Understanding the new NIS2 Directive regulations and what they mean to you

In an era where digital technologies underpin every aspect of our lives, both privately and professionally, cybersecurity is non-negotiable. Against that backdrop, the European Union (EU) introduced the NIS2 Directive, a significant piece of legislation that aims to enhance cybersecurity across member states. By expanding its scope, the directive seeks to create a safer digital environment for businesses and individuals. This blog aims to create an understanding of the NIS2 Directive and explain the new regulations and, not least, what they mean to you.

What is the NIS2 Directive?

NIS2 stands for the “Network and Information Systems 2 Directive”. It is a legislative framework introduced to update and strengthen the existing NIS Directive, which came into effect in 2018. The directive is designed to address emerging cybersecurity threats and adapt to the ever-evolving digital landscape. Since the emergence of the NIS2 Directive, the field of application has expanded, and the regulations have developed.

Gain an overview of the key objectives of the NIS2 Directive here:

  • The primary goal of the NIS2 Directive is to enhance the overall cybersecurity posture of EU member states. It encourages organizations to take proactive measures to protect their network and information systems from cyber threats.
  • The directive places a strong emphasis on safeguarding critical infrastructure, such as energy, healthcare, finance, and transportation systems, from cyberattacks. Operators of essential services (OES) and digital service providers (DSP) are subject to specific requirements to ensure their resilience against cyber threats.
  • The directive introduces mandatory incident reporting for both OES and DSP, meaning that if a cybersecurity incident should occur, these organizations are obligated to report it to the relevant national authorities.
  • To facilitate a coordinated response to cyber threats, the directive promotes collaboration and information sharing among EU member states. This ensures that cybersecurity incidents are addressed effectively and promptly.
  • The impact of the directive is expected not only to enhance overall cybersecurity measures, but also to motivate organizations to invest in robust security systems to protect their networks and data.

What is new with the NIS2 Directive?

Building on the original regulations, the NIS2 Directive now covers a wider field of application, meaning that organizations operating in certain areas might be regulated. The new regulations cover:

[Image: NIS2]

Furthermore, the NIS2 Directive includes services such as activities carried out in space, production and distribution of chemicals, and food production. Learn more about the specific areas that are covered by the regulations here.

What do the NIS2 Directive regulations mean to you?

If your business falls under the NIS2 regulations, the directive requires you to adapt to the regulations and implement the safety measures it describes.

In addition, the directive sets requirements for a number of mandatory measures, including:

  • Risk analysis and information system security
  • Incident handling
  • Business continuity (e.g. backup, restoration, and crisis management)
  • Supply chain security (management of e.g. subcontractors)
  • Security in connection with the acquisition, development and maintenance of network and information systems
  • Ongoing assessment of security measures
  • Training of employees etc.
  • Encryption
  • Personnel security and access control

Furthermore, the directive imposes a reporting obligation under which a company must notify the competent authority of so-called significant incidents as soon as possible and within 24 hours, followed up by a report and estimate of the incident within 72 hours.

The new regulations are not yet implemented in Danish law, but it can be beneficial to start the implementation as soon as possible, as it can be quite time- and resource-consuming.

NIS2 compliance

As an international vendor of leading cloud SaaS offerings, we place a strong emphasis on safeguarding critical infrastructure from cyberattacks by ensuring cyber resilience through our solutions. Read more about cyber resilience in our blog and see how we can help implement it in your business here.

Benjamin Falk Elveng

Anycloud COO