NIS2 Directive (EU)
Cyber-attacks are becoming more frequent, particularly targeting critical infrastructure with potentially severe real-world consequences. To enhance the security of Europe’s essential services, the Network and Information Security Systems Directive (NIS 2) has been introduced. Member states are required to incorporate NIS 2 into their national laws by October 17, 2024. These new regulations will take effect on October 18, 2024, replacing the existing laws established under the first NIS Directive.
NIS2 Directive Scope
Entities are brought into scope of the NIS2 Directive based on their size and importance:
- Medium-sized organisations: 50+ employees or €10 million+ annual turnover/balance sheet total.
- Large organisations: 250+ employees or €50 million+ annual turnover or €43 million+ balance sheet total.
- Exceptions: Smaller entities may be included if they play a critical role in essential sectors like energy, transport, and health.
This ensures cybersecurity resilience for critical sectors across Europe and Ireland.
Fines, Penalties and Sanctions under NIS2
Under the NIS2 Directive, organisations that fail to comply with cybersecurity requirements face significant penalties:
- Fines: Up to €10 million or 2% of the global annual turnover, whichever is higher.
- Sanctions: May include orders to implement corrective measures, suspension of operations, or public disclosure of non-compliance.
- Penalties: Applied for failure to meet the required security measures, incident reporting, or cooperation with authorities.
These penalties aim to enforce strict compliance and enhance cybersecurity across essential and important sectors.
NIS2 Sectors in Scope
The NIS2 Directive applies to a broad range of sectors and industries, classified into two main groups: Essential Entities and Important Entities. Below are the sectors and industries in scope:
Essential Entities:
- Energy: Electricity, including production, transmission, and distribution. Oil, including production, refining, distribution, and storage. Gas, including transmission, distribution, storage, and supply.
- Transport: Air transport, including airlines, airports, and air navigation services. Rail transport, including infrastructure and operators. Water transport, including maritime ports, shipping, and inland waterways. Road transport, including operators of road infrastructure and passenger services.
- Banking: Credit institutions, including banks.
- Financial Market Infrastructures: Trading venues, central counterparties, and central securities depositories.
- Health: Healthcare providers, including hospitals, private clinics, and telemedicine services. Digital infrastructure, such as data centers, cloud computing services, and content delivery networks.
- Drinking Water Supply and Distribution: Providers of potable water.
- Wastewater: Wastewater collection, treatment, and disposal services.
- Digital Infrastructure: DNS service providers, TLD name registries, cloud computing service providers, data centers, and content delivery networks.
- Public Administration: Public entities at central and regional levels that provide essential services to the public.
These sectors are considered critical to the economy, society, and public safety, and the NIS2 Directive aims to enhance the cybersecurity resilience of entities operating within them.
Important Entities:
- Postal and Courier Services: Services related to postal delivery and courier activities.
- Waste Management: Providers of waste collection, treatment, and disposal services.
- Chemical Industry: Production, storage, and distribution of chemicals.
- Food Production, Processing, and Distribution: Includes large-scale food production and processing facilities.
- Manufacturing: Manufacture of medical devices, pharmaceuticals, and other critical products.
- Space: Providers of services related to space operations, such as satellite services.
- Research & Development in Critical Technologies: Entities involved in research and development in sectors crucial for national security and public safety.
How can CommSec Help with NIS2?
Unlock Compliance with Expert Guidance
Start your compliance journey with a tailored consultancy service. At CommSec, we take a consultancy-led approach to ensure your organisation meets all NIS2 obligations. Every compliance requirement is unique, requiring thorough investigation and scoping.
Our process begins with a comprehensive gap analysis to identify your current standing. From there, we work closely with you to bridge those gaps, providing expert advice and helping you select world-class tools to achieve full compliance.
Get in Touch Today to Discuss Your Requirements and Take the First Step Towards NIS2 Compliance.
NIS2 10 Minimum Controls
These minimum controls are essential for organisations to manage cyber security risks effectively, ensuring resilience against potential cyber threats (Source: NCSC Quick Reference Guide).
| # | Cybersecurity Control | Explanation |
|---|---|---|
| 1 | Risk Analysis & Information System Security | Conduct risk assessments and implement tailored security measures to address specific threats. |
| 2 | Incident Handling | Establish processes to detect, manage, and respond to cybersecurity incidents effectively. |
| 3 | Business Continuity Measures | Implement strategies like backups, disaster recovery, and crisis management to maintain service continuity. |
| 4 | Supply Chain Security | Secure supply chains by assessing and managing risks related to third-party vendors and providers. |
| 5 | Security in System Acquisition, Development, and Maintenance | Integrate security throughout the lifecycle of systems and software, including vulnerability management. |
| 6 | Policies and Procedures for Cybersecurity Effectiveness | Regularly assess and improve the effectiveness of cybersecurity measures in place. |
| 7 | Basic Computer Hygiene and Training | Ensure basic cybersecurity practices are followed, and provide regular training to staff. |
| 8 | Use of Cryptography and Encryption | Govern the appropriate use of cryptography and encryption to protect sensitive data. |
| 9 | Human Resources Security, Access Control, and Asset Management | Manage personnel access to systems and secure assets throughout their lifecycle. |
| 10 | Use of Multi-Factor Authentication and Secured Communications | Implement MFA for system access and ensure secure communication channels for sensitive information. |
WHAT HAPPENS NEXT?
A member of our team will get back to you as soon as possible. They will find a suitable time to speak with you, answer any questions you have and help find the perfect solution to suit your requirements.