The NIS 2 Directive Explained

Europe's most comprehensive cybersecurity directive to date, the Network and Information Systems Directive (NIS 2), will come into effect in 2024. It introduces stricter regulations for risk management and incident reporting, and expands its scope to cover a wider range of industries.


€10 MM

Maximum administrative fine for NIS 2 non-compliance, per company

15

Number of sectors covered by the NIS 2 Directive. If your company operates in one of these sectors, it needs to be NIS 2 compliant.

October 2024: NIS 2 goes live


What is the NIS 2 directive?

The NIS 2 Directive is an updated EU cybersecurity rule introduced to address gaps in its predecessor, the NIS Directive. It has a wider scope, encompassing more sectors than before, aims to unify cybersecurity standards across the EU, and introduces stricter penalties for those who don't comply.

The directive emphasizes a risk-based approach, meaning organizations should protect their systems based on potential threats. Collaboration is key, as NIS 2 encourages information sharing among stakeholders. Moreover, it requires comprehensive incident reporting to help understand and counter emerging threats.

15 sectors impacted by the NIS 2 Directive

Is your company impacted?

The NIS 2 Directive expands coverage from the original 7 sectors under the NIS Directive, adding 8 more for a total of 15 sectors. Sector-specific NIS 2 information follows for each of the sectors listed below.

NIS 2 classifies organizations as either "Essential Entities" (EE) or "Important Entities" (IE). Public or private entities in these sectors with more than 50 employees and an annual turnover above €10M must determine which group they fall into and follow the related rules.

Sectors list


Energy

Covers the crucial energy sectors of electricity, oil, and gas, underscoring their importance in everyday functions and the need for cybersecurity.


Transport

Focuses on the major modes of transport: air, rail, sea, and road, highlighting their role in connecting people and places.


Healthcare

Prioritizes the protection of healthcare settings, encompassing both public hospitals and private clinics, given their role in public welfare.


Public Administration

Emphasizes the protection of public services, reflecting the directive's commitment to ensure uninterrupted and secure administrative functions.


Banking & Financial Market Infrastructure

Addresses the backbone of our financial system, spotlighting areas like payment services that facilitate economic activities.


Digital Infrastructures

Targets foundational digital services, such as those providing DNS and TLD registries, acknowledging their role in the digital ecosystem.


Water Supply

Focuses on the preservation and security of both drinking water and wastewater systems, which are vital for public health.


Space

Illuminates the strategic significance of the space sector, ensuring it meets high cybersecurity standards given its impact on various technologies and services.

Public telecom & ISP providers

Those offering publicly available communication networks and services, such as telecom companies and internet service providers.


Trust service providers

Entities that offer digital trust services, ensuring the authenticity of electronic transactions and communications.


Sole providers of a critical service

Unique entities that are the only sources of specific, vital services critical to daily operations or infrastructure.


TLD registries & DNS providers

Organizations managing top-level domain listings and the systems directing internet traffic to the correct addresses.


Domain name registrars

Businesses that oversee the reservation of internet domain names, ensuring each is unique and correctly assigned.


Entities crucial for safety, security, or health

Vital organizations whose disruption could jeopardize public safety, security measures, or health outcomes.


Central or regional public administration entities

Main governmental bodies at central or regional levels, playing a pivotal role in public governance and administration.


All other entities if:

The entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
Disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
Disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
The entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;
A Member State has defined that entity as a "critical entity" according to the Critical Entities Resilience (CER) Directive (EU) 2022/2557.

Digital Providers

Encompassing a broad array of digital services such as search engines, online marketplaces, and social networks, this sector is pivotal in today's interconnected world.


Food

Covering the full spectrum from farm to fork, this sector ensures that every stage, from farming and processing to retail, is secure and robust.


Postal & Courier Services

As the lifeline for communications and goods delivery, this sector must uphold a fortified digital defense, ensuring consistent and safe operations.


Research organizations

As a hub of innovation and progress, this sector is pivotal, driving forward scientific breakthroughs while being a potential target for cyber threats.


Chemicals

This sector, vital for Europe's industrial competitiveness, spans from the creation to the distribution of chemicals, serving as a bedrock for innovative solutions.


Manufacturing

A broad field that includes the making of items like medical devices, electronics, machinery, vehicles, and transport equipment, it's at the heart of Europe's production capabilities.


Main goals and objectives of the NIS 2

1. Implement effective risk management
2. Ensure corporate accountability for cybersecurity
3. Establish efficient reporting obligations for security incidents
4. Develop robust business continuity plans for cyber incidents

Understand the building blocks and requirements

Organizations under NIS 2 must proactively implement policies and measures to minimize cybersecurity threats.

This includes a core set of measures encompassing risk analysis, incident response, encryption, improved access control, and addressing vulnerabilities in their ICT supply chain. Moreover, entities should undertake vulnerability assessments to ensure that measures align with the entity's exposure to potential risks and the potential societal and economic impacts of such threats.

Corporate accountability

NIS2 emphasizes that management bodies of in-scope entities are responsible for overseeing and approving cybersecurity risk management measures. They are expected to undergo regular training to identify and assess cybersecurity risks and their potential impact on services. Moreover, breaches might lead to management being held liable, which underscores the heightened corporate responsibility under this directive.


Management training program

Introduce mandatory cybersecurity training for corporate management to increase awareness of cyber risks, best practices, and organizational cybersecurity policies.


Cybersecurity oversight committee

Form an executive-level committee to oversee cybersecurity measures, develop policies, and manage cybersecurity budgets.


Risk reporting & mitigation

Develop a structured mechanism for management to regularly report on cybersecurity risks, vulnerabilities, and mitigation strategies.


Penalties & incentives

Establish a framework of penalties for non-compliance and incentives for proactive cybersecurity risk management.


Cybersecurity compliance audits

Regularly conduct audits to evaluate management's adherence to cybersecurity policies and identify areas for enhancement.

Reporting obligations

In-scope entities are mandated to promptly report significant incidents. This includes an "early warning" within 24 hours of awareness, followed by a comprehensive incident notification within 72 hours to competent national authorities. Affected users should also be notified promptly, ensuring a robust and transparent communication process during cybersecurity incidents.


Incident reporting platform

Utilize systems enabling suppliers, vendors, and customers to efficiently report all kinds of cybersecurity incidents.


Automated incident notifications

Set up an automated system for escalating alerts and notifications to relevant stakeholders, including regulatory bodies, within prescribed timeframes.


Incident classification guidelines

Develop clear guidelines for categorizing incidents based on severity and impact to ensure consistent reporting and effective response protocols.


Incident documentation & reporting process

Establish a detailed process for documenting incident details, responses, and post-incident analysis to enhance organizational learning and response improvement.


Incident response teams

Form specialized teams equipped with the necessary tools and expertise for prompt handling and containment of cybersecurity incidents.

Business continuity

In the face of major cyber incidents, organizations are expected to have a business continuity plan. This entails strategies for system recovery, emergency procedures, and the establishment of a crisis response team. The emphasis is on ensuring uninterrupted business operations and quick recovery after significant cybersecurity events.


Redundancy & backup

Implement data redundancy and backup strategies to maintain data availability and system resilience during and post-cyber incidents.


Business impact assessment

Conduct thorough assessments to identify key systems and processes critical for operations during cyber incidents.


Cyber incident response plan

Develop a comprehensive plan detailing step-by-step procedures for cyber incident management, including communication strategies, recovery tactics, and roles of crisis response teams.


Cybersecurity awareness training

Provide organization-wide training on the business continuity plan and employee roles in minimizing disruptions during cyber incidents.


Regular plan testing & drills

Periodically test and conduct simulated drills of the business continuity plan to identify gaps, enhance response efficiency, and ensure the plan's ongoing effectiveness.


What if a company is not compliant with NIS 2?

Companies failing to comply with the NIS 2 Directive could face severe penalties ranging from non-monetary sanctions to substantial administrative fines. Additionally, top management personnel can be held personally accountable for non-compliance, emphasizing the significance of cybersecurity responsibility at an organizational level.

Up to €10MM in fines for non-compliance

NIS 2 differentiates between essential and important entities concerning administrative fines. Essential entities could incur fines of up to €10,000,000 or 2% of their global annual revenue, whichever is higher. Important entities face fines of up to €7,000,000 or 1.4% of their global annual turnover, again whichever is greater.

Non-monetary fines and restrictions

Under NIS 2, national supervisory authorities can enforce various non-monetary penalties. These could include compliance orders, binding instructions, orders for security audits, and mandates for threat notifications to an entity's customers.

Management fines

NIS 2 makes top management personally accountable, shifting the responsibility from IT departments alone. In cases of non-compliance, authorities can make violations public, identify responsible personnel, hold management liable for breach of their duties, and, for essential entities, temporarily ban individuals from holding managerial positions after repeated infractions.

Where to start your NIS 2 compliance journey?

Embarking on the NIS 2 compliance journey requires a structured approach. Here are five essential steps to guide your business to successful adherence.

Assess applicability & impact

Determine if NIS 2 affects your organization. Understanding its relevance to your business ensures you focus on what truly matters. Highlight and prioritize your organization's critical services, processes, and assets for a targeted approach.

Elevate cybersecurity awareness

Secure top management support by raising awareness about NIS 2 sanctions and fines. This includes dedicated training programs for leadership on cybersecurity risk management and the significance of a cyber-oriented culture.

Enhance security infrastructure

Implement a risk and information security management system (ISMS). Review and adapt the 10 mandated cybersecurity risk management measures of NIS 2. This includes streamlining incident reporting, enhancing supply chain security, and establishing a robust business continuity plan.

Allocate resources effectively

Plan and budget accordingly, focusing on areas with the highest cyber risks. This involves allocating sufficient financial resources for cybersecurity endeavors, bearing in mind the stiffer penalties that NIS 2 introduces for non-compliance.

Continuously monitor & adapt

Foster a culture of continuous improvement. Regularly assess and close security gaps, stay updated on expected security controls, and leverage expert guidance as needed. Ensure that your organization remains agile and adaptive in its compliance journey.