What is the NIS2 Directive about?
The NIS2 Directive is the EU’s new cybersecurity directive aimed at improving the level of cybersecurity across the Union. The directive introduces requirements such as developing a cybersecurity management model, conducting regular risk assessments, and enhancing technical security, which apply to a broader range of sectors than before.
Scope of the NIS2 Directive – Who does it affect?
The directive applies to a wide range of societally critical sectors, including healthcare, water supply, and digital infrastructure. NIS2 targets large and medium-sized entities with a turnover exceeding 50 million euros or more than 250 employees. Smaller organisations might face requirements indirectly through their larger partners.
What kind of cybersecurity requirements does the directive set?
NIS2 imposes obligations related to cybersecurity risk management, reporting duties, and the development of management systems. Organisations must create effective models for risk assessment, strengthen their cybersecurity policies, and ensure that cybersecurity issues are on the management’s agenda. Additionally, the directive tightens the requirements for reporting security incidents, shortening the reporting time to 24 hours.
How do the new cybersecurity requirements compare to ISO 27001 requirements?
ISO 27001 is an international standard for information security management systems covering a wide range of security practices. While NIS2 introduces some specifics, such as stricter incident reporting requirements, organisations with ISO 27001 certification are already well-prepared to meet NIS2 requirements. Many of ISO 27001’s requirements, like risk management processes and administrative measures, are compatible with or even exceed those set by NIS2.
What are the responsibilities of the management?
The organisation’s management is responsible for planning and implementing risk management measures and developing cybersecurity policies. Management is also personally accountable for adhering to cybersecurity protocols, including proper reporting of security breaches.
How to develop NIS2 readiness?
Organisations can develop NIS2 readiness by conducting a current state assessment and creating development plans that meet the directive’s requirements. Assessment areas include technical safeguards, policies and procedures, cybersecurity training for staff, physical security, and third-party risk management. Not only is it crucial that all areas meet the minimum standards set by the directive, but that they are also regularly updated. Utilising various automation tools and resources can help meet NIS2 requirements.
The application of the NIS2 directive begins on 18th October 2024, so organisations should start preparing well in advance to meet all requirements by the deadline.
Would you like to assess your organisation’s current cybersecurity status, create an action plan, and demonstrate compliance with the NIS2 directive?
With the NIS2 Cybersecurity Requirements Tool, you’ll be able to ensure that your organisation not only meets the latest requirements but also elevates its security practices to a new level, protecting valuable information assets and ensuring business continuity.
Learn more about the tool here!