NIS2: Are You Ready for the EU’s New Cybersecurity Regulations?

NIS2 is the new EU regulation aimed at ensuring organizations strengthen their digital security approach. But what exactly is it, who does it apply to, and how should your company respond? Let’s break it down!

What is NIS2?
NIS2 stands for the Network and Information Security Directive 2, and as the name suggests, it’s a follow-up to the original NIS directive from 2016. This version has stricter requirements and a broader scope, with the goal of protecting critical infrastructure and essential services from cyber threats. Think of it as GDPR, but for IT security.

Who is affected?
In short: far more organizations than before. While NIS1 primarily targeted the most obvious sectors such as energy, transportation, and healthcare, NIS2 expands to include more industries, such as:

  • Medium and large companies in IT, finance, water supply, waste management, and much more.
  • Companies that provide services or products to critical infrastructure.

This means that even if you’re not directly managing the power grid, you may still need to comply with the regulations if you’re part of the chain.

What is required of you?
NIS2 imposes requirements on everything from incident reporting to risk management and supplier security. Here are some things to consider:

  1. Assess your IT security: What do your current procedures look like? Are you aware of your risks?
    Tip: Make an inventory of all the systems and services you use, and analyze their security level.
  2. Train your staff: Security isn’t just an IT issue – everyone in the company must understand their role.
    Tip: Create simple training sessions that explain the most common threats, such as phishing or weak passwords.
  3. Secure your suppliers: Do your partners and suppliers maintain the same high security standards as you?
    Tip: Require your suppliers to comply with standards like ISO 27001 or similar.
  4. Incident reporting: Under NIS2, you have a limited time to act on an incident and report it to the authorities.
    Tip: Have a written, tested incident response plan so that detection, handling, and reporting do not start from scratch when an incident occurs.
What happens if you don’t follow the regulations?
Just like GDPR, non-compliance can be costly. Penalties can be as high as 10 million euros or 2% of the company’s global turnover. No pressure, but it might be time to take action.

How do you get started?
NIS2 may feel like a major challenge, but with the right strategy, you can see it as an opportunity to strengthen your operations. Start by reviewing your current security level and identifying weaknesses. Consider implementing and certifying against ISO 27001, which provides a robust foundation for security and compliance, and develop clear security routines and policies that meet NIS2 requirements. Finally, it’s crucial to have incident response plans and to test them regularly so you are prepared for unexpected events.

Here’s a clear and structured starting point:

  1. Analyze relevance: Identify if your company is affected and which services are critical.
  2. Mapping: Conduct an analysis of your IT/OT infrastructure and risks.
  3. Assign responsibility: Establish a team that owns the NIS2 work and train staff.
  4. Gap analysis: Identify the differences between your current state and NIS2 requirements.
  5. Action plan: Prioritize actions, budget, and plan resources.
  6. Technical measures: Improve incident and crisis management as well as access control.
  7. Reporting system: Implement mechanisms to report incidents to authorities.
  8. Follow-up: Continuously monitor and update processes.