What NIS2 means for companies in Europe

NIS2 was decided and EU countries have to transpose the directive into national law by October 2024 - and companies must of course prepare themselves. NIS2 is the European framework for operators of critical infrastructures and defines minimum cyber security standards in the EU.

The European Union (EU) has adopted the NIS2 Directive, which is part of the EU strategy to shape Europe's digital future in the field of IT security and is a direct extension of the 2016 NIS Directive, the first IT security law at EU level.

Background for NIS2

The background to the new directive is a dynamic threat landscape that is increasingly affecting corporate networks and the recognition that the first NIS directive was implemented differently in the individual EU member states. Therefore, the EU wants to create a more unified approach to protecting sectors and supply chains affecting critical infrastructure (KRITIS), as a large-scale cyber attack could have a huge impact on the economy of each individual Member State, but also on the rest of the Union. For example, if a country's national utility company goes offline for a short or long period, electricity prices will increase and since electricity is traded on a European exchange, prices will increase across Europe.

What to expect from the member states

Unlike the GDPR directive, which protects citizens' personal data, the NIS2 directive aims to protect economic data. As part of the new legislation, the member states must, among other things, draft a national IT security strategy and a national law. This is intended to set requirements for risk management and reporting by companies that fall under the NIS2 directive. In addition, a contact point is to be set up at national level.

Affected Institutions

In addition to the sectors already included in the NIS Directive, the new NIS2 covers, among others, the food industry, freight and shipping companies, telecom and data providers, social media platforms and data center providers, companies active in waste and wastewater management, and manufacturing companies that are important to the country's economy.

The companies covered by the directive are divided into two categories: essential companies (e.g. telecom companies, utilities and banks) and important companies (e.g. food companies and freight companies). Companies with fewer than 250 employees or an annual turnover of less than 50 million euros are exempt from the directive. However, due to the concept of supply chain responsibility, it is expected that smaller companies that are suppliers to the sectors covered by the directive will also need to comply with NIS2. The directive also extends to public administrations, but it is currently unclear whether this applies to municipalities, for example.

What to expect for companies

NIS2 places new demands on the companies and organizations concerned. This includes senior management expertise and responsibility, effective risk management, including risk analysis and incident response, and cyber incident reporting and handling. Management is therefore responsible for the company's compliance with the NIS2 guideline and can be held accountable if it fails to do so. The company or organization itself must meet various IT security requirements, including the implementation of security measures and international standards such as ISO27001 or the NIST framework.

Companies that do not comply with the NIS2 directive can be fined up to €2 million or XNUMX percent of total global annual revenue. It is important to note that, as with the GDPR directive, there will be no NIS2 label or list that companies must adhere to. It is up to the organization itself to take measures to ensure compliance with data protection regulations. So while security vendors can help, it is up to the organization to set up the necessary reporting.

Deadline for implementation

At the end of December 2022, the NIS2 directive was passed and made official in the EU. After that, the member states have 21 months to convert the directive into national law. However, that does not mean that companies can wait until then to implement the new measures. After all, organizations affected by the directive must be able to comply with it 18 months after it has been adopted. While this may seem long, we know from experience that it can take a long time for many companies to introduce new measures, procedures, etc. It is therefore important that all affected institutions and companies start immediately.

Advice on getting started

As mentioned, the NIS2 Directive does not provide a checklist or minimum protection technology requirements. It describes what an appropriate level of protection looks like, which can be interpreted in different ways. However, it is reasonable to assume that organizations will at a minimum require firewall and intrusion prevention technologies on their network, as well as endpoint security and the implementation of multi-factor authentication, data encryption, and restricted access.

However, it is important to mention that not everything can be solved with technology. Process and technology are equally important. This means that companies should take stock and create a plan, rather than just looking for a quick fix. With that in mind, there are some first steps you can take. First of all, it is important to check whether your own company falls under the new directive. If this is the case, the following aspects should be considered:

  • Ensure that IT security is a top management priority and that managers are aware of their responsibilities. Start by analyzing your company's needs and creating a roadmap with clear goals and a timeline for implementation.
  • Identify and prioritize your assets including information, processes and systems.
  • Design a framework to build your security on. This could be ISO 27001 or NIST. It is also important that you implement risk management for your assets and processes.
  • Automate as many processes and routines as possible. For example, IT security should always be part of new systems and cloud launches in the future.
  • Consolidate your security functions and solutions. This makes operation easier and safer and reduces personnel costs, among other things.
  • Establish a reporting process that conforms to NIS2 requirements and ensure it can be used to mitigate attacks and threats.

Many organizations have already implemented some measures as they had to meet the original NIS requirements. However, other organizations are having to adapt to a whole new reality. This can be a tall and daunting task, even overwhelming for some. For this reason, everyone is well advised to deal with the requirements and possible measures at an early stage and to consult experts.

More at CheckPoint.com



About Check Point

Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.
