NIS2: It's getting CRITICAL
Many companies based in the EU must urgently take steps to comply with stringent new NIS2 security requirements. This is not just about fulfilling obligations, but about more security in IT, from which we all benefit.
- NIS2 is a new EU directive to increase cybersecurity for critical infrastructure that applies to more companies across different industries than earlier NIS regulations.
- All EU member states must implement these minimum legal requirements at national level by October 2024.
- NIS2 requires clear cybersecurity standards, risk analysis, incident response management and supply chain security.
As critical infrastructure is increasingly targeted by hackers, the European Union (EU) in 2022 expanded the scope of the measures defined in the Network and Information Security (NIS) Directive that’s been in place since 2016. Meant to increase cybersecurity for “critical infrastructures” (CRITIS), the new NIS2 regulations (EU 2022/2555) came into effect this year.
The earlier NIS regulations applied to organizations in the energy, healthcare, transportation, banking and financial services, digital infrastructure, digital service providers and water supply sectors. NIS2 adds a wider range of companies and institutions with more than 250 employees, annual revenue of €50 million (US$54 million), or assets of €43 million (US$46.7 million). It includes organizations whose operations are deemed important or essential to the economy or society such as food producers, processors and distributors, manufacturers of electronics, medical devices and other products, postal and courier services, data centers, waste management companies and more.
Other organizations are subject to NIS2 regardless of size including public electronic communications networks or services, trust service providers, domain registrars and DNS service providers, sole national providers of a service whose disruption could have a significant impact on public order, security, or health.
In addition, the following sectors are now considered “highly critical” throughout the EU: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, information and communications technology (ICT) service management, public administration and space.
At the national level, all EU member states must implement the statutory minimum IT security requirements by October 2024. In Germany, for example, the second draft of legislation covering implementation has been available since July 2023 and only needs to be confirmed by the federal administration.
Companies affected by NIS2 will have to meet a clear set of requirements for cybersecurity (safety and security), risk analysis, information security, assessment and implementation of security measures, incident response and reporting, crisis management and training. NIS2 also places a much greater emphasis on risk management and supply chain security.
In an upcoming blog article I’ll describe what companies need to do to meet the requirements of NIS2 and how UEM can help with implementation.
One of the most common cyberattack methods is phishing. Our free checklist provides easy-to-implement steps that can significantly reduce the risk of being compromised by a phishing attack.