
What is NIS2?

The NIS2 Directive, or the Network and Information Security Directive, is a piece of European Union (EU) legislation that aims to improve the overall level of cybersecurity in the EU. It was adopted in January 2023 and will replace the NIS Directive, which was adopted in 2016.

The NIS2 Directive will go into effect on 28 June 2024. However, organizations that are subject to its requirements will have a one-year grace period to comply, so the deadline for compliance is 28 June 2025.

NIS2 vs. NIS and other Policies

The NIS2 Directive is a significant update to the NIS Directive. It includes a number of new requirements, such as:

  • Increased focus on incident reporting and response
  • New requirements for risk assessment and mitigation
  • Expansion of the scope of the directive to include new sectors

| Policy                                 | Scope | Requirements                                                          | Sanctions            |
|----------------------------------------|-------|-----------------------------------------------------------------------|----------------------|
| NIS2 Directive                         | EU    | Incident reporting, risk assessment, security measures, cooperation   | Harmonized sanctions |
| Cybersecurity Act (NIS2 predecessor)   | EU    | Incident reporting, risk assessment, security measures                | Fines                |
| NIST Cybersecurity Framework           | US    | Risk assessment, security measures                                    | Voluntary            |

Who does it apply to?

The NIS2 Directive applies to a wide range of organizations operating in the EU, including:

  • Organizations in critical infrastructure sectors, such as energy, transport, and financial services
  • Organizations in important sectors, such as healthcare and telecommunications
  • Organizations that provide essential services, such as water and waste management

What do you need to do to comply?

The specific requirements that organizations need to comply with will vary depending on their sector and size. However, some of the key requirements that all organizations will need to comply with include:

  • Conducting regular risk assessments
  • Implementing appropriate security measures
  • Reporting certain types of cybersecurity incidents to their national cybersecurity authority

What can you learn from NIS2 if it doesn’t apply to you?

Even if the NIS2 Directive doesn’t apply to you directly, there are still some important lessons that you can learn from it. For example, the directive emphasizes the importance of incident reporting and risk management. These are two important aspects of cybersecurity that all organizations should be taking seriously, regardless of their size or sector.

Conclusion

The NIS2 Directive is an important piece of legislation that will have a major impact on cybersecurity in the EU. Organizations that fall within its scope should understand the new requirements and take steps to comply with them. Even if the directive doesn’t apply to you directly, there are still some important lessons that you can learn from it.

The directive is very general in nature, but at a high level it shows you what matters across the critical sectors of a geopolitical entity such as the EU. Several consulting firms offer resources that map elements of the directive to ISO 27001, training to prepare for compliance, and overall assessments of the directive.

Additional resources: