Ensuring NIS2 Compliance
What are NIS, NIS2 and CER?
The NIS Directive, officially Directive (EU) 2016/1148, was EU-wide legislation aimed at enhancing the cybersecurity of network and information systems. It applied to public and private entities in certain sectors, including energy, transport, banking, healthcare and digital services, with a focus on critical infrastructure and essential services.
The objective of the directive was to improve the overall resilience of critical infrastructure and services against cyber threats, and to foster cooperation among EU member states and relevant stakeholders. To do so, entities in scope had to:
Implement security measures to manage risk in their network and information systems.
Report significant incidents to national authorities.
Cooperate and share information on cyber security incidents.
Non-compliance could result in administrative fines.
The NIS2 Directive, officially Directive (EU) 2022/2555, was adopted by the European Parliament and the Council in December 2022. Its purpose is to establish a high common level of cybersecurity across the member states, in recognition of the growing cybersecurity threats faced by both the public and the private sector.
The new directive also brings into scope private and public entities that operate in certain sectors and qualify as at least medium-sized enterprises (the size thresholds follow the EU definition of a medium-sized enterprise). Exactly which entities fall in scope is settled in each member state's transposition of the directive. As an example, in Sweden the criteria include:
The main establishment must reside in Sweden.
They have a yearly turnover which exceeds 10 million Euro.
They have 50 or more employees.
Lastly, the CER Directive (the Directive on the resilience of critical entities), officially Directive (EU) 2022/2557, was adopted at the same time as the NIS2 Directive. Its purpose is to enhance the resilience of critical entities within the EU and to improve their ability to withstand and recover from incidents that could disrupt essential services.
Besides each member state defining its own resilience strategy, risk assessment framework and the implementation support it will provide to critical entities, the critical entities themselves will be required to take steps to improve their own resilience. This may involve measures such as:
Implementing robust cybersecurity measures.
Developing business continuity plans.
Investing in backup systems.
These critical entities play vital roles in supporting societal functions, the economy, public health and safety, and environmental preservation. The eleven sectors and subsectors covered by the CER Directive are:
Energy sector, with services such as electricity production and energy storage.
Transport sector, with services such as management and maintenance of airport or railway infrastructure.
Banking sector, with essential services such as taking deposits and lending.
Financial market infrastructure sector, with services such as the operation of trading venues and clearing systems.
Health sector, with distribution, manufacturing, provision of healthcare, and medical services.
Drinking water sector, with drinking water supply and drinking water distribution.
Waste water sector, with wastewater collection, treatment and disposal services.
Digital infrastructure sector, with services such as the provision and operation of internet exchange points, domain name system services, top-level domain name registries, cloud computing and data centre services.
Public administration sector services.
Space sector, with the operation of ground-based infrastructure services.
Production, processing, and distribution of food sector, with the large-scale industrial food production and processing, food supply chain services and food wholesale distribution services.
The CER Directive, together with the NIS and NIS2 Directives, aims to bolster the EU's resilience against a range of threats, including cyberattacks, crime, public health risks and natural disasters.
What should concerned companies do?
To comply with the NIS2 Directive, the latest of the three, which member states must transpose into national law by 17 October 2024, companies need to take several important steps to strengthen their cybersecurity resilience. Below we have listed some key requirements and measures:
Determine applicability: First, does your company fall within the scope of the NIS2 Directive? Each member state's transposition determines the specific requirements you have to comply with, so check the national rules that apply to you.
Risk Management: Implement measures to minimize cyber risk which includes:
Incident management procedures.
Stronger supply chain security.
Enhanced network security.
Access control and encryption.
Accountability: Management must:
Oversee and approve cybersecurity measures.
Be trained in addressing cyber risks.
Understand that non-compliance may result in fines, personal liability and temporary bans from exercising management functions.
Reporting obligations: If a significant incident occurs, the company needs processes in place for prompt reporting to the correct authorities and must adhere to the notification deadlines. NIS2 sets a staged timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
Continuity planning: Companies must develop plans for maintaining business operations during major cyber incidents. Consider:
System recovery.
Emergency procedures.
Crisis response teams.
Prepare for compliance: Determine the impact on the different units within the organisation and evaluate existing security measures and policies. That makes it easier to plan and budget for the coming NIS2 requirements.
Even if your company turns out not to be in scope, it should at the very least implement baseline security measures, including:
Risk assessments and security policies.
Evaluation of security effectiveness.
Policies and procedures for the use of cryptography and encryption.
A standard operating procedure for handling security incidents.
Policies for handling and reporting vulnerabilities in the development and management of systems.
Cybersecurity training and basic computer hygiene.
Security procedures for employees with data access.
Security assessment of suppliers and procedures in place in case of an incident.
A plan for managing business operations during and after an incident.
Multi-factor authentication and encryption.
Even though the member states' strategies, frameworks and support plans may not be fully in place yet, companies must actively prepare for the directive's requirements. No measure taken is in vain.
Borgent and NIS2
Borgent is highly experienced in securing and structuring business data and ensuring compliance throughout your business processes. With our expertise and solutions, you can centralise all your data while maintaining compliance in the tools you already use, such as Microsoft Teams, Word and PowerPoint.
To learn more about achieving and maintaining ISO standards and GxP compliance in Microsoft 365, contact us.
You can also read our blog to find out more.