NIS2 Compliance Is your organisation ready to be compliant with NIS2? The NIS2 Directive aims to increase the cybersecurity level in the EU, imposing new cybersecurity requirements on organisations in many industries. As NIS2 will be in effect per October 2024, organisations in scope need to start assessing their NIS2 compliance and remediating any gaps. Failure to comply with NIS2 can lead to an administrative fine of up to €10 million or 2% of the total global annual revenue (for essential sectors). What is NIS2? The Network & Information System (NIS2) Directive is focused on increasing cybersecurity in the European Union (EU) and helping to shape the EU’s digital future. A special focus has been put on cybersecurity incident response, with reporting obligations for significant incidents and sharing of this information between EU member states’ Cyber Security Incident Response Teams (CSIRTs) to prevent cybersecurity incidents from spreading.NIS2 will replace the Network & Information System Directive (NIS) from May 2018, and will go into effect on 18 October 2024. EU member states must have the directive enacted into national legislation and have local supervisory and enforcement authorities established.The European Commission has agreed on significant penalties for organisations failing to comply with the NIS2 requirements. They can receive an administrative fine of up to €10 million or 2% of the total global annual revenue for essential sectors, or €7 million or 1.4% of total global annual revenue for important sectors, and potential suspension of the organisation's top management. To which sectors NIS2 applies The sectors in scope of NIS2 are divided into two groups – essential and important:NIS2 applies to more sectors compared to the NIS Directive, as shown in the picture above. NIS2 also applies to organisations outside of the EU if they provide essential or important services within the EU. Furthermore, (IT) suppliers of organisations in scope of NIS2 will have to comply with the NIS2 requirements as well, being part of the organisations’ supply chains. What are the key requirements of NIS2? The NIS2 Directive sets a general direction for the cybersecurity risk management requirements, and more detailed requirements are being developed. However, the significant effort in meeting the NIS2 requirements will be in the following areas:Risk assessment and security policiesIncident handlingBusiness continuity, disaster recovery, and crisis managementSupply chain securitySecurity in systems development and maintenanceSecurity assessment policies and proceduresCyber hygiene, training, and (board) awarenessCryptography policies, and proceduresHuman resources security, access control, and asset managementReporting obligationsOne of the new requirements is the board level responsibility for overseeing, approving, and monitoring cybersecurity risk management measures. The board should be trained on cybersecurity and can be held (personally) liable should the organisation fail to meet the NIS2 requirements.An important NIS2 requirement is the reporting of significant cybersecurity incidents. The reporting timelines are challenging, as supervisory authorities need to be notified within 24 hours after becoming aware of a significant incident. Within 72 hours an incident report must be provided, followed by a final report one month afterwards. Also, customers need to be informed and provided guidance on how they should protect themselves from any threats related to the incident. How can we help?As NIS2 will go into effect in October 2024, organisations need to start assessing their NIS2 compliance and start remediating any gaps now. We can help by providing:Board-level NIS2 awareness training: to ensure your board members understand their NIS2 obligations and the importance of NIS2 compliance for the organisation.NIS2 health check: to determine your organisation’s compliance gaps against the NIS2 requirements and roadmap for improvement.NIS2 implementation: to remediate your organisation's compliance gaps and implementing the required controls and management processes and supporting GRC-tooling.Unified Control Framework development: to help your organisation to meet regulatory security requirements in an efficient and effective manner using a unified control framework (audit once and report to many), to meet NIS2, DORA, ISO27001, SOX, PCI-DSS compliance and others. Our teams are combined of experienced security professionals who can help you on this journey and support you in making your company compliant with the requirements of the NIS2 Directive. Leadership Stan Oparanov Stan Oparanov is Director at Protiviti Milan and Protiviti Bulgaria. Stan is one of the leaders of Protiviti Bulgaria and focuses on the use of technology and innovation in management consulting, risk management, compliance and internal audit.He has strong ... Learn more Andrea Rista Andrea Rista is Director at Protiviti Italy and Protiviti Bulgaria, with focus on Business Risk Consulting, Corporate Governance and Internal Audit services.In Protiviti since 2004, he developed strong skills in internal audit, risk management, corporate governance, and ... Learn more