NIS2 directive: Who is affected and what to do now?

NIS2 directive

The European Union is upfront about what matters in its updated cyber security rules: the Network and Information Security 2 (NIS2) directive, officially Directive (EU) 2022/2555 or “NIS2” for short, is mainly about harmonizing measures across the region and the need for collaboration. Let’s see who is affected by the new regulation and what organizations must do to comply now.

The directive entered into force on January 16, 2023, and member states must transpose it into national law by October 17, 2024. It stresses proactive measures, including policies on cryptography and, where appropriate, encryption, to protect systems from cyber threats. By implementing its requirements, organizations strengthen their defenses, identify vulnerabilities, and improve their incident response mechanisms.

NIS2 replaces the original NIS directive (Directive (EU) 2016/1148), which is repealed from October 18, 2024. Acting on the second version now is crucial for organizations that want to stay ahead of new cyber threats, reduce the number of breaches, and build resilience.

Why does the NIS directive need updating anyway?

The first set of NIS rules paved the way for raising the level of cyber security and resilience across Europe. In the light of recent targeted cyber-attacks, it is time to reassess how the EU and its member states should move on.

NIS2 is one of the EU’s answers, and it is setting an example for states outside the Union too. The directive aims to tackle the differences in how EU countries handle cybersecurity, differences that cause problems for businesses operating across borders and weaken overall protection against cyber threats. NIS2 sets baseline rules, updates obligations for an extended set of sectors, and provides supervision and enforcement measures (including administrative fines of up to €10 million or 2% of worldwide annual turnover for essential entities) to ensure the rules are actually followed. This proactive approach aims to mitigate risks, protect sensitive information, and maintain stakeholder trust.

The new standards are also about improving enforcement and encouraging cooperation between authorities. The directive encourages agencies, companies, and authorities to share information, best practices, and threat intelligence.

Will NIS2 affect my organization?

NIS2 applies to organizations in the sectors listed in its two annexes: eleven “sectors of high criticality” (Annex I) and seven “other critical sectors” (Annex II). Within those sectors it covers medium-sized and larger enterprises, that is, organizations with at least 50 employees or an annual turnover or balance sheet total above €10 million. Smaller organizations are included regardless of size in specific cases, for example if they are the sole provider of a service essential for society or the economy in a member state, or if they provide DNS, top-level domain registry, trust, or public electronic communications services.

NIS2 will affect organizations working within the following sectors:

  • Energy (including electricity, district heating and cooling, oil, gas, and hydrogen)
  • Transport (air, rail, water, and road)
  • Banking and financial market infrastructures
  • Health
  • Drinking water and waste water
  • Digital infrastructure (including telecom, DNS and top-level domain registries, cloud, data centers, content delivery networks, and trust services)
  • ICT service management (business-to-business managed service and managed security service providers)
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Chemicals (manufacture, production, and distribution)
  • Food (including production, processing, and distribution)
  • Manufacturing (including medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles, and other transport equipment)
  • Digital providers (including online marketplaces, search engines, and social networking platforms)
  • Research

For all these organizations, starting on NIS2 early is vital. The extra preparation time lets companies address vulnerabilities proactively, reducing the risk of data breaches and system failures, and lets them benefit from collaboration and information sharing within the cybersecurity community, strengthening their defenses and improving their incident response capabilities.

Early compliance has another benefit. Organizations that fortify their cyber defenses, mitigate digital risks, and contribute to a more secure digital environment also tend to prune inefficiencies from their everyday workflows, gaining a competitive edge.

Taking a public stand on cybersecurity is also a show of commitment to your clients. Companies can boost their reputation and credibility by demonstrating that they handle customer data safely and securely.

What does NIS2 entail?

Perhaps unsurprisingly, NIS2 is a lengthy and complex document; the core obligations for companies sit in Article 21 (risk-management measures) and Article 23 (incident reporting). We’ve outlined some of the key steps that companies should take in order to start preparing for the directive.

  • Organizations should make use of cryptography and encryption
  • Encryption transforms data so that it cannot be read without the right key. Most mainstream digital tools use encryption in some way, but where it is applied matters: encryption in transit (TLS) protects data between your device and the provider’s servers, encryption at rest protects stored files with a key the provider holds, and end-to-end encryption keeps the keys on your own devices so that the provider itself cannot read the content. NIS2 (Article 21(2)(h)) requires policies and procedures on the use of cryptography and, where appropriate, encryption, so organizations should check that the encryption in their workplace solutions is up to scratch and that they know who holds the keys. Tresorit uses industry-leading end-to-end encryption, which means files are encrypted on the user’s device before upload and stay encrypted at rest and from the moment they are sent from one device to another; only the intended users can decrypt them.

  • Companies should ensure that good data protection practices run throughout their wider supply chains
  • Your organization might have impeccable cybersecurity practices, but what happens when your precious data is passed on to a supplier or contractor? NIS2 makes supply-chain security an explicit obligation (Article 21(2)(d)), so responsible companies will make cybersecurity a criterion when choosing partners and will ask vendors for evidence such as certifications, audit reports, and patching and incident-handling commitments. It’s also important to ensure that any collaboration tools your office uses to work with outside parties, whether a file-sharing platform or simply email, protect the digital property of all parties. Many mainstream online solutions encrypt data in transit and at rest but keep the keys themselves, so take your time and research what your organization really needs.

  • Organizations should be prepared for a cybersecurity event
  • No organization wants to deal with a major incident such as a data leak, but it should be prepared if the worst happens. Every company should have a comprehensive playbook for handling a cybersecurity event, whether accidental or malicious. NIS2 also sets deadlines for reporting significant incidents (Article 23): an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month, so the playbook should name who reports, to whom, and through which channel. Data handling during a major event can also be strengthened by using an ultra-secure cloud solution that ensures only the necessary personnel, the authorities, and CSIRTs can access sensitive information in case of an accident.

  • Companies should be sure they can continue their work in the event of a cybersecurity incident or other large-scale event
  • If your organization were hit by a threat such as ransomware, or even a natural disaster, could it keep operating? Business continuity matters for everyone, but for companies that deal with vital resources such as water supply and healthcare, it can be critical for the community at large. Many organizations are now shifting to cloud-based storage for backup management and disaster recovery so that their systems can keep operating through disruption: backup files stored in the cloud can be accessed 24/7 from almost anywhere. Two caveats apply. Backups must be kept out of reach of an attacker who already controls your production environment (separate credentials, immutable or offline copies), or ransomware will simply encrypt the backups too, and restores must be tested regularly, because an untested backup is not a recovery plan. Whichever path your organization chooses, you need to be sure that data can be restored easily and securely, even if the worst should happen.

  • Organizations should be prepared to share information on vulnerabilities
  • Information sharing is at the heart of NIS2. But while it’s vital that organizations and agencies work together to minimize security risks, disseminating information about your system’s potential vulnerabilities is inherently risky: it’s exactly the kind of information you don’t want falling into the wrong hands. Three ways to mitigate this risk are to encrypt the data before sending it onward, to verify the recipient (for example your national CSIRT, which under NIS2 also acts as the coordinator for vulnerability disclosure), and to share only what the recipient needs. Many collaboration tools designed with cybersecurity in mind will encrypt automatically; just be sure to check what kind of protection your office platforms offer before you click send.

  • Companies should be aware of good cyber-hygiene practices, and ensure they are followed
  • Cybersecurity is everyone’s responsibility. It’s important that all team members across your organization have some basic training in how to recognize and deal with cyber threats, and that this knowledge is regularly refreshed.

    It’s also important that any software or system that you’ve put in place to ensure better cybersecurity is intuitive and easy to use. If employees find a certain platform difficult to use, then they will most likely find a way to work around it, such as relying on an unsecured messaging app rather than wrestling with an unwieldy e-mail encryption program. This can open your organization up to a range of threats, so it’s better to simply make sure it doesn’t happen in the first place.

  • Organizations should ensure they have strong access control and asset management policies
  • Access control and asset management policies go hand in hand. A company with strong asset management maintains an accurate inventory of all hardware and software it owns. Good access control means the company also knows who has access to each of these items and can keep sensitive data, files, and devices out of reach of unauthorized users: grant the minimum access a role needs, review access rights regularly (especially when people change roles or leave), and protect accounts with multi-factor authentication, which NIS2 lists explicitly among its risk-management measures (Article 21(2)(j)). While this can seem a daunting task, specialized security software such as Tresorit can automatically log when (and by whom) files have been opened, helping you identify suspicious events, and lets you control who can access which files on a granular level, so that only the people who truly need certain data can reach it.

  • Companies should outline an IT security maintenance procedure
  • Cyber threats are constantly changing and evolving. Luckily, so is cybersecurity, but to get any real benefit from these improvements your IT systems must be properly maintained. Before adopting a new piece of software or digital platform in your daily office workflow, check that the vendor still releases patches and updates regularly, how long the version you are adopting will be supported, and how quickly you will be able to apply fixes once they are published. At Tresorit, for example, we place high emphasis on a Secure Software Development Life Cycle to ensure our software’s security as a SaaS provider.
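The distinction drawn in the encryption and supply-chain items above, between a provider that encrypts your files at rest with its own key and one that never holds the key at all, is easiest to see in code. The following is an added example written for this article; it is not Tresorit’s code and not part of the directive. It models a storage provider in Go using AES-256-GCM from the standard library in two configurations, one where the provider holds the key and one where only the client does, and asks the question a vendor review should ask: can anyone with the provider’s access read the file? The server, the sample document, and all function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything the provider stores for one file: a random nonce plus
// AES-256-GCM ciphertext. Without the key it is opaque.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit key. In the end-to-end model it is generated
// on the client and shared with other devices out of band, never uploaded.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // a failing OS CSPRNG is not something to recover from here
	}
	return key
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key. The file name is bound as associated
// data, so a stored blob cannot later be served back under a different name.
func seal(key, plaintext []byte, name string) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// unseal reverses seal; it fails on a wrong key, a tampered blob or a renamed file.
func unseal(key []byte, b Blob, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(name))
}

// Server models the storage provider (constructed, in-memory). With server-side
// encryption it holds serverKey; in the end-to-end model serverKey is nil.
type Server struct {
	files     map[string]Blob
	serverKey []byte
}

func NewServer(serverSideEncryption bool) *Server {
	s := &Server{files: map[string]Blob{}}
	if serverSideEncryption {
		s.serverKey = NewKey()
	}
	return s
}

// UploadPlaintext is the "encrypted at rest" model: the client sends plaintext
// (normally over TLS) and the provider encrypts it with a key it controls.
func (s *Server) UploadPlaintext(name string, plaintext []byte) error {
	if s.serverKey == nil {
		return errors.New("this server holds no key; clients must upload encrypted blobs")
	}
	b, err := seal(s.serverKey, plaintext, name)
	if err != nil {
		return err
	}
	s.files[name] = b
	return nil
}

// E2EUpload is the end-to-end model: encryption happens on the client and the
// provider only ever sees the resulting blob.
func E2EUpload(s *Server, clientKey []byte, name string, plaintext []byte) error {
	b, err := seal(clientKey, plaintext, name)
	if err != nil {
		return err
	}
	s.files[name] = b
	return nil
}

// E2EDownload fetches the blob and decrypts it on the client.
func E2EDownload(s *Server, clientKey []byte, name string) ([]byte, error) {
	b, ok := s.files[name]
	if !ok {
		return nil, errors.New("no such file")
	}
	return unseal(clientKey, b, name)
}

// ProviderCanRead answers the supply-chain question: can someone with the
// provider's access (an admin, an intruder, a legal request) recover the file?
func ProviderCanRead(s *Server, name string) bool {
	b, ok := s.files[name]
	if !ok || s.serverKey == nil {
		return false
	}
	_, err := unseal(s.serverKey, b, name)
	return err == nil
}

func main() {
	doc := []byte("constructed sample: draft incident report") // not real data

	atRest := NewServer(true)
	_ = atRest.UploadPlaintext("report.txt", doc)
	fmt.Println("server-side encryption, provider can read:", ProviderCanRead(atRest, "report.txt"))

	e2e := NewServer(false)
	key := NewKey() // lives on the client devices only
	_ = E2EUpload(e2e, key, "report.txt", doc)
	fmt.Println("end-to-end encryption, provider can read:", ProviderCanRead(e2e, "report.txt"))
	pt, err := E2EDownload(e2e, key, "report.txt")
	fmt.Println("device with the key recovers the file:", err == nil && string(pt) == string(doc))
	_, err = E2EDownload(e2e, NewKey(), "report.txt")
	fmt.Println("device without the key fails:", err != nil)
}
```

Both servers store ciphertext, and both would pass a checkbox that asks "is data encrypted at rest?"; only the second keeps the provider out of the plaintext, which is the property to ask a vendor about. Binding the file name as associated data is a small extra that a real client-side scheme would extend to a file identifier and version, so that the provider cannot swap one encrypted file for another.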

How does NIS2 tie in with the Critical Entities Resilience Directive?

If you’ve heard of the NIS2 directive, then you may have also heard of the Critical Entities Resilience Directive (CER).

The CER directive (Directive (EU) 2022/2557) is another piece of EU legislation that entered into force on January 16, 2023, and, like NIS2, must be transposed by October 17, 2024. It was designed to work in tandem with NIS2, although instead of focusing solely on cybersecurity, it also looks at physical security and resilience.

The Critical Entities Resilience Directive (CER) is designed to ensure that key infrastructure across the European Union can withstand and recover from threats such as natural disasters, terrorist attacks, insider threats, or sabotage.

It largely applies to the same sectors deemed critical by NIS2: energy, transport, banking, health, drinking and wastewater, digital infrastructure, public administration, space, and food production and distribution.

The directive asks EU member states to identify “critical entities” that provide essential services. Individual governments must then adopt a national strategy to make their critical infrastructure more resilient against different threats, and carry out risk assessments at least every four years.

Meanwhile, organizations that are deemed “critical entities” must take their own steps to improve their resilience and inform the authorities in the event of an incident.

Just as most modern companies have both a digital and a physical presence, the Critical Entities Resilience Directive (CER) requires organizations to look at both their cyber and their real-life security. In many cases the two overlap: robust digital communication systems, for example, make it more likely that resources can be redirected in an emergency.

Tresorit’s got you covered with a special guest appearance in the second part of the NIS2 focus topic, by the way. Sign up for Tresorit InfoSec Insider and be the first to read it.

What should I do next?

In the face of new legislation, one of the most important things that organizations can do is take the time to sit down and examine how data is stored and shared across their company.

Taking this time is vital to understand where your business may face weaknesses and vulnerabilities, and how they could be solved.

It’s also important to make sure you have a good idea of how your employees work, and how any new technology or policies could help, rather than hinder, their daily workflow. If colleagues find cybersecurity tools or protocols difficult or cumbersome to use, they’ll often try to circumvent them — leaving your organization open to attacks and accidental data leaks.

Outlining which problems you may need to solve (preferably well in advance) will allow you to consult with experts and find the right tools to help your organization achieve its goals.

Tresorit offers a range of industry-leading secure digital products to help organizations handle data safely: from cloud-based file storage and sharing to encrypted e-mail plug-ins.

If you have questions on how our tools could make your company more secure, contact our team by clicking here.