NIS2 Directive
The European Union's NIS 2 Directive entered into force in December 2022 and must be transposed into national law by 17 October 2024. The practical application of the NIS2 Directive will start on 18 October 2024. This guide explains what will change, who will be affected and what the new NIS2 requirements are.
There is still time for businesses to prepare and ensure that they are compliant with the new minimum level of corporate security.
Lauri Jurvanen - SAVE Lan Oy
KEY ISSUES
What is the NIS2 Directive?
NIS2, the Cyber Security Directive, is EU-wide legislation on cybersecurity that aims to harmonise and raise the level of cybersecurity across the EU. NIS2 replaces the previous NIS Directive, extending its scope and requirements.
The updated Directive strengthens requirements and responsibilities. It aims to improve the cybersecurity awareness and threat preparedness of actors that are critical and important for society in the European Union, and to protect EU actors from the growing number of cyber threats.
The NIS2 Directive defines minimum measures to be implemented by the operator. NIS2 emphasises risk management and introduces new requirements, including physical security. The Directive includes strict reporting requirements for disruptive incidents and near misses.
Under the NIS2 Directive, key operators will be supervised actively (ex ante) and important operators passively (ex post). The administrative consequences of non-compliance are significant.
Requirements of the NIS2 Directive
Important to know about the NIS2 Directive
Who are the key and important actors?
- The NIS2 Directive specifically targets service providers whose disruption could seriously affect the security of citizens, the economy or the functioning of society. Operators are divided into two main categories: essential and critical operators.
- The Directive automatically applies to all medium-sized companies (50+ employees and a turnover of more than 10 million) and large companies with more than 250 employees operating in key sectors.
- The NIS2 Directive also applies to all nationally designated critical operators, regardless of size. These operators will be notified separately.
Which sectors are covered by the NIS2 Directive?
- Energy (electricity, oil, gas, district heating and cooling, hydrogen)
- Transport (air, rail, water and road)
- Health care (public hospitals and private clinics)
- Water supply (drinking water, waste water)
- Digital infrastructure (telecoms, DNS, TLD, cloud services, data centres)
- Finance (banking, financial market infrastructures)
- Public administration
- Space
- Digital service providers (online shops, search engines, social media services)
- Postal and courier services
- Waste management
- Food industry
- Manufacturing (medical equipment, electronics, machinery, vehicles)
- Chemicals (manufacture and distribution)
- Research organisations
What will change compared to the previous NIS Directive?
- An increasing number of companies are covered by the Directive
- Increased importance of, and stricter requirements for, risk management
- Businesses must comply with stricter security policies and obligations
- More proactive supervision and guidance from public authorities
- Emphasis on ensuring the security of the entire supply chain
- Reporting requirements are more stringent than before
- Penalties may apply for breaching the new rules
- Growing responsibility of management teams for cybersecurity
What are the NIS2 sanctions if an organisation fails to implement the requirements?
- The authority may temporarily suspend the services of a key operator
- Temporary disqualification of the CEO or equivalent legal representative from holding management functions
- Administrative fine for a key operator of up to €10 million or 2 % of turnover
- Administrative fine for an important operator of up to €7 million or 1.4 % of turnover
- Administrative sanctions may also include orders to take security or corrective measures
How must OT networks be secured under the NIS2 Directive?
In line with the NIS2 Directive, securing OT networks requires a holistic approach to security covering risk management, security compliance and incident management. In practice this means regular risk analysis, security updates, access management improvements, and incident reporting and handling. Every organisation should continuously update and audit its security practices.
Risk management
CHALLENGE: NIS2 emphasises proactive risk management for SCADA and OT environments, which are vulnerable to cyber-attacks.
ACTION: Businesses must carry out regular risk analyses and continuously update their security practices. Risk management includes the identification, assessment and treatment of vulnerabilities.
Tougher security requirements
CHALLENGE: The NIS2 Directive sets stricter security requirements for networks and information systems than before.
ACTION: In SCADA and OT environments, this means security updates, access management improvements and regular auditing of systems. In particular, the current focus is also on improving network traffic monitoring.
Incident management and reporting
CHALLENGE: NIS2 requires reporting of significant cybersecurity incidents.
ACTION: The company must establish an incident management plan and report cyber incidents within the required deadlines and in the required format. A particular challenge is reporting to the authorities within 24 hours. For SCADA and OT systems, incident management should include automated alerts and precise response actions in the event of a cyber attack.
Ensuring supply chain security
CHALLENGE: The NIS2 Directive requires supply chain security to be ensured.
ACTION: It is no longer enough to rely on everyone doing their own job; all parties in SCADA and OT environments must jointly ensure that they comply with adequate cybersecurity standards.
Cyber hygiene and training needs
CHALLENGE: In SCADA and OT environments, the human element plays a major role in preventing cyber-attacks.
ACTION: Businesses need to maintain high standards of cyber hygiene, for example by ensuring protection against email phishing and providing ongoing security training.
Business continuity management
CHALLENGE: Backup and recovery planning for systems, and crisis management.
ACTION: Regular testing of backups, including restoring them to the production system.
How will the new NIS2 requirements be met?
Check out our service packages
NIS2 development projects always start with a free survey, followed by a NIS2 GAP analysis. The actual NIS2 development project can be based on an action plan.
NIS2 Initial mapping
In the NIS2 initial mapping, we determine the company's baseline situation and what has already been done and where it is heading, as well as the management's understanding of the future NIS2 requirements.
The free initial survey determines the company's readiness to carry out the NIS2 GAP analysis.
NIS2 GAP analysis
The NIS2 GAP analysis provides the organisation with a comprehensive view of the current state of cybersecurity in relation to the NIS2 requirements. It also provides you with a concrete action plan and a list of steps towards NIS2 compliance. The final report will quantify and analyse the findings and prioritise the recommended actions into a development path.
NIS2 development project
To help you implement your action plan, Save LAN will provide you with experienced experts who are familiar with the requirements of the NIS2 Directive. We can support you with policy and documentation creation, incident management, solution design and vulnerability management, including physical security and firewall equipment.