Get ready for NIS2

The NIS2 Directive, an update of the previous NIS Directive, aims to strengthen cyber and information security within the EU. The new directive imposes stricter requirements on organizations, especially those operating in critical sectors, to protect their networks and information systems against cyber threats. In this article, we answer the most common questions about NIS2.
What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive of 2016, which was introduced to improve the security of network and information systems within the EU. NIS2 tightens the security and incident-reporting requirements, extends them to more sectors, and makes the management of covered organizations directly responsible for compliance. The primary goal is to counter and manage cyber threats against critical infrastructure, but the directive is also a sound framework for companies that are not formally covered by it.
Which sectors are covered by NIS2?
The NIS2 Directive covers more sectors than its predecessor. Covered organizations are classified as either essential or important entities, which determines the level of supervision and the size of possible fines. The sectors now included in NIS2 are:
- Energy: Electricity, district heating and cooling, oil, gas, and hydrogen.
- Transport: Aviation, railway, maritime, and road transport.
- Banking: Credit institutions.
- Financial market infrastructures: Trading venues and central counterparties.
- Health: Healthcare providers, EU reference laboratories, and manufacturers of pharmaceuticals and medical devices.
- Drinking water: Production, distribution, and treatment of drinking water.
- Waste water management: The collection and treatment of sewage water.
- Digital infrastructure: Cloud services, data center services, content delivery networks, DNS service providers, top-level domain registries, trust service providers, and public electronic communications networks and services.
- ICT service management (business-to-business): Managed service providers and managed security service providers.
- Public administration: Authorities and public services at national and regional level.
- Space: Operators of ground-based infrastructure, owned and managed by member states or private entities, that support the delivery of space-based services.
- Postal and courier services: Collection, sorting, transport, and delivery of mail.
- Waste management: Collection, treatment, and disposal of waste, where this is the organization's main activity.
- Chemicals: Manufacture, production, and distribution of chemicals.
- Food: Production, processing, and wholesale distribution of food.
- Manufacturing: Medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles, and other transport equipment.
- Digital providers: Providers of online marketplaces, search engines, and social networking platforms.
- Research: Research organizations.
In general, an organization in one of these sectors is covered if it is a medium-sized enterprise or larger (at least 50 employees or more than EUR 10 million in annual turnover), although some types of providers, such as DNS and trust service providers, are covered regardless of size.
What requirements are imposed on organizations according to NIS2?
Covered organizations must take appropriate and proportionate technical, operational, and organizational measures to manage the risks to their networks and information systems. The directive lists a minimum set of measures, including policies for risk analysis and information system security, incident handling, business continuity (backups, disaster recovery, and crisis management), supply chain security, security in the acquisition, development, and maintenance of systems (including vulnerability handling and disclosure), procedures to assess the effectiveness of the measures, cyber hygiene practices and security training, policies on the use of cryptography and encryption, human resources security, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate. Significant incidents must be reported to the national authority or CSIRT in stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. The directive does not mandate any particular standard, but it states that these measures should take European and international standards, such as ISO/IEC 27001, into account. It also requires the management bodies of these organizations to approve the measures, oversee their implementation, and undergo security training themselves; management can be held personally liable for breaches of these obligations.
When does NIS2 come into effect?
The directive entered into force on January 16, 2023, and member states were required to transpose it into national law and apply it from October 18, 2024. The exact date on which the requirements apply to a given organization is therefore set by the national law of each member state; according to the latest information, the national legislation relevant to this article is expected to apply from January 1, 2025. All concerned organizations should be ready to comply with the new requirements from the date that applies to them.
How can small and medium-sized enterprises (SMEs) prepare for NIS2?
Micro and small enterprises are generally outside the scope of NIS2, but medium-sized enterprises in the listed sectors are covered, and smaller companies are often affected indirectly through the supply chain requirements of their larger customers. For these companies it can be a challenge to adapt to and meet the requirements of the NIS2 Directive. Here are some steps to help you prepare:
1. Risk Assessment
First, conduct a comprehensive risk assessment to identify and understand the security risks to your networks and information systems, both internal and external. The result should be documented, since the directive requires management to approve the measures that follow from it.
2. Update or implement security policies
Based on the risk assessment, develop new security policies and processes or update the existing ones. Policies should be tailored to the company's specific needs and risks.
3. Security Measures and Technology
Implement measures in your processes and technology to protect against the identified risks. Depending on how critical your systems are, you may need a response team that continuously monitors your IT environment, or simpler monitoring services may suffice. Also review technical controls that the directive explicitly names, such as multi-factor authentication, encryption, and access control, alongside firewalls and endpoint protection.
4. Education
Ensure that all staff receive regular training and updates on cybersecurity, so that they know the current guidelines and can recognize and prevent threats. Note that the directive also requires the members of the management body to undergo security training.
5. Incident Management and Backup Plans
Develop and test an incident response plan that describes step by step how you detect, report, manage, and recover from cyber incidents, including who reports to the national authority or CSIRT and within which deadlines. Having a tested plan ready lets you act quickly and limit the damage.
6. Supplier Security
Supply chain security is one of the measures the directive explicitly requires. Assess the security of your suppliers and subcontractors, and include specific security requirements, such as incident notification and audit rights, in your contracts with them.
7. Regular follow-ups and testing
Conduct regular follow-ups and penetration testing to identify and address vulnerabilities in your systems.
8. Compliance Monitoring
Have a process in place to continuously monitor changes in the regulations and laws that apply to you, and to check that your measures still meet them.
9. Seek professional help
Seek assistance from cybersecurity experts or consultants who can offer advice and support to prepare and adapt your operations in accordance with the requirements of the NIS2 directive.
What will be the consequences if one does not comply with the NIS2 Directive?
Violations of the NIS2 Directive can lead to significant fines and other sanctions. The directive sets maximum fines of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least EUR 7 million or 1.4% of turnover for important entities. Supervisory authorities can also issue binding instructions, order security audits, and, for essential entities, temporarily suspend management from exercising managerial functions. Members of the management body can be held personally liable for failing to ensure compliance.
What standards can help implement NIS2?
International standards such as ISO/IEC 27001 (requirements for an information security management system), ISO/IEC 27002 (security controls), and ISO/IEC 27005 (information security risk management) are useful tools for structuring security measures and risk management processes in line with the requirements of the NIS2 Directive. Note that certification alone does not guarantee compliance: specific obligations such as the incident reporting deadlines and the responsibilities of management must be addressed explicitly.
Does it still feel complicated?
We understand that there are still many questions and uncertainties regarding the new directive. Norteam is happy to help review your systems to ensure they support and comply with the requirements of the directive. Contact us to learn more!