NIS2 is coming – the best time to start preparations is now

by | Nov 28, 2023 | Cybersecurity, NIS2

What is NIS2?

NIS2 is the new EU-wide legislation on cybersecurity. More technically, it is DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union amending 

  • REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC 
  • Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code

and repealing 

  • DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the NIS directive).

As NIS2 is a directive, it requires changes to the laws of EU member states by October 17, 2024. In Finland, the current implementation proposal is: Laki kyberturvallisuuden riskienhallinnasta. Local laws will be applied from October 18, 2024 onwards – so the best time to start preparations is right now. 

Does NIS2 apply to you?

NIS2 applies to the following sectors:

Annex I: Sectors of high criticality
Annex II: Other critical sectors

If your company works in these areas and the total company size – not just the size of the parts that are working in the above-mentioned sectors – is

  • medium: 50 employees OR annual turnover > 10 M€ and annual balance total > 10 M€, or
  • bigger: 250 employees OR annual turnover > 50 M€ and annual balance total > 43 M€,

then you should definitely check the details in Annex I-II of the NIS2 directive and/or section C divisions 26-30 of NACE Rev. 2. Notice that certain entities are included regardless of their size – check the details in Article 2.2-2.4 of the NIS2 directive.

What does NIS2 require?

Basic requirements are simple and easy to list. If you have the following in place, you are well on your way:

  1. Cybersecurity Risk Governance: Top management is ultimately responsible for cybersecurity risk management. They must have sufficient cybersecurity risk management knowledge and the skills to approve and actively oversee both the cybersecurity risk management approach and the cybersecurity risk management measures. They should be aware that management bodies can be held personally responsible for infringements, in addition to the administrative fines that the organisation might face.
  2. Cybersecurity Risk Management: Risk management shall be based on an all-hazards approach that covers the security of the network and information systems used for operations or the provision of services, and their physical environment. It prevents or minimises the impact of incidents on operations, continuity of operations, recipients of services and other services through the identification, assessment and treatment of cybersecurity risks.
  3. Basic Cybersecurity Risk Management Measures: The risk management approach shall consider technical, operational and organisational measures. At a minimum, risk management measures include network and information system security; system acquisition, development and maintenance; vulnerability handling and disclosure; supply chain security; asset management; human resource security and cybersecurity training; access controls and authentication; use of cryptography; use of secured communication systems; incident handling and business continuity; basic cyber hygiene practices; physical security; and effectiveness evaluation.
  4. Cybersecurity Incident Reporting Channels: The organisation shall be capable of detecting significant incidents and reporting them to the relevant authorities within the given time frames: an early warning within 24 hours, an incident notification within 72 hours, intermediate reports on request or as needed, and a final report within one month after the incident notification (or after the handling of the incident, if the incident is long term).

If you need more help, contact us and we can help you figure out your current status and the way forward. And if you wish to go beyond the basic requirements, we can help to ensure your risk management improvements are done so that they also pave the way towards potential certifications, such as ISO 27001 or IEC 62443-4-1, and towards compliance with the upcoming EU Cyber Resilience Act.