Navigating Cyber Compliance

Preparing for NIS2

Curious about the latest on the NIS2 Directive and its implications for your business? Join us for a new CyberConnect session where we’ll dive into the draft legislation released over the summer and examine the current status of NIS2 implementation. This interactive session will provide valuable insights into the strict incident reporting timelines and offer practical advice on compliance.  

Interested in the topic, but can't attend in September? Register for one of our upcoming CyberConnect roundtables.

Practical Information

  • Time:
    Thursday, September 12
    15:30 - 18:00
  • Location:
    Hunt & Hackett
    New Babylon
    Anna van Buerenplein 46
    The Hague

Programme

  • 15:00 – 15:30
    Arrival
  • 15:30 – 16:30
    Hunt & Hackett's experts will give an in-depth review of the draft NIS2 legislation released over the summer, discussing its implications and the current status for Dutch businesses.
  • 16:30 – 17:00
    Event host, Marcel van Oirschot, will lead a group discussion. We will go through any concerns, challenges, or learnings you would like to share about the Directive's arrival and implementation.
  • 17:00 – 17:30
    We will conclude the session with some key takeaways and actionable advice from our experts.
  • 17:30 – 18:00
    Borrel


Preparing for NIS2

How can you ensure compliance?

The second Network and Information Systems Directive (NIS2) came into force in January 2023. This new legislation follows and replaces the 2018 NIS Directive, broadening the scope of enterprises to which it applies. The Directive also introduces mandatory incident reporting requirements for companies falling under its scope. Its aim is to strengthen cybersecurity networks across a variety of sectors in the EU in a harmonised manner. 

The most significant change that comes with the implementation of NIS2 relates to the scope of sectors deemed “critical” in the EU. Under the previous NIS Directive, eight sectors were classified under “essential services”, and Member States were granted significant discretion in the classification of such services. Under NIS2, an expanded list of 11 sectors falls under “essential services”, and an additional seven sectors (deemed “important services”) are also subject to regulation. Organisations falling under the scope of NIS2 will need to implement 10 cybersecurity measures set out in the Directive. They will also face additional obligations related to incident reporting and supply chain security.  

However, before you begin to implement new cybersecurity and risk management measures, keep in mind that they are only a portion of what NIS2 requires from you. The first step should be to examine the structure of your business and management, as the Directive’s incident response and reporting requirements may call for significant reorganisation of security monitoring, incident response, processes and infrastructure.  

While some aspects of NIS2’s implementation remain ambiguous, you can already take steps to prepare. These include setting up an internal management group focused on compliance and investigating the cybersecurity training options available to you. Interested in learning more about how NIS2 may apply to your business? Read our detailed analysis at the link below.