It’s no news that the amount of cybercrime has been significantly increasing all over the world – specifically in Europe. That’s why the Network and Information Systems (NIS) Directive was published, back in July 2016, paving the way to improve the overall level of cybersecurity in the European Union (EU).
Building on that first ever EU-wide legislation on cybersecurity, NIS 2 came into force in December 2022 to strengthen cybersecurity within the EU, bringing forward a comprehensive set of measures whose adoption by EU member states is mandatory by 17th October 2024.
To ensure compliance and avoid unnecessary fines, now is the time for organisations to prepare themselves for the NIS 2 measures. Here’s everything they need to know.
What is the NIS 2 Directive?
It’s the most comprehensive EU cybersecurity legislation to this day. It aims to establish guidelines for organisations that provide essential and important services, so they know how to respond in the event of a cyber threat. It also intends to improve collaboration between EU member states when it comes to cybersecurity matters.
Under the NIS 2 Directive, organisations should implement, at least, the following measures:
- Policies on risk analysis and information system security.
- Incident handling.
- Business continuity.
- Supply chain security.
- Basic cyber hygiene practices and cybersecurity training.
- Procedures regarding the use of cryptography and encryption.
- Human resources security, access control policies and asset management.
- Use of Multi-Factor Authentication (MFA), continuous authentication solutions and secure communication systems, among others.
Which sectors are impacted?
Approximately 160,000 companies across 18 sectors will have to comply with the NIS 2 Directive – basically, all medium or large businesses with 50 or more employees or over €10 million in turnover. However, some smaller organisations can be included as well, regardless of their size, if they are identified by Member States as key players in our society.
Those 18 sectors are divided into two categories: essential entities and important entities.
Entities in both categories will have to comply, but the difference is in how strictly they are supervised, and in the penalties for non-compliance:
- Essential entities can expect fines of up to €10 million or at least 2% of the total annual worldwide turnover.
- Important entities can expect fines of up to €7 million or at least 1.4% of the total annual worldwide turnover.
Next steps and NIS 2 deadlines
In order to prepare for the NIS 2 Directive, member states and businesses should be aware of what will happen and when. These are some of the most important dates to keep in mind:
- By 17th October 2024
Member states must adopt the necessary measures to comply with the NIS 2 Directive. Those measures should be applied from 18th October 2024.
- On 17th January 2025
The NIS Cooperation Group shall establish a peer review methodology to learn from shared experiences, build mutual trust, improve cybersecurity, and enhance Member States' capabilities and policies for this Directive.
- By 17th April 2025
Member states shall establish a list of essential and important entities. This list should be updated on a regular basis.
- By 17th October 2027
The European Commission shall review the functioning of the NIS 2 Directive and report to the European Parliament and to the Council. This review must be repeated every 36 months thereafter.
How can companies prepare for NIS 2?
Given the 17th October 2024 deadline, it is advisable to act now. There may be bumps in the road, so planning ahead will keep you on the right track.
Although the ISO 27001 certification provides a strong foundation for managing security risks, meeting NIS 2 requirements will vary based on national legislation. Organisations with the ISO 27001 certification might be closer to compliance with NIS 2 – as well as those already compliant with the NIS 1 measures – but should remain attentive to the evolving national requirements to ensure full alignment.
Alter Solutions can help identify your company’s critical services and processes, ensuring proper implementation of all the NIS 2 measures. How?
- Assess and diagnose
We start by identifying your company’s essential services and processes, to understand how the NIS 2 Directive will impact them. We provide a full report and define a roadmap with specific measures to ensure NIS 2 compliance.
- Implement necessary measures
We can help you define risk management policies, a business continuity plan, secure communication channels and cybersecurity training, among other things that may need to be addressed. We initiate implementation, taking your company’s specific security level into account.
- Monitor regularly
At this point, your company is already NIS 2 compliant. Nonetheless, it is important to regularly check the effectiveness of all the implemented measures and to adjust accordingly. This is an ongoing task for which we provide all the support you need.
Learn more about the legal implications of the NIS 2 Directive in this article.