Ask An Expert About … The Network and Information Security Directive 2, or NIS2.

Everything you need to know about NIS2

October is an incredibly important time for security providers. Not only is it Cyber-security month, but it marks the start date for the Network and Information Security Directive 2, or “NIS2”.

Read on to find out everything you need to know about NIS2, shared from our Global Head of Operational Security, Rob Nidschelm.

What Does NIS2 Mean?

NIS2 is an update to regulatory frameworks. It’s being introduced by the EU to strengthen cybersecurity across the industry, and enforce the resilience of critical infrastructure. The NIS Directive (2016) is the foundation for this new update, with the original aimed at improving cybersecurity for essential services. Energy, healthcare, transportation, and digital services are all included.

NIS2, however, focuses on enhancing organisations within these sectors to respond effectively to cyber threats, it means they will be able to prevent, detect, respond to, and recover from incidents that could be catastrophic. Businesses will foster a more secure and resilient digital environment across the EU.

NIS2 was adopted by the European Parliament in November 2022, but is set to come into effect by October 2024. This is the deadline for EU member states to add the requirements of NIS2 as a part of their individual national legislations, and organisations within the EU will need to match these new standards too.

In Which Key Ways Is NIS2 Going to Change the Cybersecurity Landscape?

There are several ways that NIS2 is going to change the landscape of our industry. Let’s take a look at the most critical of them below.

Because the new framework expands its regulatory scope, we can expect it to cover more sectors and essential services. The list will now include food supply chains, waste management, and manufacturers of critical products. This update is a perfect example of the support NIS2 will bring, making sure that even more industries are protected against cyber threats.

With new standardisation practices, reporting across the EU is about to become a lot clearer. Organisations need to notify relevant authorities of a significant cybersecurity incident within 24 hours of detection. This will keep response times short, support arrives quickly, and keeps the entire EU safe.

Accountability is a large part of what it takes to keep an organisation secure. Senior management teams will now be held responsible for ensuring compliance with NIS2 and will need to hold regular audits and assessments of their cybersecurity. It’s no light responsibility, but necessary for the overall health of a business.

Other key changes include investigating the security of third parties, and vendors, as well as strengthened risk management.

What Will Be the Impact if NIS2 Is Not Implemented?

Failure to implement NIS2 can have significant consequences for both organisations and sectors covered under the directive:

• Increased Risk of Cyberattacks
• Non-Compliance Penalties
• Operational Instability
• Reputational Damage
• Supply Chain Vulnerabilities
• Loss of Competitive Advantage

Without NIS2’s mandatory cybersecurity measures, organisations are more vulnerable to cyberattacks, which could result in severe operational disruptions, financial losses, or compromised data. If something like this does happen, an organisation could face hefty fines, and penalties. It can easily result in a loss of supply chain, vendors, and damage your public reputation.  

How Should Companies Prepare?

There are several proactive steps open to your organisation that will prepare you for NIS2.

A full assessment of your current cybersecurity practices will identify gaps in risk management, incident response, and resilience capabilities. This sets a foundation for assessing and monitoring the cybersecurity practices of third-party suppliers and service providers, developing your Incident Reporting Protocols. Establishing clear incident reporting procedures is important, it ensures prompt notification to the authorities and efficient response to incidents.

Test regularly, update accordingly, and assess your preparedness with drills. Being prepared for a cybersecurity incident is half the battle when it comes to recovery.

Problems NIS2 Will Help to Solve

Cybersecurity isn’t the first thing you think of when you open a business, but it’s often the source of some major problems. By matching the NIS2 regulation, you can make sure that you’re working to a baseline of security across essential services, and that those services match the rest of the EU. It keeps a range of sectors up to date, and connected. Businesses are always speaking to one another, updating the authorities on threats, and creating a web of support across the continent. You’ll be a part of a sleek and responsive team of organisations.

How Can Getronics Help?

Getronics has a long list of services that will help you to match, and exceed, the directives involved in NIS2. We can consult on the way your current cybersecurity is placed, identify weak points, and suggest ways to reinforce them. Getronics will make strategy easy, offering strategies that don’t just align with NIS2, but also offer CTI services that gather, analyse, and apply actionable intelligence.

Emerging threats are spotted before they become an issue, giving you more time to ready yourself.

Getronics has the use of a dedicated Security Operations Center (SOC), which offers continuous monitoring, detection, and response services. We help to mitigate cyber incidents.

The jewel in our offering is that we always stay up to date with other standards globally. Check out our Ask An Expert article about DORA, and you’ll see how we can integrate both regulations together, supporting you to become fully compliant with any and all regulations.

Contact our experts to understand more about how to match NIS2, and how Getronics can help you exceed it.