To protect the cyber landscape, the European Union enacted EU-wide NIS legislation in 2016. In 2023 the directive was revised as the NIS2 Directive to further improve cybersecurity and address the ever-changing threat landscape.
What does the NIS2 Directive mean for businesses? Does it only affect companies in the EU, or does it also affect companies outside the EU?
The new NIS2 Directive (the revised "Network and Information Security (NIS) Directive") requires companies and organizations in the critical infrastructure sector and certain digital service providers to achieve a minimum level of security, making the infrastructure as a whole more resilient. The Directive applies to companies in 16 sectors: waste management, wastewater, banking, chemicals, digital infrastructure, energy, financial market infrastructure, healthcare, ICT service management (B2B), food, public administration, postal and courier services, drinking water, processing/manufacturing, transport and space. Among other things, it requires improved risk management and consideration of supply chains and dependencies on partner companies.
Companies based outside the EU may also be affected by the Directive, as they will need to meet certain requirements in order for EU-based companies to work with them.
Specifically, the new NIS2 Directive means stricter oversight measures for national authorities and enforcement requirements.
Companies that fail to comply with the NIS2 Directive will face heavy fines. You should therefore take appropriate measures within your company.
Training is becoming increasingly important, and employees are required to attend training sessions on a regular basis. There are many new and clearly defined rules that your employees need to be trained on, for example the new risk and information security policies, or the requirement that security incidents be reported within a certain period of time.
To ensure that your employees behave correctly and securely, i.e. in accordance with the NIS2 directive, it is important that you train your employees and raise their awareness of cyber threats such as phishing or social engineering techniques. We can help you with our e-learning courses on 18 information security topics or create your own e-learning course to meet your needs.
But before you take any action, such as training, it is important to understand the state of your security culture and develop an action plan based on that assessment. At this point, we recommend our Security Awareness Radar®, which measures awareness, behavior, and culture around information security. Such a measurement reveals weaknesses and opportunities for improvement, for example, if employees cannot easily find policies in the repository system or are unfamiliar with key security processes.
With our Security Awareness Radar®, you get a detailed analysis of your situation and can take targeted measures to make your company fit for the new NIS2 directive and the future.
Do you need our support or do you have a question? Please do not hesitate to contact us.
Subscribe to our newsletter now and never miss information security and security awareness news and blog posts. Subscribe using the form below.