What is the NIS2 Directive?

NIS2 (Directive (EU) 2022/2555) is the second iteration of the EU's Network and Information Security (NIS) directive and the EU's principal cross-sector cybersecurity law. It is a directive, not a technical standard: it sets obligations that each member state must transpose into national law. NIS2 updates the original NIS directive by expanding the sectors in scope, tightening the security and reporting requirements, and strengthening enforcement. Member states had until October 17, 2024 to transpose NIS2, and the original NIS directive is repealed from October 18, 2024, so organizations in scope are expected to comply from Q4 2024 under their national implementing laws.



The Importance of the NIS2 Directive

NIS2 creates a common baseline of cybersecurity requirements for organizations that provide essential or important services in EU member states. By doing so, it reduces the risk that a cyberattack against one of these organizations disrupts services that EU citizens and the wider economy depend on.

Sectors Affected By The NIS2 Directive

The NIS2 directive sorts in-scope organizations into essential entities and important entities, based primarily on the sector they operate in and their size. Sectors of high criticality, whose larger organizations are classified as essential entities (EE), include:

  • Energy
  • Transportation
  • Finance
  • Public administration
  • Healthcare
  • Space
  • Water supply
  • Digital infrastructure

NIS2 also covers a second group of critical sectors whose organizations are generally classified as important entities (IE), such as:

  • Postal services
  • Waste management
  • Chemicals
  • Research
  • Food
  • Manufacturing
  • Digital providers

In addition to sector, NIS2 applicability depends on the size of the organization, using the EU's standard enterprise-size thresholds. In general, an organization in a high-criticality sector is an EE if it is a large enterprise: at least 250 employees, or an annual turnover above 50 million euros together with a balance sheet total above 43 million euros. Organizations in either group of sectors that are at least medium-sized (at least 50 employees, or an annual turnover or balance sheet total above 10 million euros) are generally IEs. However, these rules vary by sector. Certain digital infrastructure providers (for example DNS service providers, top-level domain name registries, and qualified trust service providers) are in scope regardless of size, and a company that is the sole provider of a particular service within an EU member state may likewise be classified as an EE or IE regardless of size.

What are the NIS2 Requirements?

NIS2's high-level organizational requirements fall into four areas:

  • Risk Management: Organizations must take appropriate and proportionate measures to manage their cyber risks, covering incident handling, supply chain security, network security, access control, and the use of cryptography and encryption.
  • Corporate Accountability: The management body is accountable for the organization's security; it must approve and oversee the risk-management measures, receive training, and can be held liable for infringements.
  • Reporting Obligations: NIS2 defines a staged reporting process for significant incidents: an "early warning" to the competent authority or CSIRT within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month.
  • Business Continuity: Affected organizations must have business continuity strategies in place, including backup management, disaster recovery plans, emergency procedures, and a crisis-management team.

Additionally, Article 21 of the directive specifies ten minimum measures that every in-scope entity must implement:

  1. Policies on risk analysis and information system security, backed by regular risk assessments.
  2. Policies and procedures for the use of cryptography and, where appropriate, encryption.
  3. Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.
  4. Human resources security, access control policies, and asset management, so that access to sensitive systems and data is controlled and accountable.
  5. Multi-factor authentication (MFA) or continuous authentication, and secured voice, video, and text communications, where appropriate.
  6. Policies and procedures to assess the effectiveness of the cybersecurity risk-management measures put in place.
  7. Incident handling, covering detection, response, and recovery.
  8. Basic cyber hygiene practices and cybersecurity training for employees.
  9. Business continuity and disaster recovery, including backup management and crisis management.
  10. Supply chain security, including the security-related aspects of the organization's relationships with its direct suppliers and service providers.

Penalties for NIS2 Violations

NIS2 gives national supervisory authorities several enforcement tools against organizations that fail to comply, including:

  • Non-Monetary Measures: Authorities may issue warnings, order organizations to remedy deficiencies within a set deadline, issue binding instructions, require a security audit, order the organization to implement audit recommendations, and order it to inform affected customers of a threat.
  • Administrative Fines: The maximum fine depends on the type of entity. EEs face fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. IEs face fines of up to 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher.
  • Management Liability and Other Sanctions: NIS2 makes management bodies personally liable for infringements of the risk-management obligations. For essential entities that ignore enforcement orders, authorities may temporarily suspend certifications or authorizations for the relevant services and temporarily bar individuals with managerial responsibilities, such as the CEO or legal representative, from exercising those functions. Authorities may also order an organization to make aspects of its non-compliance public. NIS2 itself does not create criminal offences; any criminal sanctions are a matter for member-state law.

Ensure that Your Business is in Compliance with NIS2 with IGS

The NIS2 directive is designed to limit the risk that cyberattacks against essential and important entities within the EU disrupt the services they provide to EU citizens. This update to the original NIS directive expands its scope, sets updated security and reporting requirements, and gives regulators the power to levy more stringent penalties against organizations that fail to comply.

Achieving NIS2 compliance by the October 2024 transposition deadline is essential for all affected organizations and requires a robust cybersecurity program. Check Point supports companies working toward this and other cybersecurity goals through its Infinity Global Services program.

Check Point's NIS2/DORA Readiness Assessment is an on-site assessment by senior Check Point consultants of an organization's existing compliance with the NIS2 directive. Based on this assessment, Check Point provides guidance on how the organization can close identified security gaps and achieve compliance with the directive. For more information on how to achieve your NIS2 compliance goals before the deadline, contact us.
