NIS2 Requirements

Understand and prepare for the upcoming NIS2 requirements.

New Organizational Requirements

To bolster Europe’s resilience against current and future cyberthreats, the NIS2 Directive introduces new requirements and obligations for organizations in four overarching areas: risk management, corporate accountability, reporting obligations, and business continuity.

Risk Management

To comply with the new Directive, organizations must take measures to minimize cyber risks. These measures include incident management, stronger supply chain security, enhanced network security, better access control, and encryption.

Corporate Accountability

NIS2 requires corporate management to oversee, approve, and be trained on the entity’s cybersecurity measures and to address cyber risks. Breaches may result in penalties for management, including liability and a potential temporary ban from management roles.

Reporting Obligations

Essential and important entities must have processes in place for prompt reporting of security incidents with significant impact on their service provision or recipients. NIS2 sets specific notification deadlines, such as a 24-hour “early warning”.

Business Continuity

Organizations must plan for how they intend to ensure business continuity in the case of major cyber incidents. This plan should include considerations about system recovery, emergency procedures, and setting up a crisis response team.

10 Minimum Measures

In addition to the four overarching areas of requirement, NIS2 mandates that essential and important entities implement baseline security measures to address specific forms of likely cyberthreats. These include:

  • Risk assessments and security policies for information systems.
  • Policies and procedures for evaluating the effectiveness of security measures.
  • Policies and procedures for the use of cryptography and, when relevant, encryption.
  • A plan for handling security incidents.
  • Security around the procurement of systems and the development and operation of systems. This means having policies for handling and reporting vulnerabilities.
  • Cybersecurity training and a practice for basic computer hygiene.
  • Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organizations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.
  • A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.
  • The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication, when appropriate.
  • Security around supply chains and the relationship between the company and each direct supplier. Companies must choose security measures that fit the vulnerabilities of each direct supplier, and then assess the overall security level across all suppliers.

Steps To Prepare For Compliance

With the NIS2 Directive set to be transposed into national law by October 17, 2024, applicable organizations must take steps to prepare for compliance. These include:

  • Determine whether they fall under NIS2’s scope and which units are impacted.
  • Evaluate existing security measures, amend security policies, and plan for NIS2 compliance.
  • Incorporate the new security measures and incident reporting obligations into the supply chain. Start early to avoid delays.

Get NIS2 Compliant (Whitepaper):

Time is running out to comply with NIS2 regulations. Starting your compliance journey sooner rather than later is crucial.

A typical NIS2 compliance process, including security assessments, auditing, consulting, and tool implementation, takes approximately 12 months.

For practical advice on how to comply with the requirements, check out our NIS2 white paper.

NIS2 White Paper