
At the beginning of 2023, the NIS 2 Directive came into force, reshaping cybersecurity in European Union member states. Member states have 21 months to transpose the provisions of NIS 2 into national law – the deadline is October 18, 2024. From then on, the new regulations are to be applied in all EU countries, and organizations must meet strict requirements as a result.

Do you want to learn more? Read our article on NIS 2 and find out if the aforementioned changes will affect your company.

What is the NIS 2 directive?

NIS 2 is an amendment to an existing European Union law that specifies security requirements, as well as the incident reporting process. It stems from the fact that threats in cyberspace are increasingly sophisticated, harmful and common. The new regulation is aimed at enhancing online security. The EU directive mandates strict protection of digital infrastructure data. The regulations have been updated to simplify reporting and create consistent rules and penalties across the EU.

Who is affected by the NIS 2 directive?

Companies should start adapting to the changes resulting from the NIS 2 Directive now. However, not all of them are aware that their sector is covered by the new regulations. Who is affected by the NIS 2 directive? New obligations will be introduced in key sectors and in important sectors, which are described in the graphics below.

The NIS 2 directive – who is subject to the new regulations?

👉 medium-sized enterprises (more than 50 employees), with annual revenues of €10 million or an annual balance sheet total of up to €43 million,
👉 large enterprises (more than 250 employees), with annual revenues of €50 million or an annual balance sheet total equal to €43 million or more.

What obligations does the NIS 2 directive impose?

The NIS 2 directive – requirements placed on employers:

1) Risk assessment and management:
Organizations must regularly assess cybersecurity risks and implement appropriate measures to manage them. Compliance with the NIS 2 directive requires implementing a strategy that covers:

  • threat identification,
  • vulnerability analysis,
  • assessment of potential effects and incidents.

👉 Examples of technical and operational measures:
Organizations can implement advanced security measures such as:

  • firewall,
  • detection systems,
  • intrusion prevention systems,
  • data encryption,
  • endpoint security,
  • regular software updates.

It is also necessary to monitor networks and systems so that cybersecurity incidents can be responded to promptly. It is worth conducting security audits, which identify possible security gaps so that the missing elements can be filled in.

2) Incident management:
Organizations should develop and implement incident management processes. These should include:

  • detection procedures,
  • response procedures,
  • reporting procedures,
  • recovery procedures.

Serious security incidents should be reported to the competent national authorities.

3) Operational continuity management:
The organization should develop and implement a continuity plan to ensure that critical functions and services are maintained in the event of an incident.

4) Training and awareness:
Building employee awareness of cybersecurity and potential cyber threats through regular training is key.

👉 It is also recommended to conduct regular audits to assess compliance with the requirements of the NIS 2 directive, report the results to the relevant supervisory authorities, and take corrective action when threats are detected.

The NIS 2 EU directive – responsibility and penalties

Organizations not complying with the NIS 2 directive will incur heavy penalties.


What actions should be taken regarding NIS 2?

As a first step, it is worth checking whether the new regulations apply to your company. To this end, it is also worth designating appropriate points of contact within the organization – people who will be responsible for matters related to cybersecurity and the NIS 2 directive.

Organizations should assess the scale of the changes they will face as soon as possible. This includes assessing the risks and potential threats to systems and data, implementing the right technical and organizational measures both to prevent cyber incidents and, when they do happen, to mitigate their effects through pre-planned actions, and considering training for employees in this area.

In addition, it’s worth keeping up to date with changes made to the national cybersecurity system law.

It is likely that your company already meets some of the requirements, so focus on what is missing: first, analyze your company's existing security architecture and the tools you have. Using them, you can develop new processes to meet the requirements that the NIS 2 directive sets. It is worth paying attention to these processes and implementing the missing elements within the organization, while keeping in mind that time is limited. If your organization is affected by the NIS 2 directive, start tracking now what deficiencies exist and how they can be fixed most effectively in order to be ready by October 2024.

If you are unsure how to conduct such an audit at your company and check whether your existing solutions meet the requirements of the NIS 2 directive, you can use professional audit services. summ-it is well experienced in auditing and supporting databases – as part of our audit service, we provide a detailed report on the security and performance of your systems.


How can summ-it help your company comply with the NIS 2 directive?

Cybersecurity, and constant attention to it, is crucial. Thanks to it, your organization will run smoothly, without worrying about network attacks.

At the same time, we are aware that implementing the requirements of the EU NIS 2 directive is a complex process that requires expertise and cybersecurity knowledge. We offer the support of our experienced specialists, who can assist you in adapting your company's processes to the requirements of the new NIS 2 regulations by conducting an audit.

Do you want to learn more about the changes associated with NIS 2, as well as the opportunities resulting from a security and IT architecture performance audit?
