Shed some light on NIS2 and how it impacts your organization with 5 facts about the NIS2 directive.
You know the feeling. Summer just began and you are off on vacation. Everything is peaceful and while you are relaxing by the pool with a good crime-novel, a thought hits you – what was it they said about NIS2? Is any of it relevant to me and when will it become relevant?
The short answers to your questions are Yes and Right Now!
Let us get a few facts straight about NIS2
NIS2 is an expansion and a refining of the existing network and information security directive (NIS1), that became effective on 18 May 2018. It is an EU-directive, whose purpose is to heighten the cyber-security of businesses and public authorities. It achieves this through risk-based precautions such as prevention and handling of security events, security in data storage, and data processing, as well as plans for handling being hit by a cyber-attack.
NIS2 should very much be understood in light of the cyber-threat becoming larger and more complex. NIS1 is therefore out of the game, as the directive contained many exceptions, was limited to only a few sectors and was lacking tools within authority supervision and reporting obligations.
NIS2 places the responsibility with the management
NIS2 has brought with it a large focus on the management’s responsibility to implement and educate employees about following the directive. Affected businesses and authorities have a reporting obligation to both responsible authorities and customers.
If the NIS2 is not adhered to, fines as high as 10 million euros or 2% of the business’ revenue, may be issued. In extreme cases, the responsible authority has the ability to completely stop the business’ activities. There is also increased supervision of the affected businesses and authorities.
Will your business or authority be affected?
A far larger number of sectors and fields will be affected by NIS2. A distinction is made between Critical units and Important units, and NIS2 includes businesses and authorities with more than 50 employees or a revenue of more than 10 million euros. But note that smaller businesses may also be affected.
Critical units | Important units |
Energy | Post and courier services |
Transport | Waste management |
The banking system and financial infrastructure | Manufacturing and distribution of chemicals |
Drinking water and wastewater | Manufacturing of medical equipment, computer, electronics etc. |
Digital infrastructure | Food production |
Public administration | Digital providers, including online marketplaces, search engines and social media services |
Health |
NIS2 is a so-called minimum directive, which means that the individual nation-state can make greater demands of sectors’ participation. In the case Denmark, it has already been decided that the regions will be involved, while it has not yet been decided, whether entire or selected areas of the municipalities’ administration will be affected.
When do you have to comply with NIS2?
NIS2 will be enacted shortly. Then, the law will be released to the public, and 20 days following the publication, the legislation will be put into effect. EU-member countries, however, have 21 months to create their own, national legislation, whereafter it will become effective in Denmark and the rest of the EU.
Do not tell yourself that 21 months is a long time. Remember that cybercriminals do not wait for legislation, and there is a big task ahead of you.
What do you need to do?
You should already now be looking into if you will be affected by NIS2. If the answer is Yes, you should, as soon as possible, start analysing what is required to adhere to the directive.
It can wait until after your vacation, but the pool and the crime-novel are just so much better – when you know if you should read up on NIS2.