What is the NIS2 directive?

The NIS2 directive is an update and expansion of the NIS directive. Its purpose is to strengthen cybersecurity in the EU by increasing resilience to, and the capacity to respond to, cyber threats across vital sectors and digital services.

What does the NIS2 mean?

NIS2 stands for Network and Information Systems Directive 2. It introduces stricter security requirements and reporting obligations for a broader range of companies than the original NIS, including essential service providers and digital platforms. It is up to each member state to refine the directive and implement it in its national legislation.

Who is covered by the NIS2 directive?

The expansion covers several sectors, including energy, transport, banking, healthcare, digital infrastructure and public administration, as well as providers of public digital services and essential digital platforms (e.g. social networks and cloud services). Note that as a subcontractor to these industries, you may also be subject to the directive's requirements.

When does the NIS2 directive come into effect?

The original deadline for the EU's implementation of the NIS2 Directive was set for October 17, 2024. However, delays have affected Denmark, where the Ministry of Defence now expects the relevant legislation to come into effect on January 1, 2025. This delay is due to a postponement in presenting the NIS2 and CER legislative proposals, as announced on the Ministry of Defence's website on March 18, 2024.

What minimum requirements does the NIS2 directive set for your organisation?

Management commitment: Requirement for leadership/management to engage directly in cybersecurity management.

Risk analysis and assessment: Extensive and regular assessment and management of cybersecurity risks.

Incident reporting: Reporting cybersecurity incidents to national authorities.

Security measures: Security measures to protect networks and information systems.

Cyber hygiene and awareness: Basic security measures such as regular system updates, strong passwords, multi-factor authentication, and security awareness training.

Information security policy: Implementation of an information security policy based on the company's specific circumstances.


Standards

A good starting point for achieving compliance is working according to the ISO/IEC standards, as they support the NIS2 directive's goal of improved cybersecurity.

ISO/IEC 27001 focuses on the overall structure of the information security management system.
ISO/IEC 27002 provides guidance on security practices and controls.
ISO/IEC 27005 helps identify, assess, and address security risks.

These standards help organisations implement effective security measures and risk management, which is essential for meeting NIS2 requirements.

DBI can help you meet the new legal requirements

Specific examples of our services:
