article | 24 Mar 2023

Setterwalls’ Tech Regulatory News Series – NIS2

Responsive image

What: The NIS2 (Network and Information Security) is a new EU directive that will replace the NIS directive. The NIS2 will require that more organisations comply with stricter cybersecurity requirements.

Who: The NIS2 will apply to all medium-sized and large organisations operating within the following sectors: healthcare, manufacturing of certain critical products (e.g., pharmaceuticals, medical devices, and chemicals), digital infrastructure, providers of public electronic communications networks or services, transport, postal and courier services, public administration, water supply, wastewater and waste management, energy, digital service providers and digital services (e.g., social networking platforms and data centre services), banking and financial market infrastructure, food and space (e.g., aerospace).

When: EU member states must adopt the NIS2 in national legislation to become effective 18 October 2024,

Key takeaways: The NIS2 includes stricter requirements compared to the first NIS directive for:

  1. Security requirements,
  2. reporting obligations, and
  3. enforcement requirements for a wider scope of organisations.

Actions:

To maintain a high level of security within essential service providers, the NIS2 will require that relevant organisations must comply with strict requirements for:

  • Completing a risk assessment and having sufficient information system security policies in place.
  • Preventing, detecting, and responding to incidents appropriately.
  • Crisis management and operational continuity in the case of a major cyber incident.
  • Ensuring the security of their supply chain, including providers of data processing or storage services.
  • Ensuring the security of their network and information systems, from the acquisition to the development and maintenance stages.
  • Having policies and procedures in place that assess the effectiveness of cybersecurity risk management practices.
  • Using cryptography and encryption.

Enforcement: If an organisation violates the NIS2, it will face fines of 10 million EUR or 2% of the organisation’s gross annual global revenue (the same as a GDPR fine for a less serious violation). Additionally, the leadership of non-compliant organisations can be held personally responsible for the NIS2 breach.

Do a Setterwalls NIS2 Gap Analysis and find out what your organisation needs to do to be compliant.

Contact:

Emily Svedberg-Possfelt, Fredrik Roos

Practice areas:

Activities in the public sector, Banking and finance, Commercial agreements, Compliance & Investigations, EU & Competition law, Infrastructure, IT law and data protection, IT, technology & telecoms, Life Sciences, Transport

  • This field is for validation purposes and should be left unchanged.

Do you want to get in touch with us?

Please fill out the form and we will contact you as soon as possible.

Related news

Setterwalls assisted Thunderful Group in connection with the divestment of its distribution business and with the company’s new financing solution

case | 12 Jul 2024

Setterwalls assisted Thunderful Group in connection with the divestment of its distribution business and with ...

Read more
Setterwalls has advised EQL Pharma in connection with listing on Nasdaq Stockholm

case | 04 Jul 2024

Setterwalls has advised EQL Pharma in connection with listing on Nasdaq Stockholm

Read more
Setterwalls has assisted Lifesum in connection with the acquisition of Lykon

case | 03 Jul 2024

Setterwalls has assisted Lifesum in connection with the acquisition of Lykon

Read more
Load more