In an increasingly interconnected world where digital technologies drive innovation and transform industries, ensuring the security and resilience of critical information systems is vital. More and more services are playing a critical role in safeguarding our society and economy. Acknowledging the evolving cyber threat landscape, governments worldwide have been proactively implementing legislation aimed at safeguarding their digital infrastructure. One noteworthy advancement in this area is the introduction of NIS2. In this blog post, our goal is to provide you with information about NIS2, why it is being implemented, its scope of application, and its intended objectives.
NIS stands for ‘Network Information System’ and refers to the NIS Directive created in 2016. This NIS Directive was the first EU-wide legislative framework on cyber security. After the establishment of this framework, member states had until 2018 to incorporate these regulations into their national legislation.
The NIS Directive requires member states to develop national cyber security strategies and cooperate across borders. The organizations that had to comply with this legislation consisted of two groups:
1. Operators of essential services in the following industries:
   - Financial sector (financial markets)
2. Relevant digital services providers:
   - Online search engines
   - Cloud computing services
So what exactly did this mean for the organizations involved? These entities were required to adopt minimum security measures and report significant incidents. However, the rules were rather vague and lacked sufficient details.
After studying the NIS Directive, the European Commission concluded that:
- Implementing the NIS proved to be difficult, resulting in fragmentation.
- The scope of the Directive was too limited.
- There was a lack of clarity on the scope and competencies of the organizations.
In light of these conclusions and the growing number of cyber attacks, the Commission submitted a proposal to replace the NIS Directive with NIS2.
NIS2 is a revision and expansion of the 2016 European Directive regarding cyber security. European countries had adopted the new NIS2 Directive by the end of 2022, but they have until October 17, 2024, to translate the Directive into national legislation. Until this legislation is finalized, the rules of NIS still apply.
Now, what distinguishes NIS and NIS2? NIS2 contains additional regulations and has a wider scope. It introduces heightened supervisory measures and more strict enforcement requirements. Consequently, cyber security is no longer a choice but an obligation for numerous companies. Through NIS2, the government seeks to cultivate a more resilient and secure digital ecosystem. But how is this executed in practice? The companies subjected to these regulations are mandated to:
- develop a cyber security plan, which includes:
  - a risk analysis;
  - an incident-handling procedure;
  - a business continuity plan;
  - staff training and staff awareness;
  - supply chain security.
- continuously test the plan.
- report within 24 hours when they are victimized.
The same companies that were covered by NIS regulations are also within the scope of NIS2, with an additional extension. NIS2 divides companies into two categories: essential and important companies. The difference between them lies in the supervisory measures as well as the sanctions.
A list of the essential sectors includes:
- financial market infrastructure
- healthcare providers (not only hospitals but also pharmacists, laboratories, etc.)
- ICT service management
- public administration entities (central governments or regional governments)
A list of the important sectors includes:
- postal and courier services
- chemicals (manufacture, production, distribution)
- food (production, processing, and distribution)
The digital landscape is constantly evolving, with cyber threats becoming more sophisticated and pervasive. NIS2 is a response to these escalating challenges posed by cyber-attacks, aiming to strengthen the resilience of critical systems and ensure a proactive approach to cyber security.
Moreover, NIS2 strives to tackle the fragmentation of cyber security regulations among EU Member States. By instituting a unified framework, it promotes uniformity in security protocols, incident reporting, and collaboration between member states. NIS2 also recognizes the significance of critical infrastructure: by enforcing strict security requirements, it aims to shield these vital systems from potential cyber threats and disruptions.
NIS2 mandates that each state establish a central point of contact for monitoring compliance. Additionally, it requires a coordinating Computer Security Incident Response Team (CSIRT), primed to respond immediately upon receipt of a report. Consequently, companies are obliged to adhere to the following reporting obligations in the event of an incident:
- Within 24 hours, an early warning should be communicated to the CSIRT.
- A full notification report is required after 72 hours.
- A final report needs to be submitted after 1 month.
In conclusion, NIS2 is a game-changer in strengthening cyber security for the digital era. For a more profound exploration of this critical topic, we invite you to our exclusive event dedicated to NIS2 on October 12th. Our panel of experts will provide valuable insights and a comprehensive understanding of the new regulations, covering all the essential details.
From unraveling the extended scope of NIS2 to exploring the specific compliance requisites, this event will equip you with indispensable resources for navigating the evolving landscape of cyber threats. Don’t miss this opportunity to elevate your cyber security readiness. Mark your calendars for October 12th and join us for an enlightening session that will empower you to effectively safeguard your organization’s digital infrastructure.
See you there!