What does NIS2 mean for your organization?
The European cybersecurity directive NIS2 is the logical successor to the first NIS. The acceleration of digitization and the current threats on the world stage have increased the pressure with regard to cyber threats; people are talking about a ransomware pandemic. The rise in ransomware attacks is therefore a major reason why the European Union has worked to tighten the existing NIS. The security duties under NIS2 are meant to bring about a higher level of security within network and information systems. NIS1 is already fully enforced today. For NIS2 there is still some time: the date on which NIS2 finally takes effect is tentatively set for October 2024.
What does this mean for your organization? What requirements need to be adjusted?
The NIS only dates back to 2016, but, as mentioned, the threats we are currently seeing call for a second, heavier version, which is coming soon. In the Netherlands the NIS is implemented in the Network and Information Systems Security Act (Wbni) and has three pillars as the basis of ICT security:
- Mapping security risks
- Reducing risk through protection and detection
- Mitigating the consequences of cyber incidents
Accountability to the board
NIS2 grants extensive authority in the field of supervision and enforcement. Directors can be held liable and suspended after cyber incidents, and fines are high. This makes cybersecurity no longer just the responsibility of IT administrators, but of the directors themselves. The obligations under NIS2 are threefold; organizations covered by NIS2 must comply by 2024 with:
- Duty of care: conduct a risk assessment and take appropriate measures to protect services and information.
- Duty to report: report incidents to the supervisor and the Computer Security Incident Response Team (CSIRT) within 24 hours.
- Supervision: organizations are monitored for compliance.
NIS2 raises cybersecurity requirements throughout Europe and classifies more and more organizations as “essential entities”. As a result, more and more companies have to meet higher requirements, but they also now receive support from the government when they are hit by cyber incidents. An additional motivation for the EU to introduce NIS2 was that organizations doing business with other EU countries, or operating branches in several countries, faced different rules in each. To ensure a uniform approach, the EU strives to have every member state apply the same law and take a single line.
NIS2 - Essential entities and governance.
The NIS2 directive applies to essential entities, also known as vital sectors, including energy, transportation, banking, financial market infrastructure, healthcare, drinking water and wastewater utilities, digital infrastructure, government services, aerospace, postal and courier services, waste management, chemicals, food production, research, manufacturing and ICT service providers. In addition, NIS2 gives member states the flexibility to also designate other (smaller) organizations with a high security risk profile.
For all of these entities, governance, detection, logging and monitoring are crucial for the effective security and management of systems and data. Awareness of cybersecurity is growing, but many incidents could still be prevented by acting more carefully.
NIS2-CyberSCAN - Advice from our network security experts.
iunxi offers advice and helps you prepare for the new directive. Our network security specialists analyze the current security status of your organization and advise on appropriate measures to comply with the law. Our approach follows the protect, detect, respond and recover framework. Three basic recommendations from our specialists are:
- Know who has access to what within your systems.
- Make regular backups and test that they can be restored.
- Use multi-factor authentication.
Contact Barry
Want to learn more about NIS2 or request a CyberScan for your organization? Contact us directly.