Let’s work together
Want to discuss potential opportunities? Pick the most suitable way to contact us.
Book a call+370 5 2 780 400
info@ba.lt
In 2024, European organisations will intensify their focus on cyber security as the NIS 2 Directive becomes law in Europe. With the compliance deadline set for Q4 2024, we are here to provide a thorough understanding of the NIS 2 Directive, so your organisation gets ready on time.
In this blog post, we go through the key aspects of the NIS 2 Directive, its significance, compliance requirements, impacted sectors and entities, and what actions every organisation can take.
The NIS 2 Directive, short for “Network and Information Security Directive,” is a legislative framework introduced by the European Union to bolster cyber security measures across member states.
It became law in 2024. Entities that fall under the NIS 2 purview therefore need to align with its requirements by Q4 2024, as each member state must transpose it into national law by October 17, 2024.
The original NIS Directive was adopted on July 6, 2016, with the official approval of the European Parliament and the Council of the European Union. It aimed to establish a common baseline of cyber security preparedness across European Union member states.
Building on the lessons learned from the initial NIS Directive, the NIS 2 Directive was proposed in 2020 and enacted on January 16, 2023. It continues and expands its predecessor, aiming to rectify its deficiencies. NIS 2 focuses on enhancing the security of networks and information systems by obligating operators of critical infrastructure and essential services to implement security measures and report incidents to the relevant authorities. Compared to NIS, NIS 2 widens its scope, covering more organisations and sectors EU-wide. It emphasises improved supply chain security, simplified reporting obligations, and the enforcement of stringent measures and sanctions throughout Europe.
As the NIS 2 Directive deadline approaches, applicable organisations must take steps to prepare for compliance. This includes:
Unsure where to begin with NIS 2 Directive compliance? Book a consultation with our cyber security experts for guidance.
Aiming to strengthen the EU’s ability to tackle existing and future cyber threats, the NIS 2 Directive brings new rules for organisations in several key areas. The main requirement areas include:
Need advice on NIS 2 Directive compliance? Contact our IT consultants today.
In 2018, the NIS Directive marked seven essential sectors vital for the EU’s stability. Later, in 2023, the NIS 2 Directive expanded to eight more important sectors. Let us explore the impacted sectors below.
According to Article 26 (Jurisdiction and Territoriality), if a non-EU entity provides services within the EU but is not based in the EU, it must appoint a representative within the EU. This representative should be located in one of the Member States where the services are offered.
The entity will be subject to the jurisdiction of the Member State where the representative is established. If there is no representative, any Member State where the entity offers services can take legal action against it for violating the NIS 2 Directive.
The relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA) lies in their collective efforts to enhance cyber security within the European Union, albeit with different focal points. NIS 2 aims to standardise cyber security across sectors critical to societal functioning, emphasising supply chain security. On the other hand, DORA specifically targets the financial sector, focusing on bolstering the operational resilience of digital systems. While the NIS 2 Directive outlines predefined financial penalties for non-compliance, DORA delegates the assessment of sanctions to member states.
Additionally, compliance requirements differ. NIS 2 mandates a security audit every two years, while DORA has stricter demands, including a threat-based test every three years and an annual resilience testing programme. Despite their distinct goals, both instruments contribute to making digital systems more secure in the EU.
The NIS 2 Directive sets several crucial deadlines for compliance. These deadlines, ranging from adoption and application to periodic reviews, outline the timeline for implementing and assessing the directive’s measures.
Have additional questions about the NIS 2 Directive? Do not hesitate to contact our IT consultants today.
The NIS 2 Directive outlines clear penalties for essential and important entities that do not comply. Penalties can be imposed for things like not meeting security requirements or failing to report incidents. These penalties include:
The fines will differ based on the Member State. Still, the NIS 2 Directive sets a minimum list of administrative sanctions for violating cyber security risk management and reporting obligations.
As the NIS 2 Directive becomes law, national supervisory authorities can also enforce non-monetary measures. These include issuing compliance orders, providing binding instructions, ordering security audits, and issuing threat notifications to entities’ customers.
For the essential entities, encompassing public and private companies in sectors like transport, finance, energy, water, space, health, public administration, and digital infrastructure, authorities can levy a maximum administrative fine of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.
For important entities, which cover public and private companies in sectors such as food, digital providers, chemicals, postal services, waste management, research, and manufacturing, authorities can impose a maximum fine of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.
Easing the burden on IT departments and redefining the landscape of cyber security responsibility, the NIS 2 Directive presents measures (criminal sanctions) that make top management directly accountable for significant lapses in security.
In particular, if negligence is proven after a cyber incident, NIS 2 empowers Member State authorities to hold organisation managers personally responsible. This involves publicising compliance breaches, issuing statements naming the individuals responsible and the nature of the violation, and, for essential entities, potentially imposing a temporary ban on an individual holding a management role after repeated violations. These measures ensure that C-level management faces responsibility and deter negligence in managing cyber risks.
While organisations tackle NIS 2 Directive compliance, having actionable guidance can ease the process. Let us handle your compliance so you can focus on your business.
Reserve your consultation today, and we will take care of the rest.