
NIS2

Written by Editorial staff | May 30, 2024 10:55:12 AM
What is NIS2?

NIS2 is an EU Directive (2022/2555) aimed at raising the security of the network and information systems that deliver essential and important services. NIS2 replaces the previous EU Directive 2016/1148 (NIS) and aims to create a more coherent regulatory framework across the EU for the security of those systems.

The main objective of NIS2 is to ensure society's ability to deliver essential services, regardless of whether these are delivered by private or public entities.

The cornerstone of NIS2 remains a systematic, risk-based approach to information security, normally achieved through the establishment of an information security management system (ISMS). Member states will also have a greater responsibility to support the organizations covered by NIS2, both through information sharing and, among other things, by monitoring vulnerabilities.

An EU Directive sets out the expected result to be achieved by member states, with each deciding on the form and method of implementation.

Each member state is responsible for updating its local legislation to include the requirements of the NIS2 Directive, which means that some local variation or extension of the EU Directive may occur regarding NIS2. However, the Directive is designed to counteract the wide variation that has existed for NIS legislation in the different member states.

The Directive stipulates that each member state should maintain a register of the essential and important entities covered by NIS2, where both administrative and technical information should be collected, including contact details and, where applicable, IP address ranges. Member states must also ensure that administrative fines can reach at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities.

Each member state should also have an enhanced capability to deal with network and information system incidents through the establishment of Computer Security Incident Response Teams (CSIRTs), which will cooperate with other CSIRTs in the EU. Compared to the original NIS Directive, CSIRTs are expected to work more proactively and supportively.

When does NIS2 start to apply?

Member states must transpose NIS2 into national law by October 17, 2024, and the national measures apply from October 18, 2024, when the original NIS Directive is repealed. In practice this means that much of the work of adapting information and cybersecurity practices needs to start well before that date.

Who is covered by NIS2?

NIS2 is clearer than NIS about which entities are covered, and the number of sectors covered has been expanded. In the sectors listed in the Directive as critical to society, an entity is covered if it qualifies as at least a medium-sized enterprise under Article 2 of the Annex to Recommendation 2003/361/EC, which in practice means 50 or more employees or an annual turnover above EUR 10 million. Certain entity types, such as DNS service providers, top-level domain name registries and trust service providers, are covered regardless of size. When assessing size, it is generally the size of the entire group that counts. Recital 16 of the NIS2 Directive allows member states to make exceptions where it can be demonstrated that the entity concerned is sufficiently independent from the rest of the group in terms of its network and information systems.

Cegal and NIS2

Cegal's information and cyber security consultants have experience in establishing information security management systems for compliance with both NIS and other regulatory frameworks. In addition, Cegal's cyber security experts can guide you through this complex technical area. We can help you stay ahead of the curve when it comes to securing your IT infrastructure, with in-depth knowledge of operational technology (OT), cloud infrastructure and platforms, hybrid solutions, and multi-cloud infrastructure. Our dedicated delivery areas offer a wide range of security solutions to protect and monitor critical functions and ensure business continuity.