The purpose of this directive is to ensure the security of networks and information systems across the EU, as well as promote cooperation between Member States on cyber security matters.
The NIS Directive, otherwise known as the Network and Information Security Directive, was adopted by the European Union in 2016. To cope with the recent worldwide surge in cybercrime, the previous Directive has been updated to the NIS2 Directive. This blog post outlines the key focus areas for NIS2 compliance and how companies can stay compliant.
What is the NIS2 Directive?
On January 16th 2023, EU Directive (EU) 2016/1148 was repealed and replaced by the Directive (EU) 2022/2555, also known as NIS2.
The NIS2 Directive (Network and Information Systems Directive) is a directive issued by the European Union that aims to increase the security of networks and information systems throughout Europe. The directive applies to both public and private sectors and applies to all organizations that provide essential services such as health care, energy, transport, water, digital infrastructure, finance, and banking.
The NIS2 Directive focuses on improving the security of networks and information systems across Europe and includes requirements for companies to implement appropriate technical and organisational measures to prevent, detect, and respond to security incidents. These incidents must also be reported to the national competent authorities.
To ensure compliance with the NIS2 Directive, organisations must implement effective processes for identifying and managing risks, as well as put an incident response plan in place. NIS2 compliance is essential to ensuring the security of an organisation's networks and information systems and to protecting both customers and employees from cyber-attacks.
Key focus areas for NIS2 compliance
The NIS Directive is an important piece of legislation that seeks to protect the public from cyber threats. It applies to all essential service providers, such as energy and transportation, as well as digital service providers, such as online marketplaces, search engines, and cloud computing services.
To comply with the directive, organisations must take a risk-based approach to cyber security, putting measures in place to protect networks and information systems from cyber-attacks. These measures cover the key focus areas of NIS2 compliance:
- Access control: Controls must be in place to monitor who can access networks and information systems, and to limit access to only those who need it.
- Data integrity: All data stored on networks and systems must be kept secure and accurate, preventing any malicious tampering.
- System security: Networks and systems have to be protected against unauthorised access or use, using measures such as firewalls and anti-virus software.
- Incident management: Companies should have processes in place to detect, respond to, and manage incidents such as cyber-attacks and data breaches.
- Risk assessment: Businesses should identify and assess potential risks to their networks and information systems and put measures in place to mitigate those risks.
By ensuring that these key areas of NIS2 compliance are addressed, organisations can help protect their networks and information systems from cyber-attacks and keep themselves compliant with the NIS Directive.
NIS2 Compliance Requirements
Compliance with the NIS2 Directive is crucial for companies operating in the European Union. The Directive requires all operators of essential services, digital service providers and operators of digital marketplaces to implement appropriate measures and procedures to protect the security and availability of their network and information systems.
Important compliance deadlines for the NIS2 Directive include:
- EU-CyCLONe will need to submit an assessment of its work to the European Parliament and the Council by 17 July 2024 and every 18 months thereafter.
- Before 17 October 2024, the Member States must publish their strategy to meet the objectives of the NIS Directive.
- With effect from 18 October 2024, Directive (EU) 2016/1148 (the NIS Directive) is repealed.
- The Member States are required to establish a list of essential and important entities by 17 April 2025. On a regular basis and at least every two years thereafter, Member States should review and update that list.
- A list of essential and important entities for each sector will be submitted to the Commission and the Cooperation Group by 17 April 2025 and every two years thereafter.
- The Commission shall review the functioning of this Directive by 17 October 2027 and every 36 months thereafter.
How can companies stay compliant with the NIS2 Directive?
To begin with, the following measures should be taken to comply with the Directive:
- Establish a secure system architecture: Ensure that systems are architected in a way that limits the risk of attack. This includes using robust firewalls, software patches and secure authentication protocols. With Build38, you can extend the network perimeter to the pocket of your user, as an App protected with it is firewalled against the potential vulnerabilities present in the user's device.
- Monitor the system: Establish an effective monitoring system that can detect intrusions and suspicious activities, and alert the authorities when necessary. Build38's solution provides an observability module that reports and alerts whether a threat is occurring or about to occur.
- Implement response and recovery plans: Companies should develop comprehensive plans that detail how they will respond to an attack and what steps they will take to recover from it. With Build38 Self-Defending mechanisms, the App protected by Build38 can react to threats by locking or wiping sensitive information in case of risk of leakage or take-over, helping companies to meet this point.
- Review data protection policies: Companies must ensure that their data protection policies comply with the NIS2 Directive.
It is important for companies to stay compliant with the NIS Directive to protect their networks and information systems. Businesses looking to meet the compliance requirements of the Directive must implement and deploy at least the following defence measures:
- Risk analysis policy and a security policy for information systems.
- Incident response and handling programs.
- Business continuity plans: including backup management, disaster recovery, and crisis management.
- The security of supply chains: including security-related aspects of relationships between entities and their direct suppliers.
- Security in the acquisition: development and maintenance of networks and information systems, including the handling and disclosure of vulnerabilities.
- Cybersecurity risk-management policies and procedures for assessing effectiveness.
- Training in cybersecurity and cyber hygiene.
- Policies and procedures regarding cryptography and encryption.
- Development of strict access control policies, as well as asset management and human resources security programs.
- Use of multi-factor authentication, along with secure voice, video and text communication systems and secure emergency communication systems within the entity, where appropriate.
By taking these steps, companies can ensure that they are compliant with the NIS2 Directive and are better protected against cyber threats. Compliance with the NIS2 Directive is not just a legal obligation; it’s also an investment in the safety and security of a company’s network and information systems.
NIS2 Directive Non-compliance Implications
Non-compliance with the NIS Directive can lead to serious repercussions for businesses. The EU has put in place hefty fines for non-compliance, with a maximum penalty of up to 10 million EUR or 2% of total global annual turnover (whichever is greater).
Companies found to be in breach of the NIS2 Directive could also face legal action and reputational damage alongside other complications such as:
- Management liability.
- Temporary bans against managers.
- Designation of a monitoring officer.
Businesses must ensure they understand the implications of non-compliance and take appropriate steps to ensure they are adhering to the regulations laid out in the Directive. This includes having robust security measures in place, as well as having processes in place to detect and report cyber incidents.
Build38: your partner in becoming NIS2 compliant
The EU's Network and Information Systems Directive (NIS Directive) sets out a framework for improving the security of critical infrastructure. NIS2 compliance is essential for organisations to protect themselves and their customers from cyber threats and other risks. Implementing the NIS Directive can be challenging, but there are clear steps companies can take to ensure they are compliant, especially if they have robust in-app protection.
Understanding the key focus areas, staying up to date with regulations, and implementing effective cybersecurity measures are all essential for organisations to remain compliant with the NIS2 Directive. Failure to comply with the NIS2 Directive can have serious consequences, so companies must remain vigilant and ensure they have adequate security in place.
Build38 ensures that your business-critical mobile Apps meet the requirements of NIS2 and contributes to the overall NIS2 compliance of your organization. For more information on how Build38 can help you become NIS2 compliant, contact us.