The updated Network and Information Security Directive (NIS 2) entered into force in January 2023, and the European Commission set October 17, 2024 as the deadline for implementing its requirements. This leaves organizations that operate and provide services within the 27 Member States of the European Union only a few months to adjust their compliance practices and align with NIS 2.
To ensure that your organization is ready to go through the compliance process, we have prepared a guide to help you navigate the changes and new obligations that you need to fulfill. Read on to learn more:
The original NIS Directive was enacted in 2016 as the first official law establishing a cybersecurity risk management framework to enhance the security posture of critical service providers in the EU. It has since been revised and replaced by the NIS 2 Directive, which was published in December 2022.
Just like the first directive, NIS 2 outlines a set of requirements in the form of minimum security measures that organizations in specified sectors must implement. These include conducting risk assessments, establishing information security policies, reporting high-severity incidents to national authorities, evaluating the effectiveness of cybersecurity risk management measures, and more. Significant changes between the previous directive and NIS 2 include:
While NIS 1 covers private and public entities that are either operators of essential services or digital service providers, NIS 2 now applies to all medium companies (those with 50 to 249 employees) and large entities (those with 250 or more employees) that fall under essential and important categories. These categories refer to sectors that are deemed vital to the economy and society by the EU. NIS 1 initially consisted of 7 essential sectors, but NIS 2 has broadened its scope to include 4 new essential sectors and 7 new sectors under important entities:
Entities are responsible for determining whether their services are within the scope of NIS 2 and have the option to register their organizations under the Member States in which they operate.
As mandated by NIS 1, each Member State designates its own Computer Security Incident Response Team (CSIRT) or an equivalent authority to coordinate incident reporting from entities. NIS 2 now defines more stringent incident reporting procedures and timeframes for organizations. In addition to submitting a full notification report to their Member State’s CSIRT within 72 hours of any major incident, both essential and important entities must issue an early warning within 24 hours of the incident. They must also submit an intermediate report and, within 1 month of submitting the notification report, a final report, or a progress report if the incident is still ongoing.
NIS 2 also puts greater emphasis on supplier relationships and on addressing risks in supply chains. Under the directive, entities are responsible for assessing the cybersecurity practices of their suppliers and service providers and for securing their own supply chains. This means that organizations outside the scope of the directive are still affected and must comply with the requirements of NIS 2 if they provide products or services to registered essential or important entities. Suppliers and service providers will not be supervised by national authorities but by the entities they work with.
One of the most important provisions of the NIS 2 Directive is the personal responsibility delegated to the members of an organization’s management. NIS 2 requires the complete involvement of boards and executive leadership in cybersecurity risk management activities. This includes overseeing risk assessments, approving risk treatment plans, and undergoing cybersecurity training. For essential entities, failure to comply can result in corporate managers being held personally liable for security incidents and stripped of their authority to exercise leadership functions.
Lastly, under NIS 2, organizations are subject to hefty fines and stricter oversight from national authorities. In case of non-compliance, important entities face penalties amounting to €7 million or 1.4% of their total revenue for the previous year, while essential entities face up to €10 million or 2% of their total annual turnover. Authorities are also permitted to conduct on-site and off-site inspections, regular and ad hoc audits, random checks, and security scans, and are granted full access to an organization’s data and any other information or evidence relating to its cybersecurity implementation.
The 6clicks platform can equip your organization with AI-powered capabilities and cybersecurity risk management solutions to fast-track your NIS 2 compliance.
Start your compliance journey by getting access to the NIS 2 Directive. The 6clicks Content Library is where users can freely download the NIS 2 framework among other standards, regulations, templates, and more. Then, quickly analyze and assess your compliance with NIS 2 using the compliance mapping capability of Hailey, 6clicks’ AI engine.
6clicks’ IT Risk Management solution enables you to store and organize your risks, perform risk assessments, and create risk treatment plans, all within one powerful risk register to streamline your risk management efforts. You can also onboard, assess, and manage risks and issues associated with your suppliers and service providers using 6clicks’ Vendor Risk Management and Issue & Incident Management features.
Meanwhile, you can utilize 6clicks’ custom incident submission forms, automated workflows, and integrated task assignment capabilities to optimize and align your incident reporting and response processes with the requirements of NIS 2.
Finally, 6clicks’ Policy & Control Management capability allows you to enforce and monitor security controls to comply with the security measures mandated by the NIS 2 Directive.
Learn the various ways 6clicks can benefit your organization by scheduling a consultation with one of our experts.