– Mia Louise Bukholt, Principal Cybersecurity Consultant, NNIT
The EU’s NIS2 Directive makes the cybersecurity requirements companies have to fulfil more stringent. The extensive new rules will apply to far more companies and sectors, and breaches will incur larger fines. We explain how you can prepare for the new requirements below.
In our digital age, cybersecurity threats are a major concern for businesses, governments, and individuals. This is why the EU is updating the previous NIS Directive to NIS2. We give you and your company answers to some of the most pressing questions about the far-reaching directive below.
What is the NIS2 Directive?
NIS2 expands cybersecurity requirements and sanctions in order to harmonize and streamline the level of security across member states. The directive builds on the EU’s previous cybersecurity rules from 2016 (NIS), and expands the number of companies and sectors deemed to be critical to society.
At the same time as requirements for cyber preparedness are being raised for companies, the potential sanctions are also increasing, and member states also have to ramp up monitoring of compliance with the rules.
The NIS2 Directive means your company has to prepare for new and stricter requirements regarding management responsibility for risk management, business continuity, and reporting to the authorities.
Who is covered by the NIS2 Directive?
NIS2 will apply to far more companies than previously. The old directive covered companies in seven sectors. The new rules will apply to 16-18 sectors. The table at the bottom of this page shows the sectors covered.
According to a survey conducted by the Danish Industry Foundation, over 1,000 Danish companies will be covered by NIS2 (whereas only 150 companies were previously covered). One reason why the group of covered companies is expanding is because the directive introduces supply chain responsibility. This means that suppliers to NIS2 companies must be able to account for their handling of IT security.
What requirements does NIS2 place on your business?
NIS2 sets a number of ‘minimum requirements’ that must be met. Member states may choose to set higher standards than these minimum requirements. Companies in the energy sector, for example, are already subject to stricter requirements than those described in NIS and in the upcoming NIS2.
The directive can be broadly divided into four categories: