Framework for implementing the NIS 2.0 directive
-
The NIS 2 Directive (EU 2022/2555) aims to strengthen cyber security in the European Union by introducing strict standards for the security of networks and information systems in critical sectors. Here we present the main NIS 2.0 rules and requirements that must be met to ensure your company's compliance with the directive.
-
NIS 2.0 applies to entities in both core sectors and important sectors as defined in the directive. These entities include, but are not limited to:
Main services:
• Energy (e.g. electricity, gas, oil)
• Transport (e.g. air, rail, road, sea)
• Banking and financial services
• Healthcare (e.g. hospitals, pharmacies)
• Drinking water supply
• Digital infrastructure (e.g. cloud services, data centers)
• Public administration
Digital Service Providers:
• Cloud computing services
• Online markets
• Search engines
!! Your actions: Identify all the sectors in which your company operates and check whether they fall within the scope of the NIS 2.0 directive (core or important entities) by assessing which internal and external services are affected by the directive.
-
NIS2 requires companies covered by the directive to implement effective risk management and security measures.
The main requirements include:
- Cybersecurity risk assessment - should be carried out regularly, taking into account the likelihood and impact of potential threats.
- An internal risk management framework that organizations must implement, including cyber security measures, incident response plans and protection of critical data.
- Implementation of security measures, appropriate technical and organizational, to manage the identified risks, which include: encryption of sensitive data; multi-factor authentication (MFA) for access to critical systems; access control to prevent unauthorized access; network segmentation to minimize damage in the event of a breach.
- Supply chain and third-party risk management - You must be confident that cyber security also applies to supply chain partners and service providers, through third-party risk assessments and compliance with NIS 2.0 standards.
-
Under NIS 2.0, reporting of cyber security incidents must be done in strict time frames and include detailed information about the incident.
The main requirements include:
- Incident Reporting – You are required to notify relevant national authorities and stakeholders of any significant cyber security incident within 24 hours of discovery and provide regular updates and a final report detailing the impact, cause and resolution of the incident.
- Incident Response Plan – An incident response plan should be created that covers procedures for detecting, responding to, containing and recovering from cyber incidents. Regularly review and update this plan through simulations and training exercises.
-
NIS 2.0 requires clear governance structures to ensure compliance and continuous improvement of cybersecurity.
The main requirements include:
- Cybersecurity governance: Cybersecurity should be a strategic priority at the highest levels of the organization, meaning that senior management, such as the CEO, should be accountable for cybersecurity policies and measures. It is also good practice to appoint a cybersecurity officer to oversee the implementation of NIS2 and lead security efforts.
- Monitoring compliance by conducting ongoing internal and external audits of cybersecurity practices to verify compliance with NIS 2.0.
- Maintain constant contact with national cyber security authorities and share information on threats, incidents and best practices.
-
NIS 2 establishes significant penalties for non-compliance, including fines for non-compliant companies.
!! Your actions:
• Apply the necessary security measures and meet the reporting deadlines.
• Report incidents and implement risk management practices.
• Train staff in accordance with NIS 2.0.
• Document all compliance efforts to have clear evidence in case of regulatory audit or incident.
-
Compliance schedule
Member States have until 17 October 2024 to implement NIS 2.0 into their legislation, and your company must comply with the directive's requirements by that date to avoid significant penalties.
-
Documentation and Accountability - Ensure you have detailed documentation of all processes and actions related to meeting NIS 2.0 requirements. Document risk assessments, security measures, incident reports, third party assessments and governance structure. Ensure the provision of annual or ad-hoc compliance reports to internal and external stakeholders.
-
The NIS 2.0 Directive introduces important changes to improve cyber security in critical sectors in the European Union. Meeting these requirements will not only ensure compliance with the directive, but also significantly improve your organization's cyber security. This framework provides the basis for creating a comprehensive cybersecurity program that meets EU standards.
In conclusion, we would like to note that the services offered by Cybernetics can provide your organization with a solution to meet the requirements of the NIS 2.0 directive. From risk identification and implementation of security measures to training and consultations, our team of experts will be available to ensure your compliance with all regulatory requirements. We will help you achieve the necessary level of security, making your organization visible as reliable and secure during audits and inspections.