NIS2 DIRECTIVE: STRENGTHENING EUROPEAN CYBERSECURITY FOR THE FUTURE

The NIS2 Directive, adopted in 2022 and in force since January 17, 2023, must be transposed into national law by each member state by October 17, 2024.

The Directive builds on the previous NIS Directive: it promotes a culture of cybersecurity and encourages shared responsibility for risk management and for adopting measures against increasingly sophisticated attacks.

NIS2 responds to rapid technological advancements and the escalation of cyber threats, expanding its scope and introducing more stringent regulatory requirements.

The Directive imposes the following obligations on companies:

  • Analyze and assess the security risks of information systems
  • Manage cybersecurity incidents with a plan and continuous monitoring
  • Develop a business continuity and activity management plan
  • Regularly test IT infrastructure security
  • Ensure the security of supply chains

Relevant Sectors and Entity Classification

The aim of the NIS2 Directive is to ensure a high level of cybersecurity in all member states, ensuring that digital infrastructures are resilient against cyberattacks. NIS2 extends its scope to a larger number of entities, expanding the sectors considered essential, including energy, transport, financial markets, digital infrastructure, public administration, and space.

The Directive classifies entities into two groups:

  • Essential
  • Important

“Essential” entities must comply with stricter security requirements due to their crucial role in society, while “Important” entities are subject to less stringent obligations, despite playing a significant role in the EU’s cyber ecosystem.

[Figure: Essential and Important Sectors Subject to the NIS2 Directive. Credits: https://www.cyberacademy.online/blog/nis2-in-cosa-consiste-e-perche-e-importante]

Implications for Companies and Governments

Organizations subject to the Directive must conduct a detailed assessment of their cybersecurity policies and procedures while investing in necessary training and technologies.

The NIS2 Directive requires governments to establish or strengthen national cybersecurity frameworks, including the appointment of competent authorities, the establishment of computer security incident response teams (CSIRTs), and the development of national cybersecurity strategies.

Sanctions

Entities subject to NIS2 must be aware of the following sanctions for non-compliance with the Directive: for Essential entities, fines can reach up to 10 million euros or 2% of global annual turnover, whichever is higher; for Important entities, fines can reach up to 7 million euros or 1.4% of global annual turnover, whichever is higher.

The NIS2 Directive emphasizes the importance of combining a reactive approach with a proactive one, since no organization can expect to avoid cybercriminal attacks entirely.

The Cinetix Solution

Cinetix offers an innovative approach across the entire supply chain, leveraging the expertise of specialist partners:

  • Starting from the analysis of the existing situation
  • Highlighting non-compliance and compliance gaps
  • Defining an implementation plan for the Directive
  • Suggesting the most suitable solutions, covering both the procedures to follow and the technology to adopt (such as encryption rules, artificial intelligence, machine learning, DNS traffic analysis, and monitoring)

This independent, third-party approach by Cinetix (focusing on actual needs and identifying the “best solution”), combined with periodic review, significantly raises companies’ security levels.