NIS 2 Directive and Cybersecurity of European Companies

The EU NIS 2 Directive, which has been under discussion for the past few years, finally came into force in early 2023. It introduces several changes to the previous NIS Directive, allowing European Union member states to better navigate a world of accelerated digital transformation. What is the NIS 2 Directive? How was it introduced? To what extent does it impact the cybersecurity of European companies? Which businesses need to comply with the new regulations? Find out in the article.

Origins of the NIS 2 Directive

In 2016, the European Parliament adopted the NIS Directive, which was the first European law concerning cybersecurity. The directive required member states to implement appropriate regulations in their national legislation to ensure the security of digital networks and information systems.

In 2020, the world faced a series of changes primarily due to the COVID-19 pandemic. The accelerated digitization and increased reliance on online services led to a rise in the number and types of cyberattacks. This necessitated updating the NIS Directive to align with the new reality and provide more effective assistance in dealing with the consequences of cyber incidents. Hence the introduction of the NIS 2 Directive.

NIS 2 Directive and Security Policy and Risk Analysis

The NIS 2 Directive is a directive on measures for a high common level of cybersecurity across the European Union. It not only expands upon the NIS Directive but also forms an important part of the Shaping Europe's Digital Future cybersecurity strategy. It focuses on the protection of economic data, thus strongly influencing the economies of member states, including the functioning of companies.

The NIS 2 Directive extends the scope of cybersecurity provisions to new entities and sectors. Its aim is to improve European cyber resilience, enhance risk analysis, and streamline incident response systems at all levels: from private and public organizations to state authorities and the entire European Union.

Impact of the NIS 2 Directive on the cybersecurity of European companies

The NIS 2 Directive extends the list of sectors covered by the NIS Directive, adding telecommunications and data providers, the food industry, data center providers, social media platforms, freight and transportation companies, waste management and sewage companies, and economically significant manufacturing companies. These entities must adapt to the newly implemented regulations, manage risks effectively, and prioritize their security policies.

Organizations covered by the NIS 2 Directive are divided into key entities (such as banking, energy, transportation, healthcare, and public administration) and significant entities (including food, postal and courier services, waste management). Companies operating in key sectors must ensure an appropriate level of security measures and notify the relevant state authorities of any incidents. The requirements of the directive also apply to key digital service providers, including cloud services, online trading platforms, and search engines.

The provisions of the NIS 2 Directive increase the readiness of member states and accelerate responses to cybersecurity incidents. They focus on supporting and fostering cooperation among all EU countries in terms of information exchange and establishing cybersecurity strategies. They require the implementation of specific risk management solutions, including risk analysis and IT system security, business continuity plans, and incident management policies.

Requirement to implement changes resulting from the NIS 2 Directive

The NIS 2 Directive was officially announced in December 2022 and came into force on January 16, 2023. Within 18 months of the directive's adoption, the key organizations covered by it must comply with its guidelines. Failure to do so will result in a financial penalty: €10 million or 2% of the total annual turnover, whichever is higher. For significant entities, the penalty is €7 million or 1.4% of the total annual turnover.

If a company employs fewer than 250 employees or has an annual turnover of less than €50 million, it may be exempt from implementing the changes. However, a company that forms part of the supply chain of larger entities covered by the directive should still consider implementing them.

How can you ensure that your company maintains a high level of cybersecurity? Conduct a free IT security audit that will uncover any vulnerabilities in your security measures. Additionally, regularly visit our blog and follow our fan page or LinkedIn profile, where we share valuable information about online security.

See you!

Sagenso Team
