Understanding the newest EU cybersecurity regulations
NIS2 requirements & actionable suggestions for complying with the directive
The Network and Information Security (NIS) directive is an EU cyber security legislation designed to strengthen the security of critical infrastructure sectors. The first directive was introduced back in 2016, and now its second, extended version is on the horizon. So, in this article, we will explore the changes introduced by NIS2 and provide organizations with actionable suggestions for its compliance.
In our interconnected and digitalized world, the need for fortifying cybersecurity becomes a shared responsibility on individual, national, and global levels. Digital systems provide countless opportunities for simplifying our daily routines and tasks. However, this dependency on systems also makes us open and vulnerable to cyber threats, which can potentially compromise private data, organizational information, or even corporate systems at any given moment.
The European Commission introduced the cybersecurity act – the NIS (Network and Information Security) directive – in 2016 to cope with this challenge within the EU. It aimed to provide a high common level of cybersecurity throughout the Member States. With ever-evolving technologies, changes in the geopolitical environment, the shift to remote work in 2019, etc., EU cybersecurity faced new challenges related to more frequent and sophisticated attacks. This highlighted core areas for improvement within the NIS, which were later considered and addressed in the next revised version of the directive, known as NIS2. The new EU cybersecurity act took a course toward hardening more industries and domains against potential cyberattacks.
The legislators introduced the revised version of the directive in 2020, and in January 2023 it came into force. It is to be adopted at the Member States’ level by October 2024, and from then on, each company encompassed by NIS2 will be legally obligated to align with the new cybersecurity regulations.
The difference between NIS and NIS2 lies in the broadened scope of requirements, expanded lists of industries covered, and strict provisions for fines. As such, the NIS2 directive now applies to 15 sectors, including industries that were prioritized by NIS (energy, health, finance, transport, drinking water, digital infrastructure) and newly affected entities (public administration, postal services, space, food, manufacturing, chemicals, research, digital providers, waste management). The new list recognizes that cyber threats now have far-reaching consequences, affecting not only critical infrastructure. Therefore, the directive also strongly focuses on supply chain protection, as attacks on it can impact numerous businesses and consumers.
NIS2 compliance assumes significant organizational and technical adjustments that require time, effort, and resources. So, the newly affected entities should start preparing already to minimize potential risks, enable seamless compliance, and hedge their organizations against emerging threats. Further in the article, we’ll walk you through the core specifics and requirements of the NIS2 in detail.
Europe is a political, economic, and security actor that often becomes a target for malicious attacks. According to Deloitte, the number of cyber-attacks on critical infrastructure in 2020 – 2021 rose by 45% worldwide and by up to 220% across EU Member States. As this indicator may increase further, all businesses must undertake measures against possible cybersecurity incidents. Compliance with NIS2 can not only fortify organizations’ security online but also build a collective defense against emerging threats. Among other things, adhering to NIS2 will help your business with:
NIS2 introduces a revised approach to classifying the industries covered by the directive. Unlike its first version, which affected only the operators of essential services, the new directive includes two categories – essential and important entities. The classification of businesses depends on their industry, staff headcount, and annual turnover. It’s also important to consider whether the organization holds a leading position in its industry or country. However, an entity of any size may still be deemed as essential or important if it is a single provider of a critical service for social or economic activity in a Member State.
The key difference between the essential and important categories lies in the level of supervision. While essential entities are under continuous monitoring to verify their compliance, important ones undergo inspections only in case of security events, data breaches, or losses.
You may check the following scope of entities to determine whether your business falls under the new directive and, if so, under which category in particular:
Essential Entities (EE) | Important Entities (IE)
---|---
Size: medium size companies with over 250 employees, annual turnover of € 50M, or balance sheet of € 43M | Size: small size companies with over 50 employees, annual turnover of € 10M, or balance sheet of € 10M
According to the NIS2 directive, both essential and important entities can be penalized and fined for non-compliance with cyber security laws and regulations. The fines can be up to € 10M or 2% of annual revenue, depending on the severity and impact of the breach or incident.
Additionally, NIS2 emphasized top management accountability for security within their organizations. So, if the management doesn’t take proper measures to protect the company, they can be held personally responsible. They will have to make public announcements about the violation and identify responsible persons along with the nature of the incident. In severe cases, they could be temporarily banned from holding management positions.
By this, NIS2 intends to strengthen cybersecurity practices and information security law, encouraging management to take proactive steps in safeguarding the organization against cyber threats.
NIS2 conveys the minimum requirements needed to bring European companies in line with cybersecurity standards. The Member States have the flexibility to add specifications regarding their particular governance objectives. This means they may provide further details on the information security regulations to clarify the measures that local organizations need to implement. However, the basic recommendations are mandatory across the EU irrespective of the country. Therefore, organizations are now encouraged to start implementing the required cybersecurity measures and best practices as soon as possible. This will allow businesses to lay a robust cybersecurity foundation and enhance it further according to specifications from national legislators.
Starting early allows the newly affected entities to avoid haste when NIS2 comes into force at the national level. Organizations have to work through a particular set of activities to meet the NIS2 cyber regulations, and it makes sense to start with a general assessment of your existing cybersecurity level. This will help you benchmark your current state against the NIS2 requirements and create a step-by-step roadmap toward full compliance. It is also a good idea to prioritize the most extensive areas first, since those will take more time to implement.
In the table below, you will find actionable suggestions on how to get started with NIS2 compliance:
NIS2 Requirements | How to Comply
---|---
Policies on risk analysis & information system incident handling |
Business continuity |
Supply chain security |
Security in network & information systems acquisition, development, and maintenance (incl. vulnerability handling and disclosure) |
Policies & procedures to assess the effectiveness of cybersecurity risk management measures |
Basic cyber hygiene practices & cybersecurity training |
Policies & procedures regarding cryptography and encryption |
Multi-factor authentication or continuous authentication solutions |
Human resources security, access control policies, and asset management |
Sigma Software has extensive expertise in legal regulations and cyber compliance. We support our clients with the implementation of cybersecurity procedures and best practices, safeguarding their adherence to different standards such as ISO 27001. Currently, our experts help organizations take a proactive approach to meeting the NIS2 directive and support them with the following activities:
Don’t hesitate to contact us if you need consultancy or help with preparing for the NIS2 directive adoption. Our cybersecurity experts will safeguard your readiness for cyber legislation.
Sigma Software provides IT services to enterprises, software product houses, and startups. Working since 2002, we have built deep domain knowledge in AdTech, automotive, aviation, the gaming industry, telecom, e-learning, FinTech, and PropTech. We constantly work to enrich our expertise with machine learning, cybersecurity, AR/VR, IoT, and other technologies. Here we share insights into tech news, software engineering tips, business methods, and company life.