
What is NIS2?
What does the NIS2 Directive say?
Are you NIS2 confused?
Or have you not yet fully understood what it means for your business?
Let us try to explain the new cyber and information security requirements that the experts say you should familiarise yourself with and start preparing now.
What is NIS2?
NIS2 extends the NIS1 cybersecurity requirements and the GDPR from 2016. Your company or organisation is covered by the NIS2 Directive and the upcoming legislation if:
- it falls within one of the 18 sectors covered by NIS2 (NIS1 covered only 6), and
- you employ more than 50 people or have an annual turnover of more than EUR 10 million, or
- your activities, company or organisation:
  - are considered critical or economically important to society
  - involve public safety or public health
  - could, if disrupted, lead to significant systemic risks
  - have critical national or regional importance
  - are public administration
  - are defined as critical entities under the CER Directive.
Who is covered by NIS2?
The 6 sectors covered by NIS1 were:
Energy - Transport - Banking - Digital Infrastructure - Digital Service Providers - Health.
The 12 sectors newly added by NIS2 are:
Manufacturing - Food - Chemicals - Drinking water - Wastewater - Waste management - Post and courier - Research - Public administration - ICT service management - Financial market infrastructures - Space.
For some companies and organisations it is clear that they will be covered by NIS2, while others are unsure if they are. The experts advise that you consult with a lawyer to get clarity on NIS2 and your organisation.
Please note that it is the duty of individual companies and organisations to find out if they are covered by NIS2.

What do you need to fulfil if your company is covered by NIS2?
If your company or organisation is covered by NIS2, it is a good idea to get started now. There is a lot of work ahead, even if you were already covered by NIS1 or are ISO 27001/2 certified.
By October 2024, authorities must be ready to handle the legislation, sanction and issue fines to companies and organisations that do not comply with the legislation.
And what do you have to live up to as a NIS2-covered company or organisation?
Firstly, there are the NIS1 requirements:
- Ensure information security in the company/organisation and continuously carry out comprehensive and up-to-date security assessments. An assessment that is 7 years old is not sufficient.
- Implement security measures targeted at the identified personal data risks (GDPR).
On top of that, NIS2 introduces completely new requirements:
- Assess what risks your failure to deliver poses to society, including the risk that your suppliers fail to deliver to you.
Please note that the legislation only covers your mission-critical activities, processes, people, technologies and suppliers: those that, in the event of a security breach, would affect critical infrastructure, supply chains or other socially important functions.
New security requirements
The new security requirements cover the following new areas:
- Monitoring and incident management
You need to be able to identify and manage security incidents, handle backup and recovery, and have your crisis management plans in place, not just for IT but also for operations.
- Supply chain
Look at your supply chain. Who are your critical suppliers? What happens if their deliveries fail, and how do you help them - and therefore yourself - get back up and running? You probably remember when all trains in Denmark came to a standstill in autumn 2022 when one of DSB's critical suppliers was hacked, preventing DSB from delivering their train services.
- Application security
Purchase, development and maintenance of applications, including patch management. You should identify what vulnerabilities may arise and plan how you will deal with them.
- Basic security measures
Cyber hygiene and training for managers and employees. Personnel security, access control and asset management. Multi-factor authentication, encryption, communication security and emergency communication systems.
Notification requirements
Finally, the new law requires notification. The purpose is to prevent others from being affected by incidents that hit you. The deadlines are:
- Within 24 hours, you must notify the CSIRT that an incident has occurred in your systems
- Within 72 hours, you must submit a notification
- Within 1 month, you must submit a report.
This places extra demands on monitoring, including 24-hour and weekend monitoring, in your companies and organisations.

NIS2 also places new demands on authorities
The new legislation also places demands on authorities, which from October 2024 must:
- Respond within 24 hours to companies' and organisations' notifications of critical security incidents, and offer technical assistance and guidance if required. This also places demands on the authorities' own 24-hour and weekend monitoring and their security competences.
- Reactively, and in some cases proactively, supervise NIS2-covered companies and organisations if they see signs of non-compliance. In addition to orders, warnings, instructions, etc., this new enforcement obligation may mean appointing a person responsible for monitoring, for increased supervision over a fixed period, possibly in the form of a project manager with a permanent position in the company or organisation. It could also mean a requirement to publish parts of the company's or organisation's non-compliance with the legislation.
- Impose sanctions if the above does not have the desired effect. For example, the authorities can temporarily suspend a certification or authorisation that has been granted, or temporarily prohibit natural persons with management responsibilities from managing the company.
The NIS2 Directive introduces new cyber and information security requirements that businesses and organisations must comply with, expanding the NIS1 requirements to cover 18 sectors.
If your company or organisation meets certain criteria, such as number of employees or turnover, societal importance or involvement in critical infrastructure, you should be aware of the NIS2 Directive and prepare well in advance.
The legislation requires you to implement security measures, assess supply failure risks, handle incident management and the supply chain, ensure application security and take basic security measures.
In addition, you need to be able to notify authorities of security incidents within a short period of time.
Understanding the NIS2 directive and its requirements is essential to ensure cybersecurity and protect critical functions. We hope this post can help you on your way.
If you want to read more about the EU directive, see the EU Commission's page here.
See also our previous post on how to build safety boundaries in industrial systems here.
And our NIS2 guide for manufacturing companies.
If you need help, please get in touch with Poul or Søren here.