NIS2 Insights: Expert Tips On Compliance And Business Impact

Jonneke
16.10.2024

The NIS2 directive is the latest EU-wide cybersecurity reform to affect organizations in various sectors. It strengthens the measures of the original NIS Directive of 2016 and extends its scope to more sectors. In the face of the increasing number and severity of cyberattacks, NIS2 aims to make companies more resilient and to promote cooperation between EU member states. The following questions shed light on how companies are affected by NIS2 and how they can best prepare.

What is NIS2 and what are the changes compared to the NIS Directive?

NIS2 is the revised version of the EU's NIS (Network and Information Security) Directive, which came into force in 2016. The directive aimed to ensure a high common level of cybersecurity in the EU by requiring operators of essential services (e.g. energy supply, healthcare) and digital service providers to meet strict security requirements.

The innovations of NIS2 compared to the original NIS directive include:

  • Extension of the scope of application: NIS2 applies to a wider range of companies and sectors, including health, financial markets, wastewater and waste management, public administrations and certain digital service providers.
  • Stricter reporting requirements: Companies must report serious cyber incidents within 24 hours. There are stricter requirements for risk assessment and management.
  • Higher penalties: The penalties for violating the NIS2 directive are stricter and can be as high as €10 million or 2% of a company's global annual revenue in the worst case.
  • Increase in accountability: Company management is explicitly responsible for cybersecurity measures and must ensure that appropriate technical and organizational precautions are taken.
  • Stronger cooperation between member states: The EU is committed to improving coordination and information sharing between national authorities.

See also: How to Achieve NIS2 Compliance: What Businesses Need to Know

How do smaller companies that do not fall directly under NIS2 benefit from better cybersecurity measures?

Even though smaller companies are not directly covered by the NIS2 directive, there are many advantages to improving their cybersecurity measures:

  • Protection against attacks: Cybercriminals frequently target smaller companies because they tend to be less well protected. Improved security measures reduce the risk of such attacks.
  • Trustworthiness with business partners: Many larger companies and suppliers subject to the NIS2 Directive prefer partners that meet regulatory requirements and have appropriate information security measures in place. Smaller companies can thus increase their competitiveness.
  • Protect sensitive data: By improving their cybersecurity, small businesses can better protect confidential customer and company data, which protects their reputation and minimizes legal risks.
  • Prepare for future regulations: Cybersecurity requirements are becoming increasingly stringent. Investing in security technologies at an early stage prepares companies for possible future legal requirements.

What are the first steps that companies should take to comply with the requirements, even if they are not yet familiar with NIS2 in detail?

To meet the requirements of the NIS2 directive in good time, companies should take the following steps:

  1. Raise awareness: Management and the IT department should take a close look at the requirements of the NIS2 directive and apply them to their own organization.
  2. Conduct a risk assessment: A comprehensive risk assessment helps to identify potential cybersecurity vulnerabilities. This should include both technical and organizational risks.
  3. Develop a cybersecurity strategy: Based on the risk assessment, a security strategy should be developed that sets clear goals and responsibilities.
  4. Implement reporting processes: Organizations should implement security incident reporting processes to ensure cyberattacks are reported within the given deadlines.
  5. Offer training: Training for employees is crucial to raise awareness of cybersecurity risks and ensure that security policies are understood and adhered to.
  6. Enlist external help: External specialists can help assess the current state of compliance and ensure that the NIS2 requirements are met.

What practical examples show the benefits of NIS2 compliance and what can companies learn from incidents?

Organizations that comply with cybersecurity requirements early on can benefit from several advantages:

  • Maersk case study: Maersk, one of the largest logistics groups, suffered significant losses as a result of the “NotPetya” attack in 2017, which caused massive business interruptions and cost the company billions. This incident highlighted the far-reaching consequences of a lack of cybersecurity measures. As a result, Maersk invested heavily in improving its security infrastructure and now has one of the most advanced cybersecurity architectures in the logistics sector. Had the company already adhered to stricter cybersecurity standards in advance, the impact of the attack could have been reduced.
  • Lessons learned from incidents like “NotPetya”: The attack on Maersk also highlights how vulnerabilities in the supply chain or with external partners can put companies at risk. From such incidents, companies can learn that tighter security management, including monitoring of partners and suppliers, is crucial to fend off similar attacks in the future.

How do companies embed cybersecurity across the organization and beyond the IT department?

To embed cybersecurity throughout the organization, companies should:

  • Ensure clear communication of responsibility: Senior management must make cybersecurity a priority and communicate its importance across all departments.
  • Provide regular training: All employees should receive regular training in cybersecurity practices, particularly in areas such as phishing defense, password management, and handling sensitive information.
  • Build a culture of security: Cybersecurity should be part of the corporate culture, in which employees take responsibility for protecting data and systems.

Why should companies include supply chains and partners in their cybersecurity strategy, and how does NIS2 support this?

Including supply chains and external partners in the cybersecurity strategy is crucial because many cyberattacks occur through vulnerabilities in the supply chain. The NIS2 directive plays a central role here because it extends responsibility for cybersecurity measures to critical suppliers and service providers. Companies must ensure that their partners maintain similar security standards to minimize the risk of an attack.

Some measures are:

  • Auditing and vetting partners: Companies should conduct regular security audits of their partners to ensure that they are implementing adequate cybersecurity measures.
  • Contractual agreements: Security requirements should be included in contracts to ensure that suppliers and service providers adhere to the same security standards.
  • Joint contingency plans: Companies and their partners should develop joint plans for handling security incidents to ensure a rapid response in the event of an emergency.
