In October 2024, the EU NIS (Network and Information Systems) 2 directive will come into effect, expanding on the previous NIS directive. Its aim is to better prepare EU member states for evolving cybersecurity threats by imposing additional obligations on companies. So, what changes will NIS 2 bring? Which entities does it cover? It's worth familiarizing yourself with the directive's principles today, as the penalties for inadequate implementation will be substantial.

The implementation of NIS 2 was driven by the need to address the excessive flexibility in choosing criteria that EU member states gained under NIS (1).

NIS 2 in a nutshell

As mentioned earlier, the directive aims to enhance cybersecurity across the European Union. At a macro scale, member states will need to develop strategies and policies for the security and response to cybersecurity incidents. Inter-state incident liaisons and cooperation groups will be established, and a vulnerability registry supervised by ENISA will be created.

However, that's not all. Companies in the following sectors will have to meet new requirements:

• Entities deemed "important" by NIS 2 include the following sectors: postal and courier services, waste management, production, processing and distribution of chemicals, food, general manufacturing, digital services, and scientific research. These are areas crucial to the functioning of society and the economy, requiring special attention in terms of network and information system security.

• On the other hand, entities labeled as "critical" encompass sectors of strategic importance, such as energy, transportation, banking, financial market infrastructure, healthcare, drinking water, sewage, digital infrastructure, ICT service management, public administration, and space. In this context, critical sectors are treated as vital to the functioning of society and the economy, with their stability and security being strategically important for the entire country. NIS 2 imposes specific security requirements on these critical areas, aiming to protect against potential cyber threats.

What exactly companies have to do?

If your company falls within the category of critical or important businesses, employing at least 50 people or with an annual turnover exceeding 10 million euros, it will need to fulfill a series of obligations introduced by NIS 2.

These primarily include:

• Incident management
• Development of risk analysis and IT system security policies
• Development of policies and procedures for assessing the effectiveness of cyber security risk management measures
• Development of policies and procedures for the use of cryptography and encryption
• Ensuring business continuity through backup management, recovery of pre-failure states, and crisis management
• Ensuring supply chain security, including relationships with service providers
• Ensuring security in the acquisition, development, and maintenance of IT networks and systems, along with vulnerability handling and disclosure
• Best practices and training in cybersecurity
• Securing resource management, including HR resources
• Implementing multi-factor authentication or continuous authentication and secure communication systems within the organization

High penalties for non-compliance with NIS 2 

Companies classified as "critical" or "important" that fail to comply with the new law will face substantial penalties. These can amount to 10 million euros or 2% of the total annual global turnover for "critical" entities, and up to 7 million euros or 1.4% of the total annual global turnover for "important" entities. In addition to financial penalties, management may be held responsible for directive violations, leading to temporary bans on executive personnel and even temporary suspension of services.

Prepare for the implementation of NIS 2 

The remaining year before the NIS 2 regulations take effect is crucial for thorough preparation. We recommend starting with preparatory activities, including conducting an IT security audit, identifying potential threats, and adjusting the protective strategy to the new NIS 2 context.

It is also essential to invest in employee training, enhancing their awareness and skills in responding to potential cyber incidents.

Considering the experiences of many companies with the implementation of European GDPR regulations, it is crucial not to leave preparations to the last minute. Remember that securing digital data is not only a regulatory obligation but also a key element in building customer trust and maintaining a solid reputation in the market.

Hawatel and NIS 2 

In the face of growing challenges related to digital security, Hawatel offers support in preparing infrastructure for compliance with the NIS 2 directive. We understand how crucial it is to enhance the security level of IT systems in today's dynamically changing digital environment. Therefore, we provide a range of proven solutions, such as Web Application Firewall (WAF), Security Information and Event Management (SIEM), and Multi-Factor Authentication (MFA), which are not only effective but also tailored to the individual needs of each client. If you are looking for a partner to help secure your IT infrastructure and align it with the requirements of the NIS 2 directive, contact us today. We guarantee professional advice and support at every stage of implementing security solutions.

Do you have any questions? Contact us!