EU NIS2 Directive: Comply with requirements
With the NIS2 Directive, mandatory security measures and reporting obligations will apply to many companies from October 2024 – even those not previously affected.
The NIS2 Directive (Network and Information Systems 2 Directive) is a comprehensive piece of EU legislation designed to enhance cybersecurity across member states. From October 2024, it will replace the original 2016 NIS Directive, extending the scope of application to more critical sectors and setting higher security requirements. In particular, digital service providers and platforms are now also included in the scope of NIS2, which significantly extends the reach of the directive.
Is your company affected by the NIS2 Directive?
Topics the NIS2 Directive covers:
– Risk analysis and security policies for information systems
– Incident handling
– Business continuity management
– Backup management
– Crisis management
– Supply chain security
– Security measures for the acquisition, development, and maintenance of network and information systems
– Vulnerability management
– Evaluation of the effectiveness of risk management measures
– Security procedures for employees with access to sensitive or important data
– Cybersecurity training and awareness
– Concepts for the use of cryptography
– Access control and asset management
– Use of multi-factor authentication (MFA) or continuous authentication (SSO)
– Secured voice, video, and text communication and, if necessary, secure emergency communication systems
– Implementation of an information security management system
To get an overview of all topics, you can download our NIS2 checklist.
What are the requirements of the NIS2 Directive?
Reporting obligations for cyber incidents: What should you report?
It’s crucial to know which cyber incidents need to be reported, to whom, and in what timeframe. For example, an initial early warning must be sent to the country-specific security authority within 24 hours of a suspected incident. If the suspicion is substantiated or confirmed, a report on the security incident must follow within 72 hours. Lastly, a final report must be sent no later than one month after notification of the confirmed incident.
The final report must include the following:
- Incident response report
- Discussion of the exploited vulnerability
- Remedial measures taken and ongoing
- Area of impact
If the incident is not resolved within a month, organisations are required to deliver a progress report instead. In this case, the final report should follow no later than one month after the security incident has been dealt with.
As you can see, these deadlines are extremely tight. To save valuable time in the event of an incident, we recommend an annual ‘incident response emergency drill’ and a framework contract for incident response activities. This enables the response team to familiarise themselves with your systems in ‘peacetime’. It also allows you to define contact people, crisis teams and decision-makers in advance and familiarise them with important processes in the communication chain.
Not sure what to do next? Our experienced consultants can help you.
The directive is extensive, with many considerations and possible solutions. Airbus Protect has a team of experts who can support you in making NIS2 compliance less of a headache.
Our experts use purpose-built methodologies and frameworks and tailor our services to your needs. These include:
- Inventory
- NIS2 audit and gap analysis
- Advice on cost-effective solutions
- Planning and organisation of the next steps
- Support with implementation
- Ongoing support and optimisation
Do you need support in implementing the NIS2 directive? Contact us!
Get in touch today to discover how we can support you