Discover how the Network and Information Systems Directive (NIS2) strengthens cybersecurity across the EU and learn practical steps to prepare your organization.
NIS2 isn't something to panic about - it's mostly about implementing sound, well-known cybersecurity practices. Let's explore what NIS2 is, how organizations can prepare, and how to work effectively with service providers.
So, what is NIS2? Simply put, NIS2 is an updated EU directive that aims to improve the cybersecurity capabilities of member states and the resilience of critical infrastructure. It emphasizes the responsibility of management in dealing with cybersecurity risks, managing supply chain risks and the need to notify authorities of security incidents.
In addition, an organization must have, for example, cybersecurity policies and procedures, an incident handling process (including preparedness for major incidents), security awareness training for employees, identity and access management, and all the good so-called cyber hygiene practices that keep networks and systems secure throughout their lifecycle.
It's estimated that around 160,000 organizations in the EU are directly affected by NIS2 - less than 1% of all organizations. However, the requirements will undoubtedly cascade down the supply chain. As NIS2 is an EU directive, it will be implemented differently in each Member State's legislation, so there may be differences between countries.
Beyond organizations, NIS2 places many responsibilities on national governments, such as adopting a national cybersecurity strategy, designating competent authorities, and establishing a Computer Security Incident Response Team (CSIRT). There are also requirements for cooperation at EU level. However, this article focuses on what it means for your organization.
Preparing for NIS2 starts with understanding whether it applies to your organization. This will depend on your sector and size, so the first step is to identify your competent authority and provide the necessary information, such as IP ranges and contact details.
If you're worried about the NIS2 requirements, it's important to remember that NIS2 doesn't introduce anything groundbreaking - it's based on known good cybersecurity practice. The NIS2 requirements are designed to be proportionate to the level of risk your organization faces. The key is to be effective and adaptable, and to verify that your measures are working.
If your organization is ISO 27001 certified, or already meets other regulatory or customer cybersecurity requirements, you may already be in good shape. However, organizations with less mature security practices have more work to do. It's wise to base your efforts on cybersecurity standards such as ISO 27001, making NIS2 compliance a by-product of good security work.
Think of security compliance as the baseline you need to achieve - it's rarely enough. Conducting a cybersecurity maturity assessment is a great way to identify areas for improvement and ensure you're on the right track.
Tietoevry Tech Services is a key service provider for many organizations that provide vital services to society. Although we have quality and security certifications as well as security assurance reports, we go further by conducting regular cybersecurity maturity assessments, now also with NIS2 requirements in mind. Our aim is not only to comply with legal requirements, but also to achieve a higher level of cybersecurity.
The EU Commission is set to publish an Implementing Act, which will set out more specific cybersecurity requirements for service providers, including a definition of what constitutes a significant incident, which service providers must report to their supervisory authority.
A key to success under NIS2 is understanding the shared responsibility between service providers and their customers. Service providers need to ensure that their platforms and processes are NIS2 compliant. It is important for customers to understand their own cybersecurity risks and requirements, and to specify these requirements in contracts with service providers.
In practice, this means customers should conduct their own risk assessments, understand their regulatory and business requirements, and determine the right level of cybersecurity for their needs. Due diligence on your service providers to understand their cyber capabilities is essential, as is setting contractual requirements based on your own needs.
Remember that cybersecurity is a team effort. Shared responsibility and collaboration between service providers and customers are critical to achieving compliance and improving overall security.
The NIS2 directive is a significant step forward in improving cybersecurity across the EU, but it's not something to be feared. Instead, it should be seen as an opportunity to strengthen your organization's cybersecurity posture. Whether or not your organization is directly affected, the ripple effects will touch every supply chain, making it critical for businesses and their service providers to work together.
By focusing on good security practices, understanding your risks and building strong relationships with your service providers, you will be well on your way to not only complying with NIS2, but also improving your overall cybersecurity capabilities.
Let's use NIS2 as an opportunity to build stronger, more resilient organizations.