NIS 2 Is Now Law in the EU: Are You Ready to Comply?

Sarah Kolberg
Oct. 17, 2024 was the deadline for EU member states to transpose the NIS 2 Directive into national law. The obligations now reach companies through each country's implementing legislation. Are you prepared?

Almost every critical industry now depends heavily on digital infrastructure: healthcare, manufacturing, transportation, power transmission and distribution, and more. IT-OT convergence expands the attack surface of these environments, and many of these industries are increasingly targeted by cyberattacks.

As a result, cybersecurity is receiving more attention from legislators. Intensifying cybercrime requires the legal framework to be updated and redesigned to match current security requirements. To achieve comprehensive cyber resilience across the European Union (EU), for example, the EU is issuing numerous directives and regulations.

The EU's first Network and Information Security Directive (NIS 1, Directive (EU) 2016/1148) was adopted in 2016. Its successor, NIS 2 (Directive (EU) 2022/2555), entered into force in January 2023 and extends the minimum requirements for network and information security of the first directive. Oct. 17, 2024 was the deadline for member states to transpose NIS 2 into national law; not every member state met that date, so check the transposition status in each country where you operate.

The NIS 2 Directive sets out the key risk management measures that organizations in critical sectors must implement to withstand the evolving threat landscape. Its goal is to strengthen the cyber resilience of companies within the EU and to establish a common, high level of cybersecurity across the Union.

The scope of NIS 2

The scope of NIS 2 is significantly larger than that of NIS 1: it covers 18 sectors (11 "high criticality" sectors in Annex I and 7 "other critical" sectors in Annex II), and estimates put the number of affected entities at roughly ten times the number under the previous directive.

Company size matters less than under NIS 1. The default threshold is the EU definition of a medium-sized enterprise (at least 50 employees, or more than EUR 10 million in annual turnover or balance sheet total), but some entities are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks and any entity that is the sole provider in a member state of a service essential to critical societal or economic activities. The directive formally binds entities that provide services or carry out activities in the EU, but it reaches suppliers outside the EU indirectly: in-scope entities must manage supply-chain risk and will push security requirements down to their vendors by contract. NIS 2 therefore sets a new standard in network and information security with international implications.

Companies that fail to implement these risk management measures face GDPR-style administrative fines (Article 34), which member states must set at least as high as:

  • For "essential" entities: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher

  • For "important" entities: up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher

The biggest challenge of implementing NIS 2

Alongside other obligations such as incident reporting (Article 23) and management-body accountability (Article 20), the cybersecurity risk management measures in Article 21 are the core of the new directive for companies in critical sectors.

The main challenge is that the obligations in NIS 2 are not specific enough to derive implementation strategies, architectures or technology choices directly. Article 21 requires "appropriate and proportionate" technical, operational and organizational measures based on an all-hazards approach, but it does not say which controls meet that bar. Neither the directive nor the national transposition laws define suitable cybersecurity solutions on their own. In practice, organizations map the Article 21 measures onto established frameworks (for example ISO/IEC 27001, or IEC 62443 for OT environments) to derive concrete controls and the evidence an auditor will ask for.

Risk Management Measures from NIS 2 Directive Article 21

Article 21(2) lists the following risk management measures:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

Because supply chain security is itself one of the measures, companies cannot implement these requirements alone: they must work with their manufacturers and suppliers, for example by writing security requirements into procurement contracts and verifying that suppliers meet them.

How Belden can help with NIS 2

Belden can help you find your way through NIS 2 and comply with requirements. We work with companies to develop customized solutions for their environments. For example, a good first step on your journey to compliance can be Belden’s Network Assessment Service.

In our whitepaper, you’ll find a comprehensive overview of the European cybersecurity standard and all the obligations of NIS 2, along with an explanation of how Belden and its solutions can help you fulfill requirements.

In addition, our experts explain everything you need to know about the NIS 2 Directive in a webinar.
