article / 24 Mar 2023
Setterwalls’ Tech Regulatory News Series – NIS2
What: The NIS2 (Network and Information Security) is a new EU directive that will replace the NIS directive. The NIS2 will require that more organisations comply with stricter cybersecurity requirements.
Who: The NIS2 will apply to all medium-sized and large organisations operating within the following sectors: healthcare, manufacturing of certain critical products (e.g., pharmaceuticals, medical devices, and chemicals), digital infrastructure, providers of public electronic communications networks or services, transport, postal and courier services, public administration, water supply, wastewater and waste management, energy, digital service providers and digital services (e.g., social networking platforms and data centre services), banking and financial market infrastructure, food and space (e.g., aerospace).
When: EU member states must adopt the NIS2 in national legislation to become effective 18 October 2024.
Key takeaways: The NIS2 includes stricter requirements compared to the first NIS directive for:
- security requirements,
- reporting obligations, and
- enforcement requirements for a wider scope of organisations.
To maintain a high level of security within essential service providers, the NIS2 will require relevant organisations to comply with strict requirements for:
- Completing a risk assessment and having sufficient information system security policies in place.
- Preventing, detecting, and responding to incidents appropriately.
- Crisis management and operational continuity in the case of a major cyber incident.
- Ensuring the security of their supply chain, including providers of data processing or storage services.
- Ensuring the security of their network and information systems, from the acquisition to the development and maintenance stages.
- Having policies and procedures in place that assess the effectiveness of cybersecurity risk management practices.
- Using cryptography and encryption.
Enforcement: If an organisation violates the NIS2, it will face fines of 10 million EUR or 2% of the organisation’s gross annual global revenue (the same as a GDPR fine for a less serious violation). Additionally, the leadership of non-compliant organisations can be held personally responsible for the NIS2 breach.
Do a Setterwalls NIS2 Gap Analysis and find out what your organisation needs to do to be compliant.