The NIS2 Directive or Network and Information Security Directive is an EU-wide cybersecurity legislation that will enter into force in national law by October 17th, 2024. Read this blog for a summary of everything you need to know about the NIS2 Directive. If the list seems challenging and long, don’t worry – our experts at Huld will help you meet the requirements!
The Directive aims to achieve uniform and effective cybersecurity across the EU. Its implementation in organizations is effectively enforced, for example through significant sanctions. The NIS2 Directive requires companies to take operational, organizational and technological measures to improve cyber security. As a concrete example, reporting is bound by specific requirements in the event of, for example, operational disruptions or near misses.
Under the Directive, the company’s top management is responsible for implementing and monitoring the operator’s cybersecurity risk management for communication networks and information systems. In practice, this means the ultimate responsibility to organize and resource risk management appropriately, and to oversee its operation.
The biggest change in the new NIS2 Directive compared to its predecessor is that it will apply to an increasing number of organizations, such as manufacturers of electronic equipment.
The requirements and minimum measures set out in the Directive are also broader than in the previous legislation. For example, NIS2 places particular emphasis on risk management measures and adds new requirements such as physical security reporting.
The main changes:
The NIS2 Directive obligations apply to medium-sized (50+ employees or annual turnover and balance sheet total exceeds €10 million) and large companies (250+ employees or annual turnover exceeds €50 million and balance sheet total exceeds €43 million) operating in sectors classified as highly critical and other critical sectors. In addition, the Directive applies to all nationally designated critical operators, irrespective of their size.
The operators are divided into key and important operators.
Under the NIS2 Directive, key actors are subject to active (ex-ante) control, while important actors are subject to passive (ex post) control. The authorities hold the right to carry out audits of the actor and data, without prejudice to confidentiality provisions and other restrictions on disclosure, or to require the actor to carry out a security audit of its cybersecurity risk management.
Companies that fail to comply with the Directive and remedy their shortcomings within the deadline will face sanctions that could have a significant negative impact on their business.
Tips from Huld’s Cybersecurity Expert:
The Directive has been in consultation from 3.10. to 29.11.2023. The review of the feedback and further preparation will start in November 2023. After that, a government proposal on the Directive will be submitted to Parliament in spring-winter 2024. The NIS2 Directive is due to become part of national legislation by October 17th, 2024, and the implementation of regulations will start on October 18th, 2024.
Our cybersecurity experts can help you secure your business and meet the requirements of the NIS2 Directive. Our experts are ISO27001 certified and have extensive experience in multidisciplinary security management, governance and risk assessment methodologies.
Director, Digital Security & Functional Safety
+358 44 562 5222