
What is NIS2?
What does the NIS2 Directive say?
Are you confused about NIS2?
Or are you still unsure what this means for your business?
Let's try to explain the new cyber and information security requirements that, according to the experts, you should familiarize yourself with and start preparing for right now.
What is NIS2?
NIS2 is an extension of the NIS1 requirements on cybersecurity and GDPR from 2016, and your company or organization is covered by the NIS2 directive and the upcoming legislation if:
- It belongs to the 18 sectors covered by NIS2 (NIS1 covered only 6), and
- You employ more than 50 people or have an annual turnover of more than EUR 10 million, or
- Your activities, business, or organization:
  - are considered critical to society or the economy
  - relate to public safety or public health
  - could entail significant systemic risks if disrupted
  - are of critical national or regional importance
  - are public administration
  - are defined as CER-critical entities.
Who is covered by NIS2?
The six sectors covered by NIS1 were:
Energy – Transportation – Banking – Digital Infrastructure – Digital Service Providers – Healthcare.
The 12 new sectors added to NIS2 are:
Manufacturing companies – Food – Chemicals – Drinking water – Wastewater – Waste management – Postal and courier services – Research – Public administration – ICT service management – Financial market infrastructures – Space.
For some companies and organizations, it is clear that they will be covered by NIS2, while others are unsure whether they will be. In this case, experts advise that you consult a lawyer to clarify NIS2 and its implications for your company.
Please note that it is the responsibility of individual companies and organizations to determine whether they are covered by NIS2.

What do you need to comply with if your company is covered by NIS2?
If your company or organization is covered by NIS2, it is a good idea to get started now. There is a lot of work ahead, even if you have been covered by NIS1 or are ISO27001/2 certified.
By October 2024, the authorities must be ready to enforce the legislation, impose sanctions, and issue fines to companies and organizations that do not comply with the legislation.
So what are the requirements that companies or organizations covered by NIS2 must meet?
Firstly, there are the NIS1 requirements:
- Ensure information security within the company/organization and continuously carry out comprehensive and up-to-date security assessments. A 7-year-old assessment is not sufficient.
- Implement security measures targeted at the identified personal data risks (GDPR).
In addition, NIS2 introduces entirely new requirements:
- Assess the risks posed by any failure on your part to supply the community, including risks associated with any failure on the part of your suppliers to supply you.
Please note that the legislation only covers your business-critical activities, processes, people, technologies, and suppliers. These are activities that, in the event of a security breach, would affect critical infrastructure, supply chains, or other functions that are vital to society.
New security requirements
The new security requirements cover the following new areas:
- Monitoring and incident management
You must be able to handle and identify security incidents, have control over backup management and restoration, and have your crisis management plans in place – not only in terms of IT, but also in purely operational terms.
- Supply chain
Consider your supply chain. Who are your critical suppliers? What happens if their deliveries fail, and how do you help them—and thus yourselves—get back up and running? You probably remember when all trains in Denmark came to a standstill in the fall of 2022 when one of DSB's critical suppliers was hacked, preventing DSB from providing its train services.
- Application security
Purchase, development, and maintenance of applications—including patch management. You should identify potential vulnerabilities and plan how you will address them.
- Basic security measures
Cyber hygiene and training for managers and employees. Personnel security, access control, and asset management. Multi-factor authentication, encryption, secure communications, and emergency communications systems.
Requirement to notify
Finally, the new law imposes a notification requirement. The purpose is to prevent others from being affected by incidents that affect you. The requirement is met in three stages:
- You must notify CSIRT within 24 hours that an incident has occurred in your systems.
- You must submit a notification within 72 hours.
- You must submit a report within one month.
This places additional demands on monitoring – including round-the-clock and weekend monitoring – in your companies and organizations.

NIS2 also places new demands on the authorities
The new legislation also imposes requirements on the authorities, which from October 2024 must:
- Respond within 24 hours to notifications from companies and organizations about critical security incidents that have occurred – and offer technical assistance and guidance if requested. This also places demands on the authorities in terms of round-the-clock and weekend monitoring, as well as their security competencies.
- Conduct reactive—and in some cases proactive—supervision of NIS2-covered companies and organizations if they see signs of non-compliance with the legislation. In addition to orders, warnings, instructions, etc., this new enforcement obligation may mean the appointment of a monitoring officer for increased supervision for a fixed period and, if necessary, in the form of a project manager with a permanent position in the company or organization. Or it may result in a requirement to publish details of the company's or organization's non-compliance with the legislation.
- Impose sanctions if the above measures do not have the desired effect. For example, the authorities may temporarily suspend an application for certification or approval, or temporarily prohibit individuals with executive responsibilities from managing the company.
The NIS2 Directive introduces new cyber and information security requirements that companies and organizations must comply with, expands the NIS1 requirements, and now covers 18 sectors.
If your company or organization meets certain criteria, such as number of employees or turnover, societal importance, or involvement in critical infrastructure, you should be aware of the NIS2 Directive and prepare well in advance.
The legislation requires you to implement security measures, assess the risks of supply failures, manage incident handling and the supply chain, ensure application security, and take basic security measures.
In addition, you must be able to notify the authorities of security incidents within a short period of time.
It is important to understand the NIS2 Directive and its requirements in order to ensure cybersecurity and protect critical societal functions. We hope this post will help you on your way.
If you would like to read more about the EU directive, see the European Commission's website here.
See also our previous post on how to build safety barriers in industrial systems here.
And our NIS2 guide for manufacturing companies.
If you need help, please contact Poul or Søren here.