To be implemented by 17 October 2024 by all EU Member States, the NIS 2 directive is a set of rules aimed at ensuring a common level of cyber security within the EU. The aim is to modernize the existing legal framework to adapt it to the increasing digitalization of businesses and, at the same time, to an ever-changing landscape of cyber security threats.
NIS 2: requirements for businesses
The NIS2 Directive establishes a series of minimum-security requirements for businesses to improve the cyber security resilience of critical sectors across the EU:
- Risk management and security measures
Organizations must implement a comprehensive information security policy that outlines security objectives, roles and responsibilities. A risk management framework is needed to identify, assess and mitigate cyber security risks, with management approving the risk assessment results and mitigation plans.
- Breach reporting and management
A formalized incident management policy should be in place. This should include categorization of breaches, reporting and escalation protocols, and assignment of roles for detection and response. The policy should be integrated with business continuity plans, and response actions should be recorded, with forensic evidence retained for post-incident analysis.
- Supply chain security
The NIS 2 directive emphasizes the need to manage cybersecurity risks in third-party relationships. Entities should assess the risks posed by their suppliers and ensure that security requirements are integrated into supply chain contracts.
- Regular audits and compliance
Regular monitoring and internal audits are required to ensure compliance with security policies. A compliance reporting system should be in place to track and verify adherence to these policies, and the effectiveness of security measures should be reviewed periodically.
- Cybersecurity training and awareness for employees and managers
Organizations must provide regular training for employees and leadership on topics such as identifying cyber risks, managing incidents and enforcing internal security policies. In addition, the directive requires awareness-raising activities to promote general awareness of cybersecurity. For example, how to recognize phishing emails or apply security practices in daily operations. This helps create a culture of security, reducing the risk of human error and improving incident response.
Sectors and scope of application of NIS 2
The regulations under the NIS2 directive do not apply exclusively to large and medium-sized enterprises, but also, in some cases, to small and micro-enterprises operating within the European Union. This extension is part of a broader commitment by the EU to ensure greater resilience and protection against cyber threats, in an increasingly interconnected and vulnerable environment.
The legislation covers a wide range of critical sectors, including energy, transport, banking, financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure, management of ICT (Information and Communication Technology) services, public administration and space. In addition, essential services also include postal and courier services, waste management, production and distribution of chemicals, food, medical devices, electronic and optical products, electrical equipment, vehicles, digital services and research. Businesses operating in these sectors must take appropriate measures to protect their systems and data, ensuring the continuity of services essential for the safety and well-being of society.