As of January 2023, new European guidelines known as the Network and Information Security Directive 2 (NIS-2) have been implemented to strengthen cybersecurity across various sectors of the European Union. Companies and organizations need to comply with these rules. This blog post summarizes what we know about this legislation so far, which is vital for many organizations in Europe.
What is NIS-2?
NIS-2 legislation builds on previous NIS regulations and aims to enhance the security of network and information systems within the European Union. This requires member states to identify and implement appropriate security measures. The primary objective? Reduce cyberattack risks and limit their impact. NIS-2 targets entities operating in critical sectors such as energy, transportation, healthcare, and financial services, but also other sectors crucial to the ongoing functioning of the economy and society:
- Digital infrastructure
- Water supply
- Digital service providers
- Data centers
- Providers of public electronic communication services
- Water management
- Manufacturing of medical devices and chemicals
- Postal administration
- Public administrations
Why is complying with NIS-2 important?
For businesses and organizations that fall under NIS-2, compliance is a critical task in the coming period. Non-compliance with NIS-2 could result in substantial fines, up to 2% of the annual turnover. More importantly, adhering to NIS-2 guidelines is essential to ensure digital security and prevent cyberattacks. NIS-2 mandates organizations to elevate their digital security and adapt to the growing threats of cybercrime.
What if your sector isn't mentioned?
Even though NIS-2 mainly focuses on vital sectors, these guidelines may also impact companies not operating within these sectors. For example, suppliers to businesses in vital sectors might be asked to comply with NIS-2 to continue their operations. Thus, companies need to assess the impact of NIS-2 on their clients and suppliers and take timely actions to meet these requirements.
How can a company or organisation prepare for NIS-2?
To prepare for NIS-2, companies or organizations must first determine if the guidelines apply to them or their clients or partners. Information about these guidelines can be found in this blog post. Next, it's crucial to identify the necessary measures to become NIS-2 compliant. This process may include assessing (third-party) security risks, mitigating these risks, and limiting the effects of cyber incidents.
What could happen if you do not comply?
It's unclear how many European companies are fully in line with NIS-2 guidelines. However, it's known that companies operating within the sectors mandated by NIS-2 must comply, and this isn't just limited to large corporations; small and medium-sized businesses are included too. It's essential to understand that NIS-2 isn't optional, and non-compliance could lead to substantial fines.
Besides the financial repercussions, failure to comply with NIS-2 might damage the company's reputation, primarily if a cyberattack occurs due to the neglect of the guidelines. Hence, being NIS-2 compliant isn't just about avoiding penalties but also about ensuring digital security and maintaining the trust of customers and business partners.
How to become NIS-2 compliant?
Even though NIS-2 came into effect in January, organisations and companies still have some time to prepare. It's recommended to appoint a NIS-2 compliance officer responsible for the implementation of and adherence to NIS-2 within the company. NIS-2 has significant implications for businesses and organizations in Europe. Amongst others, it sets requirements for third-party ICT risk management:
- NIS-2 emphasizes that organisations should proactively manage risks introduced by third parties. This includes all suppliers and service providers and should be considered from a multidisciplinary risk perspective. The Directive states that organisations at least should:
  - Assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures (article 43)
  - Exercise increased diligence in selecting a managed security service provider (article 44)
  - Address cybersecurity risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem. In particular, entities should take appropriate measures to ensure that their cooperation with academic and research institutions (article 45)
  - Carry out or participate in coordinated sectoral supply chain risk assessments (article 46)