NIS2 puts cybersecurity on the top management agenda

by | Sep 5, 2024 | ISMS, NIS2

We introduced the EU NIS2 directive in our previous NIS2 blog post. The date from which the NIS2 requirements apply is approaching, so most impacted organisations are probably well on their way to being compliant. However, the improved level of cybersecurity that NIS2 calls for is an ongoing activity, and new organisations keep discovering that they are indirectly impacted through their customers. So let us recap what NIS2 is all about!

Main requirement areas

Main requirement areas are listed in the following picture: 

You can find more information about these in our presentation material. It is also good to remember that even if you have already concluded that your company is not in the scope of NIS2, it might still affect you via your customers. NIS2 requires supply chain security, which means that if your customers are in the NIS2 scope, it is very likely that they will also set at least some NIS2-related requirements on you.

Timeline

The NIS2 directive was adopted on 14 December 2022. As it is a directive, it must be transposed into national law in each member state. The following picture shows the expected timeline for Finland:

The current law proposal for Finland is available (in Finnish) at:

Some other EU countries have already approved their national laws, whereas for others we are still waiting for proposals. Some countries have already declared that their national laws will not be ready in time. Nevertheless, the NIS2 directive sets the minimum requirements and gives good grounds for starting the work, if you haven't already done so. It is also good to remember that cybersecurity is not a project: the activities need to be carried out on a continuous basis.

Executive summary

As said in the title, NIS2 puts cybersecurity on the top management agenda. In practice this means that from 18 October 2024 onwards, top management has very specific responsibilities related to cybersecurity:

  1. Approving the cybersecurity risk management approach
  2. Overseeing the implementation of the cybersecurity risk management approach and the cybersecurity risk management measures
  3. Gaining sufficient knowledge and skills to carry out the above-mentioned tasks

In Finland, the current law proposal states that:

  • Top management = Board of Directors and CEO

The following diagram illustrates the four most important things that should be on the top management agenda.

If you get at least these four things done, you should avoid the potentially substantial administrative fines that a company may be given for not complying with NIS2, at least here in Finland. Other countries might have additional requirements.

PS. Even if you are not directly in the scope of NIS2, your customers that are will most likely require at least the items in the top row from you, and that you inform them about incidents in a timely manner.