
NIS2 Directive

The European Union's NIS2 Directive (Directive (EU) 2022/2555) was published in December 2022 and entered into force on 16 January 2023. Member States had to transpose it into national law by 17 October 2024, and it has applied since 18 October 2024. This guide explains what is changing, who is affected and what the new NIS2 requirements are.

Businesses that fall within its scope should therefore prepare now and make sure they meet the new minimum level of corporate security.

Lauri Jurvanen - SAVE Lan Oy

“The Network and Information Security Directive (NIS2) aims to ensure a common level of cyber security across the European Union.”

KEY ISSUES

What is the NIS2 Directive?

NIS2, the EU's Network and Information Security Directive, is EU-wide legislation on cybersecurity that aims to harmonise and raise the level of cybersecurity across the Union. NIS2 replaces the previous NIS Directive (Directive (EU) 2016/1148), extending both its scope and its requirements.

The updated Directive strengthens requirements and responsibilities. It aims to improve the cybersecurity awareness and threat preparedness of entities that are essential or important to society in the EU, and to protect them from the growing number of cyber threats.

The NIS2 Directive defines minimum measures that every covered entity must implement. It emphasises risk management and adds requirements that the earlier Directive did not spell out, including physical and environmental security. It also sets strict reporting obligations for significant incidents; near misses and cyber threats may be reported voluntarily, but reporting them is not mandatory.

Under NIS2, essential entities (referred to as key actors on this page) are supervised proactively (ex ante), while important entities are supervised reactively (ex post), that is, when there is evidence or an indication of non-compliance. The administrative consequences of non-compliance are significant.

Requirements of the NIS2 Directive

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security, including the security-related aspects of the relationship between each entity and its direct suppliers or service providers
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

These ten measures are the minimum set listed in Article 21(2) of the Directive.

Important to know about the NIS2 Directive

Which sectors are covered by the NIS2 Directive? Who are the key and important actors? What changes compared to the previous NIS Directive? What are the NIS2 sanctions if an organisation fails to implement the requirements?

Sectors covered by the Directive

The NIS2 Directive specifically targets service providers whose disruption could seriously affect the security of citizens, the economy or the functioning of society. Covered organisations are divided into two main categories: essential entities (the key actors referred to on this page) and important entities.

The Directive automatically applies to medium-sized and large companies (at least 50 employees, or an annual turnover and balance sheet total above €10 million) operating in the sectors listed below. It also applies to nationally designated critical operators regardless of size, and to certain entity types regardless of size (for example DNS service providers and TLD name registries). These operators will be notified separately.

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water and road)
  • Banking and financial market infrastructures
  • Health (public hospitals and private clinics)
  • Drinking water and waste water
  • Digital infrastructure (telecoms, DNS, TLD name registries, cloud services, data centres)
  • ICT service management (managed service providers and managed security service providers)
  • Public administration
  • Space
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Postal and courier services
  • Waste management
  • Food production, processing and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Chemicals (manufacture, production and distribution)
  • Research organisations

Key players and important actors

As a rule, large entities in the high-criticality sectors (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space) are essential entities, the key players. The other medium-sized and large entities in the sectors above are important entities. Essential entities are supervised ex ante and important entities ex post, and the maximum fines differ, as listed under Sanctions below.

What will change?

  • Increasing number of companies covered by the Directive
  • Greater importance of, and stricter requirements for, risk management
  • Businesses must comply with stricter security policies and obligations
  • More proactive supervision and guidance from public authorities
  • Emphasis on ensuring the security of the entire supply chain
  • Reporting requirements are more stringent than before
  • Penalties may apply for breaching the new rules
  • Growing responsibility of management bodies for cybersecurity

Sanctions

  • Temporary suspension of a certification or authorisation for the services or activities of an essential entity
  • Temporary prohibition of the CEO or equivalent legal representative of an essential entity from exercising managerial functions
  • Administrative fine for an essential entity of up to €10 million or 2 % of total worldwide annual turnover, whichever is higher
  • Administrative fine for an important entity of up to €7 million or 1.4 % of total worldwide annual turnover, whichever is higher
  • Administrative measures may also include binding instructions and orders to take security or corrective measures.

How must the OT network be secured under the NIS2 Directive?

In line with the NIS2 Directive, securing OT networks requires a holistic approach covering risk management, compliance with the security requirements and incident management: regular risk analysis, security updates, improved access management, and incident reporting and handling. Every organisation should continuously update and audit its security practices.

Risk management

CHALLENGE: NIS2 emphasises proactive risk management for SCADA and OT environments, which are vulnerable to cyber-attacks.

ACTION: Businesses must carry out regular risk analyses and continuously update their security practices. Risk management covers the identification, assessment and treatment of vulnerabilities.

Tougher security requirements

CHALLENGE: The NIS2 Directive sets stricter security requirements for networks and information systems than before.

ACTION: In SCADA and OT environments this means applying security updates, improving access management and auditing systems regularly. Today a particular focus is also on improving the monitoring of network traffic, so that unexpected connections and commands in the control network are noticed.
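Traffic monitoring in an OT network is most useful when it understands the control protocol rather than only IP addresses. As an added example (not a SAVE LAN product, and using constructed packets rather than a real capture), the Python below parses Modbus/TCP request frames and raises an alert when a write function code (FC 5, 6, 15 or 16) arrives from a host that is not on the allow-list of engineering workstations, or when a frame is malformed. The host addresses and the allow-list are assumptions.

```python
"""Allow-list based Modbus/TCP write monitor (added example for OT traffic monitoring)."""
import struct
from typing import Iterable, List, NamedTuple, Set, Tuple

# Modbus function codes that change process state; everything else is treated as read-only here.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


class ModbusFrame(NamedTuple):
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and the PDU function code."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts the unit id and the whole PDU, i.e. everything after byte 6.
    if length != len(data) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(data)}")
    return ModbusFrame(src, dst, tid, unit, data[7], data[8:])


def detect_unauthorized_writes(packets: Iterable[Tuple[str, str, bytes]],
                               allowed_writers: Set[str]) -> List[str]:
    """Return one alert line per write from a non-allow-listed host and per malformed frame."""
    alerts: List[str] = []
    for src, dst, data in packets:
        try:
            frame = parse_modbus_tcp(src, dst, data)
        except ValueError as err:
            alerts.append(f"{src} -> {dst}: malformed Modbus/TCP frame ({err})")
            continue
        name = WRITE_FUNCTIONS.get(frame.function_code)
        if name and src not in allowed_writers:
            alerts.append(f"{src} -> {dst}: {name} (FC {frame.function_code}) "
                          f"to unit {frame.unit_id} from host not on the write allow-list")
    return alerts


# Constructed sample traffic with hypothetical addresses: an HMI read, an engineering
# workstation write, a write from an unknown host, and a truncated frame.
PLC = "10.10.1.20"
SAMPLE_PACKETS = [
    ("10.10.1.10", PLC, bytes.fromhex("0001 0000 0006 01 03 0000 000A")),                # FC3 read, HMI
    ("10.10.1.11", PLC, bytes.fromhex("0002 0000 0006 01 06 0010 0001")),                # FC6 write, eng. ws
    ("10.10.9.99", PLC, bytes.fromhex("0003 0000 000B 01 10 0010 0002 04 0001 0002")),  # FC16 write, unknown
    ("10.10.9.99", PLC, bytes.fromhex("0004 0000 0006 01")),                             # truncated frame
]
ALLOWED_WRITERS = {"10.10.1.11"}


def run_sample() -> List[str]:
    """Run the monitor over the constructed packets; expect two alerts."""
    return detect_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In a real deployment the packet tuples would come from a SPAN port or network tap feed, and the allow-list from the asset inventory that NIS2 also requires; the point is that a write command from an unexpected source is an alertable event even when it is syntactically valid.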

Deviation management and reporting

CHALLENGE: NIS2 requires the reporting of significant cybersecurity incidents.

ACTION: The company must establish an incident management plan and report significant cyber incidents in the required time and format. The Directive's reporting cadence is the particular challenge: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after that notification. For SCADA and OT systems, incident management should therefore include automated alerting and pre-defined response actions, so that an attack is detected and assessed quickly enough to meet these deadlines.
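The reporting cadence above is easy to get wrong under pressure, so here is an added example (not SAVE LAN tooling) of a small Python deadline tracker. It works on a constructed incident record and computes the three Article 23 deadlines from the time the entity became aware of the incident; the final-report deadline is counted from the time the notification was actually submitted, as the Directive states, or from the notification deadline if no notification has been sent yet.

```python
"""NIS2 Article 23 reporting-deadline tracker (added example, not part of this page's services)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; all deadlines are computed in UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def add_one_month(ts: datetime) -> datetime:
    """One calendar month later, clamped to the last day of the target month (31 Jan -> 28/29 Feb)."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class Incident:
    """Constructed record of one significant incident and the reports sent so far."""
    aware_at: datetime                      # when the entity became aware of the incident
    early_warning_at: Optional[datetime] = None
    notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None


def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Article 23(4): early warning 24 h, notification 72 h, final report one month after notification."""
    early_warning = inc.aware_at + timedelta(hours=24)
    notification = inc.aware_at + timedelta(hours=72)
    # The one-month clock starts when the notification is submitted; until then, plan from its deadline.
    final_report = add_one_month(inc.notification_at or notification)
    return {"early_warning": early_warning, "notification": notification, "final_report": final_report}


def report_status(inc: Incident, now: datetime) -> Dict[str, str]:
    """Classify each obligation as submitted, submitted late, OVERDUE or still open."""
    submitted = {
        "early_warning": inc.early_warning_at,
        "notification": inc.notification_at,
        "final_report": inc.final_report_at,
    }
    out: Dict[str, str] = {}
    for name, due in deadlines(inc).items():
        sent = submitted[name]
        if sent is not None:
            out[name] = "submitted" if sent <= due else "submitted late"
        elif now > due:
            out[name] = "OVERDUE"
        else:
            out[name] = f"open, due in {due - now}"
    return out


if __name__ == "__main__":
    # Constructed example: a PLC compromise noticed on 31 January 2025 at 10:00 UTC,
    # early warning sent the same evening, nothing else sent yet.
    inc = Incident(aware_at=utc(2025, 1, 31, 10), early_warning_at=utc(2025, 1, 31, 20))
    for name, state in report_status(inc, utc(2025, 2, 4, 9)).items():
        print(f"{name:14s} {state}")
```

The month arithmetic is deliberately calendar-based rather than 30 days, and the timestamps are timezone-aware, because an incident noticed late on 31 January with a report due "in one month" is exactly the kind of detail that gets miscalculated in a spreadsheet during an outage.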

Ensuring supply chain security

CHALLENGE: The NIS2 Directive requires supply chain security to be ensured.

ACTION: It is no longer enough to rely on each party doing its own job. In SCADA and OT environments all parties (equipment vendors, integrators and remote maintenance providers alike) must jointly ensure that they comply with adequate cybersecurity standards, and the security aspects of each supplier relationship must be assessed.

Cyber hygiene and training needs

CHALLENGE: In SCADA and OT environments, the human element plays a major role in preventing cyber-attacks.

ACTION: Businesses need to maintain high standards of cyber hygiene, for example by protecting against email phishing and providing ongoing security training.

Business continuity management

CHALLENGE: Backup and recovery planning for systems, and crisis management.

ACTION: Back up systems regularly and test restoring the backups to the production system at regular intervals, so that recovery times are known before an incident occurs.

How will the new NIS2 requirements be met?

Check out our service packages

NIS2 development projects always start with a free initial survey, followed by a NIS2 GAP analysis. The actual NIS2 development project is then based on the resulting action plan.

NIS2 Initial mapping

0 €

In the NIS2 initial mapping, we determine the company's baseline situation and what has already been done and where it is heading, as well as the management's understanding of the future NIS2 requirements.

The free initial survey determines the company's readiness to proceed to the NIS2 GAP analysis.

Book a free consultation

NIS2 GAP analysis

2690 €

The NIS2 GAP analysis provides the organisation with a comprehensive view of the current state of cybersecurity in relation to the NIS2 requirements. It also provides you with a concrete action plan and a list of steps towards NIS2 compliance. The final report will quantify and analyse the findings and prioritise the recommended actions into a development path. 

Book a free consultation

NIS2 development project

ask for an offer

To help you implement your action plan, Save LAN will provide you with experienced experts who are familiar with the requirements of the NIS2 Directive. We can support you with policy and documentation creation, incident management, solution design and vulnerability management, including physical security and firewall equipment.

Book a free consultation

Frequently asked questions

In Finland, national implementation of the NIS2 Directive is underway. The EU transposition deadline was 17 October 2024, and the Directive has applied since 18 October 2024.

ISO 27001 is an international standard that defines the requirements for the establishment, implementation, maintenance and continuous improvement of an Information Security Management System (ISMS). It helps organisations to protect their information through a systematic risk management process and to ensure the confidentiality, integrity and availability of information.

The requirements of the NIS2 Directive apply automatically to all medium-sized and large companies (at least 50 employees, or an annual turnover and balance sheet total above €10 million), provided they operate in the sectors covered by the Directive. The Directive sets stricter security requirements, including risk management, incident reporting and ensuring supply chain security. Companies will have to comply with the new security practices and requirements and be prepared for proactive supervision and possible sanctions by public authorities.

Give us a call

Questions about your company's security?

040 728 7636

Please be as specific as possible about your situation. I will reply to you by email promptly the same day 👍


Save LAN Oy

  • Rajatorpantie 8, 01600 Vantaa
  • 040 728 7636
  • Business ID: 3006557-7
  • lauri.jurvanen (at) savelan.fi

Services

  • Substation consulting
  • SCADA consulting
  • Process network risk analysis
  • Information security analysis of the production network
  • Communication solutions for the production network

Other links

  • A guide to secure business operations
  • Team
  • Give us a call
  • Register and Privacy Statement
  • Nematron® system

© 2025 Save LAN
