What is the NIS2 Directive?
In today’s blog article we’re going to talk about the NIS 2 directive which is based around a cyber security framework and is primarily based around the European Union.
The NIS Directive or the Network and Information Systems, is a directive which was implemented to increase the cyber security awareness of EU member states. The initial directive was implemented in 2016 and now we have the new version of NIS, NIS 2. This new version will further increase requirements on organisations to protect themselves.
The NIS2 directive is a cyber security related framework which is being mandated and will fully come into play in October 2024, the EU member states will need to be implementing this new directive, if not already. This means that organisations within Europe must, if not already, be getting ready to implement changes when it comes to complying with Cyber Security and their business.
Some of the key changes which are coming in the second version are as follows:
There is now a broader scope when it comes to what entities are impacted. The NIS2 directive, categorises entities into “essential” and “important” depending upon which sector they are in and the important that they play. The scope now also includes sectors such as healthcare, wastewater, postal and courier services, the aerospace industry as well as the digital sector and a few more. So as you can see it impacts a wide range now compared to the previous version.
As part of the scoping, you as a business also need to ensure that anyone who supplies you (via the supply chain) and provide services are also now covered, this therefore means that you need to ensure that any business that provide you things are doing their best to ensure they are protecting their information from cyber based threats.
A lot has happened since 2016 when the first directive was released, the version adds additional cyber security measures and standards, ensuring that the baseline of security is increased. There will now be mandatory measures put in place by businesses to ensure that the basic cyber hygiene is implemented, that vulnerability scanning, encryption and asset management are carried out. If you aren’t doing this already, look into it now. As a side note we also provide IASME Cyber Baseline, which can tick a lot of these boxes.
NIS2 will also be looking at how you as a business handle and manage any information security incidents. So you need to have a incident management plan in place and ensure people are aware of this and know what to do and who to contact, should something happen.
Like GDPR, NIS2 will also ensure that people are held responsible and that fines will be issued should businesses get impacted and found that they didn’t do their best to protect information.
However, there may also be some implications for businesses which need to deal with EU based companies. Basically, any companies that need to operate or provide services to EU based companies may be impacted by these changes, therefore this new directive could play a wider role.
Therefore, if your business deals with EU based businesses you should ensure that you also comply with the NIS directive, as you never know, you could be impacted in the future. Better to be safe and be compliant from the start.
So how that you know what NIS2 is, how can you as a business prepare for this?
Well, there are a few things you can look at doing, these being:
- Implementing a asset management plan, if not already. Ensure that you know what assets you have and who has them and where they are located. Ensure that full disk encryption is used on everything.
- Understand what is required of you, if you are based within the EU, read up on the directive and get a solid understanding of your requirements.
- Make sure that you have provided a risk assessment of your business, you have a valid risk register and risk management plan in place. You should know what your risks are and now to mitigate them.
- Educate your users, including senior management, ensure that everyone is aware of their duties and how to safeguard information.
Lastly remember that the NIS2 directive is not just a point in time requirement, it should be built into your business and you should built upon this and improve your processes as time goes on.