The NIS2 directive: what it is and how it might impact your organisation
As the EU puts cybersecurity at the top of the priority list with the approval of the NIS2 legislation, organisations across a wide range of essential industries and sectors will be faced with increased requirements for strengthening their cyber resilience.
Back in 2016, the Network and Information Security (NIS) Directive was the first piece of EU-wide legislation to tackle cybersecurity. Its goal was to achieve a ‘high common level of cybersecurity’ across all member states. Fast-forward to 2022. With the pandemic accelerating digitisation across multiple sectors, fragmented national implementation of the original directive, and a growing threat from cyberattacks, the EU has taken steps to boost its collective resilience, replacing the original directive with NIS2.
So what do we know about NIS2? How does it differ from the previous directive? And how might it impact risk management and reporting obligations for your organisation?
What is the NIS2 directive?
The incoming directive – Network and Information Security 2 (NIS2, Directive (EU) 2022/2555) – is a revised set of cybersecurity rules for EU member states. It was adopted on 28 November 2022 and entered into force on 16 January 2023. Because it is a directive rather than a regulation, it does not apply directly: member states had until 17 October 2024 to transpose it into national law, at which point the original NIS Directive is repealed and national authorities can begin enforcing the new requirements.
The aim of the revised directive is to harmonise cybersecurity requirements and the implementation of cybersecurity measures across all EU member states. To that end, it describes the minimum requirements for regulatory frameworks, provides mechanisms for effective cooperation between authorities, and includes remedies and sanctions to support enforcement.
Another of its overarching goals is to increase the long-term cybersecurity of Europe. To achieve this, NIS2 brings more organisations under cybersecurity regulation. Some of the key sectors covered by the new legislation include transport, health, energy, and digital infrastructure.
The most significant change is for medium-sized and large organisations providing services in these sectors, which are classified as either essential or important entities. Both categories must meet the same baseline security and reporting obligations, but essential entities face stricter supervision. These organisations are singled out because they are frequently targeted by cybercriminals and because a successful attack on them has knock-on effects well beyond the victim.
Important changes under NIS2
Under the NIS2, there will be a number of important differences from the first directive. Here’s a summary of the headline changes which could affect your organisation:
- The list of sectors and activities subject to cybersecurity regulation has been expanded, with clear remedies and sanctions to ensure enforcement. Maximum administrative fines are set at €10 million or 2% of global annual turnover for essential entities and €7 million or 1.4% for important entities, whichever is higher.
- All medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.
- NIS2 will apply to public administrations at a central and regional level. Member states will decide whether it applies at a local level as well.
- The new directive has been aligned with sector-specific legislation, including the regulation of digital operational resilience for the financial sector (DORA).
- It will streamline reporting obligations to avoid over-reporting – minimising the administrative burden on the organisations covered. Significant incidents follow a staged timeline: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
- A voluntary peer-learning system will aim to increase mutual trust and learning from good practices and experiences within the EU.
Impact on risk management and reporting
As with other EU directives, NIS2 sets out the compulsory outcomes – in this case, cybersecurity risk management measures and reporting obligations – and leaves it to each organisation to decide how to implement them within its existing functions and processes. The directive requires an ‘all-hazards’ approach proportionate to the organisation’s exposure to risk, and it places accountability on management bodies, who must approve the measures and oversee their implementation. The minimum required measures are:
- Risk analysis and security policies
- Incident handling, including detection, response and the reporting of significant incidents
- Business continuity and crisis management
- Supply chain security
- Network and system security, including secure acquisition, development and maintenance, and vulnerability handling and disclosure
- Auditing and review, including policies and procedures to assess the effectiveness of the measures taken
- Governance and personnel, including cyber hygiene training, human resources security, access control and asset management
The full extent of the impact, in terms of the number of organisations that will fall within scope once member states have transposed NIS2, is not yet known. What we do know is that cyber risk is a key challenge facing every sector, and addressing it requires ever-stronger risk and incident management processes.
As a provider of document and process management software in Europe, WorkPoint is poised to ensure our product and services comply with the incoming legislation. Not only that, we’re also confident that our solutions will help our end-customers meet their regulatory requirements, particularly when it comes to document management and information security.
We know that NIS2 will affect a range of our customers, and we are keeping our eyes on how NIS2 will be implemented. Information security is a priority for WorkPoint both as an organisation and as a product – and we strongly believe that our solutions can be a support for our customers in their journey towards compliance with NIS2.
Stay up to date with the latest developments on WorkPoint and the NIS2 directive – as well as other news – by reading the WorkPoint blog.