New European NIS2 regulation


Post by Fgjklf »

Any company can be the victim of a cyberattack, from a large multinational to a small company. And, starting next October 2024, organizations will have to adapt to new legislation on cybersecurity.

In order to clarify any doubts and to put on the table the challenges and opportunities that arise from the new NIS2, I am sharing with you what cybersecurity should be like in the NIS2 era. Find out what the NIS2 directive is, which companies it is aimed at, why it is going to be implemented and what obligations and sanctions it contemplates.

The NIS2 Directive (Network and Information Systems Directive) is a key regulation adopted by the European Union to strengthen cybersecurity in its Member States. This new directive, which will enter into force in 2024, expands and strengthens the requirements established by the original NIS Directive of 2016, imposing stricter measures and more severe sanctions to ensure a uniform level of cybersecurity throughout the Union.

What is the NIS2 Directive?
The NIS2 Directive aims primarily to increase the collective level of cybersecurity in EU Member States. Unlike its predecessor, NIS1, which established a basic framework for the security of networks and information systems, NIS2 imposes stricter requirements and broadens its scope to include more sectors considered critical to society.

Differences between GDPR and NIS2
It is important to distinguish between the NIS2 Directive and the General Data Protection Regulation (GDPR). While the GDPR focuses on the protection of personal data, NIS2 is geared towards the cybersecurity of critical infrastructure. Both regulations, however, share the goal of strengthening resilience and security in their respective areas.

Sectors Covered by NIS2
NIS2 significantly expands the number of sectors that must comply with these requirements. Sectors now covered include:

Energy: supply, distribution, transmission and sale.
Transport: air, rail, road and sea.
Finance: credit, trade, market infrastructure.
Health: research, production, suppliers and manufacturers.
Drinking water and wastewater.
Digital infrastructure: DNS services, data centers, cloud services, managed service providers.
Public administration, postal and parcel services, waste management, chemicals, food and production of electronic equipment and machinery.

Requirements for Organizations
The NIS2 Directive imposes new requirements in four main areas: governance, reporting to authorities, risk management and business continuity.

Management: Management must be aware of and understand the policy requirements and risk management efforts. They have direct responsibility for identifying and addressing cyber risks.
Reporting to authorities: Organizations should establish processes to ensure proper reporting to authorities, including an obligation to report major incidents within 24 hours.
Risk management: Measures should be implemented to minimize risks and consequences, including incident management, supply chain security, network security, access control and encryption.
Business continuity: Organizations should consider how to ensure business continuity in the event of major cyber incidents, including system recovery, emergency procedures, and establishing a crisis response team.