NIS2: How your organisation can meet the requirements
Improve cybersecurity across the EU
Published: 2024-04-15
In this article we go through the NIS2 directive, the EU's successor to the NIS directive implemented in 2016: what it is, how it affects your organisation and how to meet its requirements.
What is NIS2 and who does it affect?
The Network and Information Security Directive (NIS Directive) was implemented by the EU in 2016 to improve the cybersecurity posture of critical infrastructure operators and digital service providers. Building on the foundation laid by the NIS Directive, the European Commission introduced the NIS2 Directive, which aims to further strengthen cybersecurity resilience across the EU.
NIS2 expands the scope of its predecessor by covering a wider range of entities, including online marketplaces, search engines and additional sectors important to society and the economy. It sets out comprehensive requirements for incident reporting, risk management, cyber security capabilities and cooperation mechanisms between Member States.
Two central areas of NIS2 are proactive risk management (Chapter IV, Article 20) and incident reporting (Chapter IV, Article 23).
Organisations falling within its scope are required to implement robust cyber security measures, conduct risk assessments and establish incident management procedures.
Many member states and industry sectors draw on internationally recognised standards and best practices when formulating their national legislation. These widely recognised standards, such as NIST CSF, ISO 27001/27002 and the CIS Controls, can serve as useful guides for local authorities working to comply with the NIS2 directive.
NIS2 Implementation deadline and legal implications
European Union (EU) member states are required to incorporate the NIS2 directive into national implementation acts by October 2024. These acts will be legally binding, requiring compliance with the directive’s requirements for organizations that fall within its scope.
Emphasis on proactive risk management and incident management
The NIS2 directive stands as proof of the EU’s commitment to strengthening cyber security across its member states. With an emphasis on proactive risk management and strict incident reporting requirements, NIS2 aims to mitigate the cyber security threats we face.
Adherence to these directives not only protects critical infrastructure, but also promotes a safer society.
Affected organisations
The existing NIS Directive covers both essential services and certain digital services, without requiring the latter to be classified as essential. These digital services include internet-based marketplaces, search engines and cloud services. According to Swedish legislation, specifically the Act (2018:1174) on information security for socially important and digital services, providers of these services are obliged to quickly report incidents that significantly affect the delivery of a digital service within the EU.
The services considered critical to society are those that are crucial for the functioning of society or the economy, for example:
- Banking operations
- The transport sector
- The energy sector
- Healthcare
- Digital infrastructure
- Financial market infrastructure
- Delivery and distribution of drinking water
These services constitute a critical infrastructure whose disruption can have far-reaching consequences for both society and the economy.
With the NIS2 directive, the list of sectors covered by the regulation is expanded. Under NIS2, the services critical to society also include these sectors:
- Public Administration
- Manufacturing
- Waste disposal
- Space (operators of ground-based infrastructure)
- Research
- Sewage
- Management of ICT services
- Mail and courier services
- Manufacturing, production and distribution of chemicals
- Production, processing and distribution of foodstuffs
- Digital suppliers
NIS2 will be introduced in October 2024
On October 18, 2024, the NIS2 directive enters into force, marking a new era for information security within the EU. This directive enforces higher demands on the protection of personal data and system availability, which means that companies and organizations must strengthen their defences against cyber threats. To meet these requirements, stakeholders must actively engage their staff, improve their internal processes and implement modern and secure technology. Through these measures, a stronger infrastructure is created to protect critical data and maintain service continuity. The NIS2 directive is not just a regulatory framework but a call for proactive work to secure the basic functions of our digital society.
With an IT Service Management system you can strengthen your cybersecurity posture and support NIS2 compliance going forward. For a description of what an IT Service Management system does to help you become NIS2 compliant, read the related article: IT Service Management that fulfills the requirements for NIS2.
André Hellman
IT Service Management Expert