Strengthening cybersecurity across Europe with the NIS2 Directive

Categories: Security

Is your company ready for the NIS2 Directive? Let’s find out and make cybersecurity a priority together!

NIS2 DIRECTIVE: MORE THAN JUST A NEW CYBERSECURITY REGULATION

The digital landscape is constantly evolving, and with it, the security challenges faced by businesses across Europe. According to the ENISA Threat Landscape 2024 report [1], there has been a dramatic rise in cybersecurity attacks, with both the number and the variety of incidents increasing.

Denial-of-service (DoS, DDoS, RDoS) and ransomware attacks remain the most common threats across the EU, with cybercriminals shifting from encryption-based attacks to data exfiltration. Another worrying trend revealed by the report is that small and medium-sized businesses (SMBs) are becoming more attractive targets for cybercriminals. Lastly, hacktivist activities are also increasing and becoming more unpredictable.

These trends underline the importance of the NIS2 Directive (Network and Information Security Directive). NIS2 strengthens cybersecurity cooperation across the EU and introduces new security requirements to enhance Europe’s digital resilience against cyber threats.

WHO DOES THE NIS2 DIRECTIVE AFFECT?

The NIS2 Directive affects around 160,000 organizations across the EU, extending the scope of the original NIS Directive to include a wider range of sectors. For example, it establishes stricter rules for critical sectors like energy, transport, health, banking, digital infrastructure, and public administration, which are classified as “essential entities”.

NIS2 also covers other critical sectors, such as manufacturing, production, and postal services, which are classified as “important entities”. Unlike the original directive, NIS2 also applies to small and medium-sized businesses (SMBs) as well as large enterprises, increasing the number of organizations that must follow its guidelines.

This means that each EU Member State must implement a national cybersecurity strategy, with policies for supply chain security, vulnerability management, and cybersecurity education and awareness. What’s more, the NIS2 Directive also stipulates that Member States must establish and regularly update a list of operators of essential services to help ensure that these entities comply with NIS2 requirements.

KEY REQUIREMENTS UNDER NIS2

Businesses can ensure NIS2 compliance by implementing strict cybersecurity measures, including:

  • Risk Management & Security Policies: Establishing strong security frameworks to prevent and respond to cyber threats effectively, as required by the obligation to continuously monitor risk.
  • Incident Reporting: Reporting significant security incidents within 24 hours and providing a full report within 72 hours.
  • Business Continuity & Crisis Management: Developing clear response strategies to minimize the impact of cyberattacks.
  • Supply Chain Security: Securing suppliers and partners to ensure compliance throughout supply chains.
  • Management Accountability: Leadership teams must actively oversee cybersecurity measures, with potential personal liability for non-compliance.

The NIS2 Directive turns cybersecurity into more than just an IT issue, making it a board-level priority. Leadership must take an active role in compliance and risk management to ensure that their own company’s critical services (and those of their suppliers) meet stringent cybersecurity standards.

More than simply adapting to new regulations, businesses should look to foster and promote a culture of security, where employees at every level within the company are actively engaged in safeguarding both operations and data.

PREPARE FOR NIS2 COMPLIANCE

Navigating NIS2 compliance can be complex. Fortunately, T Business Europe provides expert guidance and tailored cybersecurity solutions to help businesses like yours meet the latest requirements.

Companies don’t necessarily need to overhaul existing cybersecurity measures to comply with the NIS2 Directive. Many businesses already have the tools they need, and it’s simply a question of utilizing them fully, particularly in cloud environments. Before investing in new systems, businesses should therefore assess and enhance their existing cybersecurity measures, e.g., with our vCISO service.

Now is the time for businesses to assess their cybersecurity strategies and take action. There are a few simple first steps companies can take, such as appointing a cybersecurity manager, establishing clear policies and responsibilities, and carrying out a cybersecurity audit within the company.

Regardless of the approach you take, it’s important to keep in mind that the NIS2 Directive isn’t just about imposing more regulations on companies. Instead, it’s about helping organizations secure their data and business—which should be a top priority for almost any company.

T Business Europe is committed to helping businesses navigate these new challenges. It’s our mission to keep your operations secure in today’s ever-changing digital landscape—because your cybersecurity is our business!

For more information on how to prepare for NIS2 compliance, visit our dedicated page here.

 

SOURCES:

  1. 2024 Report on the State of Cybersecurity in the Union