty fines, reputational damage, and even personal liability for directors. Now’s the time to get your security measures in place, train your team, and stay ahead of potential risks.

Learn more about NIS2

If you’d like to learn more about NIS2 and the implications that non-compliance can have on senior management, join our CPD-accredited webinar on ‘NIS2 – A Regulation Directors can’t Afford to Ignore’, Tuesday, 15th October, 11 am – 12 pm. Our experts will discuss what NIS2 means for your business, the serious risks of non-compliance and practical steps you can take to meet NIS2 standards.

Register Here to secure your spot.