Are You Prepared for the EU’s Updated NIS2 Cybersecurity Directive?

Compliance Deadline: October 17, 2024

The European Union's updated Network and Information Systems Directive, Directive (EU) 2022/2555 (commonly known as NIS2), must be transposed into national law by each Member State by 17 October 2024, and its obligations apply from 18 October 2024. The directive aims to raise the common level of cybersecurity and protect critical infrastructure across all Member States. Because NIS2 is a directive rather than a regulation, the binding obligations, supervisory authorities and any sector-specific detail come from each Member State's transposing law, so the exact wording and timing vary by country. With the deadline approaching, it is crucial for organisations operating within the EU to understand the new requirements, confirm whether and in which category they fall within scope, and ensure they are fully compliant.

What is NIS2?

NIS2 is the successor to the original NIS Directive, introduced to address the evolving landscape of cyber threats. It expands the scope of cybersecurity obligations, reflecting the increased dependency on digital systems and the rising sophistication of cyber-attacks. The directive emphasises the importance of robust cybersecurity practices to safeguard essential services and critical infrastructure.

Who Needs to Be Concerned?

The NIS2 Directive applies to a broader range of sectors than its predecessor. Its starting point is the very broad term "entity", defined in the directive as "a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations". The term therefore covers both businesses and public administration bodies.

The NIS2 Directive then specifies two categories of affected subjects:

  • Essential Entities: Mainly large organisations operating in the sectors of high criticality listed in Annex I, such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration and space. Certain types of entity are essential regardless of size, for example DNS service providers, top-level domain name registries, qualified trust service providers and central government public administration bodies.
  • Important Entities: Medium-sized organisations in the Annex I sectors above, and medium-sized or large organisations in the other critical sectors of Annex II, such as postal and courier services, waste management, chemicals, food production, processing and distribution, manufacturing (medical devices, computers and electronics, machinery and equipment, motor vehicles and other transport equipment), digital providers and research organisations.

In general, medium-sized and large organisations in these sectors are in scope, while small and micro enterprises fall outside the directive's size cap unless one of its exceptions applies (for example DNS service providers, top-level domain name registries, trust service providers, or providers of public electronic communications networks, which are in scope regardless of size). Managed service providers and managed security service providers are themselves in scope as part of the ICT service management sector. Other third-party vendors are not directly regulated, but in-scope entities must manage supply chain risk, so they will typically pass security requirements down to their suppliers by contract.

Key Requirements of NIS2

1. Enhanced Risk Management

Organisations must adopt comprehensive risk management practices that cover:

  • Technical Measures: Implementing state-of-the-art security solutions to prevent, detect and respond to cyber threats.
  • Organisational Measures: Establishing clear policies and procedures for cybersecurity governance.
  • Supply Chain Security: Assessing and managing risks associated with direct suppliers and service providers.

The directive itself (Article 21) sets out a minimum list of measures that these categories must cover: risk analysis and information system security policies; incident handling; business continuity, including backups, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene practices and training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication and secured communications. Measures must be proportionate to the entity's exposure, size and the likely impact of an incident.

2. Incident Reporting Obligations

In the event of a significant cyber incident, organisations are required to:

  • Early Warning: Notify the competent authority or CSIRT within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident Notification: Within 72 hours of becoming aware, submit a notification that updates the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise.
  • Intermediate and Final Reports: Provide intermediate status updates if the authority requests them, and submit a final report no later than one month after the incident notification, covering the incident's root cause, its impact, the mitigation measures applied and any cross-border effects. Where the incident is still ongoing at that point, a progress report is due instead, with the final report one month after the incident has been handled.

3. Governance and Accountability

Management bodies are held directly accountable for compliance: they must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements. Responsibilities include:

  • Strategic Oversight: Ensuring cybersecurity is integrated into business strategy and risk governance.
  • Training: Members of the management body must themselves follow cybersecurity training, and the entity is expected to offer similar training to employees on a regular basis.
  • Policy Enforcement: Implementing and enforcing internal policies aligned with NIS2 requirements.

4. DNS Security

The directive lists DNS service providers and top-level domain name registries among the digital infrastructure entities in scope, regardless of their size, and requires the general risk-management measures above to be applied to that infrastructure. Although NIS2 does not prescribe specific DNS controls, organisations that operate or depend on DNS should:

  • Protect DNS Integrity: Implement measures such as DNSSEC validation to prevent cache poisoning and spoofing of DNS answers.
  • Ensure Service Availability: Maintain resilient, redundant resolver and authoritative infrastructure to prevent service disruptions.
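To make the integrity bullet concrete, the fragment below is a recursive-resolver configuration added here as an example; it is not from the original article, and NIS2 itself does not mandate any particular product or setting. It assumes Unbound as the resolver, a managed root trust anchor stored at /var/lib/unbound/root.key (the path is distribution-specific) and an internal client range of 10.0.0.0/8. The commented-out lines show the weak settings for contrast; the active lines are the hardened ones.

```conf
# Added example, not from the original page: hardening an Unbound recursive
# resolver against cache poisoning and spoofing. Paths and networks are assumptions.
server:
    # --- Weak settings (kept commented out, shown only for contrast) ---
    # val-permissive-mode: yes         # passes on answers that fail DNSSEC validation
    # harden-dnssec-stripped: no       # accepts unsigned answers from zones that are signed
    # access-control: 0.0.0.0/0 allow  # open resolver, usable for reflection/amplification

    # --- Hardened settings ---
    # Enable DNSSEC validation with an RFC 5011 managed root trust anchor (assumed path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no            # answers that fail validation are refused (SERVFAIL)
    harden-dnssec-stripped: yes        # reject answers whose DNSSEC records were removed
    harden-glue: yes                   # only trust glue records that belong to the delegating zone
    harden-referral-path: yes          # validate the delegation chain itself, not just the final answer
    use-caps-for-id: yes               # 0x20 query-name case randomisation against forged replies
    qname-minimisation: yes            # send each upstream server only the labels it needs

    # Availability: answer only internal clients (assumed range), never the open internet
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Keep serving cached answers for up to a day if authoritative servers become unreachable
    serve-expired: yes
    serve-expired-ttl: 86400
```

After reloading the service, `unbound-host -C /etc/unbound/unbound.conf -v <signed-domain>` should report the answer for a correctly signed zone as (secure), and a zone published with a deliberately broken signature must come back as BOGUS rather than as a normal answer; with `dig`, the `ad` flag in the response header shows that the resolver validated the data. The trade-off to record in the risk assessment is that strict validation turns a misconfigured upstream zone into a resolution failure for your users, which is exactly the failure mode the availability bullet asks you to plan for.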

Penalties for Non-Compliance

Failure to comply with NIS2 can result in severe penalties:

  • For Essential Entities: Fines up to €10 million or 2% of the total worldwide annual turnover for the preceding financial year, whichever is higher.
  • For Important Entities: Fines up to €7 million or 1.4% of the total worldwide annual turnover for the preceding financial year, whichever is higher.

Fines are not the only enforcement tool: for essential entities, competent authorities may also temporarily suspend certifications or authorisations and temporarily prohibit individuals with management responsibilities from exercising managerial functions until the infringement is remedied. These sanctions underscore the importance of taking proactive steps toward compliance.

How 360 Business Law Can Assist

Navigating the complexities of NIS2 compliance can be challenging. 360 Business Law is here to help your organisation understand and meet these new regulatory requirements efficiently and effectively.

Our Services Include:

  • Compliance Audits: Evaluating your current cybersecurity posture against NIS2 standards.
  • Policy Development: Assisting in the creation and implementation of robust cybersecurity policies and procedures.
  • Training Programs: Providing tailored training sessions for your management team and staff to enhance cybersecurity awareness.
  • Incident Response Planning: Helping develop comprehensive plans to detect, report, and respond to cyber incidents.
  • Supply Chain Risk Management: Advising on best practices for assessing and managing third-party risks.

Meet Our Expert: Federico Regaldo

Federico Regaldo, based in Brussels, is our leading EU cybersecurity and compliance expert and brings a wealth of experience in guiding organisations through complex regulatory landscapes. Federico helps businesses achieve compliance and strengthen their overall cybersecurity framework.

Get Started Today

With the compliance deadline on the horizon, there is no time to delay. Early action not only ensures adherence to legal obligations but also enhances your organisation's resilience against cyber threats.

Speak to an Expert

Contact 360 Business Law to discuss how we can support your journey toward NIS2 compliance.

Your business’s security is our priority. Let 360 Business Law provide the expertise you need to navigate NIS2 with confidence.
