
NIS2: Understanding the Impacts and Implications for Businesses

NIS2: an opportunity for innovative companies? Learn how the NIS2 directive will strengthen the resilience of critical infrastructure and promote the competitiveness of businesses.

Written by Ballpoint May 12, 2024 Good Practices
Tags - #directive

At a time when cyberattacks are becoming more frequent and more sophisticated, cybersecurity is a critical challenge for businesses. Facing heightened risks to business continuity, reputation, data protection and customer security, the European Union has updated its legislative framework with the NIS2 directive, which replaces the original NIS (Network and Information Security) directive, to strengthen protection against these threats.

The NIS2 directive aims to establish a high common level of cybersecurity across the EU by imposing binding requirements on the entities it classifies as essential or important. It keeps the sectors already covered by NIS (energy, transport, banking, financial market infrastructures, health, drinking water and digital infrastructure) and extends the scope to sectors that were not, including postal and courier services, waste management, chemicals, food, manufacturing, public administration and space, marking a significant step in the fight against cyber threats.

In this article, discover the essence of the NIS2 directive, its impact on businesses, the key obligations it imposes, as well as strategies to comply effectively and protect your business from cyber threats.

What is NIS2 and how does it concern businesses?

Context and evolution of the NIS directives

Adopted in July 2016, the NIS (Network and Information Security) Directive, Directive (EU) 2016/1148, was the first EU-wide legislative initiative dedicated to cybersecurity. Its goal was to establish a high common level of security of network and information systems across the Union by requiring operators of essential services and digital service providers to implement security measures and report incidents. However, Member States transposed it unevenly: the criteria for identifying operators of essential services, the security requirements and the reporting obligations differed from one country to another, leading to fragmentation in the internal market.

In response to the challenges posed by increasing digitalization and the rise in cyberattacks, the European Commission proposed replacing the NIS Directive with NIS2 in December 2020. The new directive, Directive (EU) 2022/2555, was adopted in November 2022 and entered into force on 16 January 2023. It aims to strengthen security measures, bring supply chain security into scope, streamline incident notification procedures, and introduce stricter supervision and sanctions across the EU. Member States have until 17 October 2024 to transpose it into national law.

Why is NIS2 crucial for businesses?

NIS2 is crucial for businesses because it ensures strong and consistent cybersecurity across the EU, an essential condition for their competitiveness, growth, and resilience against cyber threats. Cyberattacks can cause enormous losses for businesses, affecting their operations, reputation, data protection, and customer security. According to Cybersecurity Ventures, global ransomware damage costs were predicted to reach $20 billion in 2021, with a business hit by ransomware every 11 seconds.

Furthermore, NIS2 plays a key role in establishing a more integrated and harmonized digital single market within the EU by mitigating cybersecurity gaps between Member States. This offers businesses a clear legal framework, reduces administrative costs, and increases consumer and partner trust. The directive also promotes cooperation and information sharing between national authorities and businesses, as well as among businesses themselves, which is crucial for preventing and managing cybersecurity incidents.

Scope and affected sectors

The scope of NIS2 is broader than that of the NIS Directive. Rather than distinguishing operators of essential services from digital service providers, NIS2 divides in-scope organizations into two categories, essential entities and important entities, which are subject to the same security and reporting obligations but to different supervisory regimes and fine ceilings. Annex I of the directive lists the sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (including cloud, data centre and DNS providers), ICT service management, public administration and space. Annex II lists other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing (including medical devices, electronics and vehicles), digital providers such as online marketplaces, search engines and social networks, and research organizations.

Size, not only sector, determines whether an organization is in scope. As a rule, the directive applies to medium-sized and large enterprises in these sectors, that is, those with at least 50 employees or an annual turnover or balance sheet above 10 million euros. Large entities (at least 250 employees, or an annual turnover above 50 million euros or a balance sheet above 43 million euros) active in an Annex I sector are essential entities; medium-sized entities in Annex I sectors and medium-sized or large entities in Annex II sectors are important entities. Certain entities are in scope regardless of size, among them providers of public electronic communications networks or services, qualified trust service providers, top-level domain name registries and DNS service providers, as well as any entity a Member State identifies as the sole provider of a service essential to critical societal or economic activities. Public administration entities acting in the areas of national security, public security, defence or law enforcement are explicitly excluded.

The main obligations of businesses under NIS2

Cybersecurity Measures to Implement

The NIS2 Directive (Article 21) requires in-scope entities to take appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of the network and information systems they use, taking into account the entity's exposure to risk, its size, and the likelihood and severity of incidents. The approach must be all-hazards and cover technical, organizational and human aspects. It must also address supply chain security, including the security-related aspects of relationships with direct suppliers and service providers, which in practice means assessing their security posture and contractually requiring minimum security standards. Guidelines, standards and best practices published by competent authorities, such as ANSSI in France and ENISA (the European Union Agency for Cybersecurity), serve as a reference.

Incident Notification and Risk Management

The NIS2 Directive (Article 23) obligates entities to notify their CSIRT or competent authority, without undue delay, of any significant incident, meaning one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or is capable of affecting others by causing considerable material or non-material damage. The notification is staged: an early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to result from unlawful or malicious acts and whether it could have cross-border impact; an incident notification within 72 hours, with an initial assessment of severity and impact and any indicators of compromise; intermediate status updates on request; and a final report no later than one month after the incident notification, describing the severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and any cross-border impact. Where appropriate, entities must also inform the recipients of their services of significant incidents likely to affect them adversely. Close collaboration with competent authorities and CSIRTs is crucial for managing these incidents and minimizing their impact, and risk management procedures and plans must be developed and revised regularly.

Potential Sanctions for Non-Compliance

Failure to comply with NIS2 obligations exposes entities to administrative sanctions that Member States must make effective, proportionate and dissuasive, with minimum fine ceilings harmonized by the directive. For essential entities, fines may reach at least 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; for important entities, at least 7 million euros or 1.4% of worldwide annual turnover, whichever is higher. Beyond fines, competent authorities can issue warnings and binding instructions, order the public disclosure of non-compliance and, for essential entities that fail to remedy a breach, temporarily suspend a certification or authorization for the relevant services or temporarily prohibit the persons responsible for the entity, such as the CEO or legal representative, from exercising managerial functions. Members of management bodies that fail to approve and oversee the required measures can also be held liable under national law.


How can businesses prepare for NIS2?

Assessment of Compliance with NIS2

To prepare for NIS2, businesses must first determine whether and how the directive applies to them: which services they provide, which Annex I or Annex II sectors those services fall into, whether they meet the size thresholds, and whether they qualify as an essential or an important entity. Member States must draw up a list of essential and important entities by 17 April 2025, and in-scope entities must provide the competent authority with the identification details national law requires. An audit of the current cybersecurity posture comes next: it examines risks, vulnerabilities, existing measures and gaps against the Article 21 requirements. The final step is an action plan to close those gaps, setting out goals, priorities, resources, timelines and performance indicators.

Strategies for Implementing Security Measures

To meet NIS2 requirements, businesses must adopt security measures proportionate to their context and risk level, referring to the standards and guidance published by competent authorities such as ANSSI and ENISA. Article 21 of the directive lists the minimum areas these measures must cover: policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security, including the security of relationships with direct suppliers and service providers; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems. Together these span the technical, organizational and human aspects of security.

Roles and Responsibilities Within the Company

Effective implementation of NIS2 requires the involvement of all stakeholders within the company, with clearly defined roles and responsibilities. NIS2 (Article 20) makes the management body of an essential or important entity responsible for approving the cybersecurity risk-management measures, overseeing their implementation and following training that enables it to identify risks and assess their impact; its members can be held liable for infringements. Below that level, it is essential to appoint a cybersecurity officer to coordinate, supervise, communicate and report. Training and awareness of cybersecurity issues and best practices for employees, managers, executives and partners are crucial. Finally, establishing a relationship of trust and cooperation with competent authorities, CSIRTs and other entities involved in NIS2 is fundamental for information exchange, incident reporting, and access to advice and support.


Conclusion

NIS2 is the latest EU directive on cybersecurity, imposing stricter and more harmonized requirements on the essential and important entities it covers. Its goal is a uniform and high level of cybersecurity within the EU, which is fundamental for the competitiveness, growth, and resilience of businesses against cyberattacks. To comply with NIS2, businesses must adopt appropriate security measures, report significant incidents within the prescribed deadlines, manage risks, and collaborate with competent authorities. They must also anticipate the sanctions that non-compliance can bring, including management liability.


If you are seeking support in your efforts to comply with NIS2, Ballpoint, a cybersecurity specialist, is at your service. Ballpoint offers personalized solutions designed specifically to meet the requirements of your sector, business size, and your unique needs. With Ballpoint, you’ll benefit from an accurate assessment of your compliance level, the implementation of necessary security measures, training and awareness programs for your teams, and proper incident management. Ballpoint is committed to ensuring the optimal security of your networks and information systems, thus strengthening the trust of your customers and partners.

Don't miss out on this opportunity—contact Ballpoint today for tailored and high-quality cybersecurity support.