What is the NIS2 directive?
Is your organization medium or large and active in one of the critical sectors such as energy, transport, health and digital infrastructure? Then new legislation from the EU can have a lot of impact on the requirements for cybersecurity within your organization. “This European directive will help around 160,000 entities to strengthen their grip on security and make Europe a safe place to live and work. The law should also allow for the sharing of information with the private sector and partners around the world.
Is your organization
essential or important?
The way in which enforcement will take place depends on the category in which an organization falls. Under the NIS2 there are two categories under which organizations may fall. Organizations can be labeled as essential or as important. Whether an organization is labeled as essential or important depends on whether the organization falls under a critical or a very critical sector and depends on the size of the company.
Risk assessment & remediation actions
Risk assessment is a key tool to map the cyber security areas and respective level of preparedness. From gap analysis entities define remediation actions based on proportionality of measures principle.
Reporting obligations
Entities should be able to notify authorities within 24 hours of incident occurence and provide detailed description afterward. Also, significant incident was redefined to include situations when harm is not even materialized.
Harsher sanctions
Max fines soared to 10 mil. EUR for Essential and 7 mil. EUR for Important entities (or 2% of the total worldwide annual turnover and 1,4% respectively, whichever is higher).