Known as the Network and Information Security Directive, the NIS-2 Directive is an important piece of legislation aimed at improving cyber security hygiene and protecting critical infrastructure across the European Union. The NIS-2 Directive will be a requirement across all EU member states, by 18^th October 2024.

With less than a year until the deadline, organisations are asking questions and seeking support with implementing NIS-2, in time and in line with the standards. To avoid rushing the process, it is advisable to address NIS-2 and its requirements head on, and as soon as possible.

All organisations, regardless of size, are vulnerable to cyberattacks, which the NIS-2 is formulated to counteract. But who is affected by the NIS-2 directive? Organisations across 18 sectors with 50 or more employees and a turnover of 10 million EUR need to take note and have plans in place for Autumn 2024. Please see below for the industry sectors that fall under the “essential” category, and take note that NIS-2 regulations apply not only to companies, but their contractors too.

• Energy
• Transport
• Postal and courier services
• Space exploration and research
• Research institutes
• Digital suppliers (marketplaces, search engines, social networks)
• Food production, processing and distribution
• Chemical manufacturing, production and distribution
• Waste management
• Industry and manufacturing
• Public administration
• Banking and finance
• Education
• Water supply
• Digital infrastructure
• ICT service management

So, what must be implemented? The requirements of the NIS-2 Directive can be summarised into 3 groups, with the first being Governance & Awareness. Management bodies must approve and monitor cybersecurity measures taken and are liable for infringements. The second group concerns the implementation of risk management measures, and when making company-related decisions, the risks to the network and information systems must always be assessed. Lastly, the third group of requirements concerns reporting obligations to be complied with. In the event of significant security incidents, the competent supervisory authorities must be informed immediately, but at the latest within 24 hours of the incident.

Your board and senior management should define your cybersecurity strategy to effectively manage evolving cyber risks and adhere to NIS-2 regulations. With cyber threats constantly evolving, IT leaders must take a proactive governance approach to security. As key pillars, NIS2 requires firms to conduct regular risk assessments, implement appropriate controls, ensure third party security, maintain response plans, and report significant incidents. Forward-thinking CIOs and CISOs should integrate NIS2’s comprehensive expectations into their overarching cyber strategy now. Getting ahead of fast-approaching deadlines will allow methodically addressing any capability gaps, pursuing security enhancements steadily, and cultivating more resilient systems. Embracing these tighter regulations also signals to customers, partners and authorities that your organization takes data protection seriously. Prioritizing NIS2 alignment demonstrates strategic governance minimizing business disruption when the next inevitable cyberattack comes.

To discuss your options, or to get advice from a team of Governance, Risk and Compliance experts, reach out to us at NGS to be more secure in 2024.