The European Commission is proposing comprehensive legislation aimed at elevating cybersecurity standards across the European Union (EU). Network and Information Security 2 (NIS2) is the revised version of NIS, which was introduced in 2016 as the EU’s first cybersecurity directive.
What is the difference between the two? The scope of NIS2 has expanded its regulatory reach from seven sectors to include 15 sectors; it also has a new size-cap rule. This means companies with more than 50 employees and more than €10m in revenue must comply. Hence, the number of companies in the EU falling under NIS2 regulatory scope has significantly increased, bringing the number up to approximately 150,000.
NIS2 also encompasses a broader spectrum of industry sectors, requiring prescribed cybersecurity measures and establishing stringent incident reporting obligations to further enhance enterprise cybersecurity preparedness. The directive includes provisions for imposing sanctions and fines as a means of enforcement. By October 2024, when NIS2 is expected to be translated into a national law, companies will be required to implement suitable technical and organizational measures to manage risks that may affect the security of their network and information systems.
To ensure effective compliance, the directive empowers national authorities to supervise companies during regular and targeted audits, on-site and off-site checks, requests for information and access to documents or evidence. After the GDPR, NIS2 is the most stringent and extensive cybersecurity legislation passed by the European Commission.
Why Should Companies Act Now?
NIS2 imposes obligations on all large- and medium-sized critical infrastructure providers and digital service providers operating in the EU and companies that operate outside the EU but offer services in the EU. Non-compliance with NIS2 not only leaves organizations vulnerable to cyber threats but also to regulatory sanctions and fines. Management bodies are required to play a proactive role in overseeing and implementing the cybersecurity measures highlighted within the directive. What are the repercussions of non-compliance?
- Fines of up to €10m or 2% of the previous year’s global turnover
- Management liability including penalties and a potential temporary ban from management roles
While large companies may already have certain cybersecurity controls in place, medium-sized companies may not and may need to put in extensive effort to meet the October 2024 deadline.
How can companies know if they are within the scope of NIS2 and check their compliance status?
ISG’s Quick Self-assessment Solution
ISG has developed a self-assessment tool to allow companies to quickly assess the applicability of NIS2 and check the preparedness of their organizational controls. The tool enables companies to evaluate their technical and organizational measures on a maturity scale in domains such as information security management, risk management, awareness, third-party security, access management, HR security, measuring effectiveness, etc. Companies using the tool are provided with a customized snapshot of the maturity of their controls and targeted recommendations for improvement. Not only does the tool provide an opportunity for companies to evaluate the maturity of their controls against requirements of NIS2, it also provides an opportunity to enhance the maturity of controls in general.
The tool is available in English, German and French and can be accessed at no cost.
Are you prepared for NIS2?
What Is the Fastest Path to NIS2 Compliance?
ISG helps enterprises understand the rapidly changing cybersecurity landscape and the ways NIS2 applies to their circumstances. We guide organizations through the necessary steps to enhance their security measures and ensure robust compliance.
We offer the following services:
- Conducting comprehensive maturity evaluations based on NIS2 requirements in areas such as risk analysis, incident management, vulnerability management, business continuity, supply chain security and cryptography
- Developing or transforming the enterprise cybersecurity strategy, including making or buying decisions and deriving an actionable compliance roadmap
- Aligning existing security policies with leading industry standards and best practices, such as ISO 27001 and NIST CSF in a matter of minutes with ISG’s One Align solution
- Conducting management trainings, cyber war games and information security awareness trainings for all employees and third parties
- Creating robust incident response plans and capabilities
- Quantifying cyber risk and compliance in financial terms for management and business
Companies need to embrace NIS2 today to safeguard their future. ISG’s NIS2 compliance self-assessment tool can help you get started. Contact us to find out how.