Are you ready for NIS2 and how the directive affects business


The main objective of the NIS2 Directive is to increase the level of cyber resilience across the European Union by requiring all entities that provide critical services to the economy and society at large to take appropriate cyber security measures. It sets out requirements for cyber security in networks and information systems, covering private and public providers of vital services – the so-called operators of essential services. The basis of NIS2 is the growing threat to all types of organisations – not least from third parties.

NIS2 will apply from 18 October 2024. 

What do you need to do to ensure compliance with NIS2?

Under NIS2, organisations must take appropriate and proportionate risk management actions to prevent security incidents and minimise their impact.

The directive provides a list of 10 key measures that all organisations must take to ensure NIS2 compliance:

  • Risk analysis and information systems security policies;
  • Incident handling;
  • Business continuity, such as backup and disaster recovery management and crisis management;
  • Supply chain security, including security aspects relating to the relationship between each entity and its direct suppliers or service providers;
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;
  • Policies and procedures for evaluating the effectiveness of cybersecurity risk management measures;
  • Basic cyber hygiene practices and cybersecurity training;
  • Policies and procedures on the use of cryptography and, where appropriate, encryption;
  • Human resources security, access control and asset management policies;
  • The use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure enterprise emergency communications systems – where appropriate.

What does this mean for you? A few practical steps

Next, determine what the internal and external risks are – every business has its own unique challenges. Understand what threats could affect your industry and your particular enterprise.

The next step is to update cybersecurity policies and procedures to meet NIS2 requirements. But documenting compliance alone won’t help if you don’t have well-trained staff. In addition to employees, we encourage you to invest in training at the management levels so they understand the importance of the issue. There are appropriate training courses that simulate a cyber incident in a controlled environment and test how your policies work, what the damage to your organization would be, and how quickly you could restore normal business processes after the incident.

After staff training, it’s time to invest in advanced cyber security solutions to ensure you’re protected from the latest threats. Ensure constant surveillance with monitoring systems that watch your networks 24/7.

At the same time, companies should develop an incident response plan in the event of a cyberattack, including data recovery and customer communication.

Penalties for failure to comply with cybersecurity reporting and/or risk management measures are up to €10 million or 2 percent of an enterprise’s total worldwide turnover for major organizations, and 1.4 percent of global annual revenue (minimum €7 million) for important organizations.

What can Cyberone do for you?

  • Let’s comment on the questionnaire together and identify where we can help you;
  • Advise on identified non-compliance with the directive and assist in building and implementing the necessary compliance protection mechanisms;
  • Training sessions aimed at familiarising staff with NIS2 and the basic requirements and rules for maintaining good cyber hygiene in the organisation;
  • Implementation of appropriate cyber security solutions.

Contact us for a free consultation from CYBERONE