Sectors Covered by NIS2
Posted: Thu Feb 13, 2025 5:27 am
NIS2 significantly expands the number of sectors that must comply with these requirements. Sectors now covered include:
Energy: supply, distribution, transmission and sale.
Transport: air, rail, road and sea.
Finance: credit, trade, market infrastructure.
Health: research, production, suppliers and manufacturers.
Drinking water and wastewater.
Digital infrastructure: DNS services taiwan telegram data, data centers, cloud services, managed service providers.
Public administration, postal and parcel services, waste management, chemicals, food and production of electronic equipment and machinery.
Requirements for Organizations
The NIS2 Directive imposes new requirements in four main areas: governance, reporting to authorities, risk management and business continuity.
Management : Management must be aware of and understand the policy requirements and risk management efforts. They have direct responsibility for identifying and addressing cyber risks.
Reporting to authorities : Organizations should establish processes to ensure proper reporting to authorities, including an obligation to report major incidents within 24 hours.
Risk management : Measures should be implemented to minimize risks and consequences, including incident management, supply chain security, network security, access control and encryption.
Business continuity : Organizations should consider how to ensure business continuity in the event of major cyber incidents, including system recovery, emergency procedures, and establishing a crisis response team.
Minimum Measures
Not all of the directive's requirements apply to all organizations. Depending on the size, social function and exposure of the organization, the level of requirements varies to ensure that they are proportionate. However, there is a set of minimum measures that all relevant companies must implement:
Risk assessments and security policies for information systems.
Plan for handling security incidents.
Plan for managing business operations during and after a security incident.
Supply chain security.
Policies and procedures to evaluate the effectiveness of security measures.
Security in the acquisition, development and operation of systems.
Cybersecurity training and basic computer hygiene practices.
Policies and procedures for the use of cryptography and encryption.
Security procedures for employees with access to sensitive or important data.
Use of multi-factor authentication, continuous authentication solutions, and encryption of internal communications, where appropriate.
Consequences of Non-Compliance
Organizations that fail to comply with NIS2 from October 2024 will face significant fines. Companies categorized as “essential” could be fined up to €10 million or 2% of their global annual revenue, while “important” ones could face fines of up to €7 million or 1.4% of their global annual revenue.
In addition to fines, the directive allows management teams to be held legally liable for failing to comply with the new requirements. This emphasizes the importance of ongoing cybersecurity training for both management and all employees.
Steps to Comply with NIS2
Complying with the NIS2 Directive requires a proactive and strategic approach to cybersecurity management. Here are some key steps organizations should take to ensure compliance:
Risk Assessment: Conduct comprehensive risk assessments to identify and mitigate vulnerabilities.
Planning and Policies: Develop clear policies and response plans for security incidents.
Training: Implement cybersecurity training programs for all employees.
Security Technologies: Adopt advanced security technologies, such as multi-factor authentication and encryption .
Continuous Monitoring: Establish continuous monitoring systems to quickly detect and respond to security incidents.
Energy: supply, distribution, transmission and sale.
Transport: air, rail, road and sea.
Finance: credit, trade, market infrastructure.
Health: research, production, suppliers and manufacturers.
Drinking water and wastewater.
Digital infrastructure: DNS services taiwan telegram data, data centers, cloud services, managed service providers.
Public administration, postal and parcel services, waste management, chemicals, food and production of electronic equipment and machinery.
Requirements for Organizations
The NIS2 Directive imposes new requirements in four main areas: governance, reporting to authorities, risk management and business continuity.
Management : Management must be aware of and understand the policy requirements and risk management efforts. They have direct responsibility for identifying and addressing cyber risks.
Reporting to authorities : Organizations should establish processes to ensure proper reporting to authorities, including an obligation to report major incidents within 24 hours.
Risk management : Measures should be implemented to minimize risks and consequences, including incident management, supply chain security, network security, access control and encryption.
Business continuity : Organizations should consider how to ensure business continuity in the event of major cyber incidents, including system recovery, emergency procedures, and establishing a crisis response team.
Minimum Measures
Not all of the directive's requirements apply to all organizations. Depending on the size, social function and exposure of the organization, the level of requirements varies to ensure that they are proportionate. However, there is a set of minimum measures that all relevant companies must implement:
Risk assessments and security policies for information systems.
Plan for handling security incidents.
Plan for managing business operations during and after a security incident.
Supply chain security.
Policies and procedures to evaluate the effectiveness of security measures.
Security in the acquisition, development and operation of systems.
Cybersecurity training and basic computer hygiene practices.
Policies and procedures for the use of cryptography and encryption.
Security procedures for employees with access to sensitive or important data.
Use of multi-factor authentication, continuous authentication solutions, and encryption of internal communications, where appropriate.
Consequences of Non-Compliance
Organizations that fail to comply with NIS2 from October 2024 will face significant fines. Companies categorized as “essential” could be fined up to €10 million or 2% of their global annual revenue, while “important” ones could face fines of up to €7 million or 1.4% of their global annual revenue.
In addition to fines, the directive allows management teams to be held legally liable for failing to comply with the new requirements. This emphasizes the importance of ongoing cybersecurity training for both management and all employees.
Steps to Comply with NIS2
Complying with the NIS2 Directive requires a proactive and strategic approach to cybersecurity management. Here are some key steps organizations should take to ensure compliance:
Risk Assessment: Conduct comprehensive risk assessments to identify and mitigate vulnerabilities.
Planning and Policies: Develop clear policies and response plans for security incidents.
Training: Implement cybersecurity training programs for all employees.
Security Technologies: Adopt advanced security technologies, such as multi-factor authentication and encryption .
Continuous Monitoring: Establish continuous monitoring systems to quickly detect and respond to security incidents.