
Arctic Wolf
What does the NIS2 directive mean for organisations?
Increasing cyber-resiliency for European Union Member Countries
The Network and Information Systems 2 (NIS2) directive is a Directive of the European Union to improve the security and resilience of networks and information systems and achieve a high common level of cybersecurity across the member countries in the EU. Companies will be required to disclose network and computer system incidents beyond just data breaches, as critical infrastructure and limited other industries were required to do under the initial directive.
About the NIS2 Directive
The previous Network and Information Systems (NIS) directive (EU 2016/1148) was updated and expanded to form the new NIS2 directive (EU 2022/2555), which was enacted on 14th December 2022 and comes into force, when transposed into local law in each member state, by 17 October 2024.
The directive sets out the extensions and modifications to the systems put in place for the original directive to enable better co-ordination in response to cyber-attacks across a wider breadth of industries and organisations.
NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity. It builds on the previous NIS Directive and represents a further development of measures to meet the challenges of an increasingly digitalised world.
Who Does NIS2 Impact?

EU Member Countries
NIS2 applies to substantially more industries and organisations than its predecessor. To determine who must comply with the directive, organisations are deemed very critical or critical and then sub-categorised as ‘Essential’ and ‘Important.’
A full list of covered entities can be found in NIS2 Annex I and II.

Supply Chain
Supply chain issues are regulated in Article 21(2)(d) of the NIS2 Directive. According to this provision, one of the responsibilities of key and important entities will be to put in place appropriate and proportionate technical, operational and organisational measures to ensure supply chain security. For this reason, companies delivering into EU NIS2 sectors will also need to be NIS2 critical compliant.

Micro-enterprises
NIS2 does not generally apply to micro-enterprises with fewer than 50 employees and an annual turnover of less than 7 million euros. However, such micro-enterprises would be covered under the Directive if the entity is deemed a vital service.
In addition, NIS2 will continue to be a guiding framework for most businesses.

Non-EU Member Countries
If you are a non-EU member country that does business within the EU, you are not bound by this EU legislation. However, non-EU member states doing business with any EU member countries will need to be compliant and should be prepared to implement similar comprehensive and resource-consuming measures.
Member states have until October 2024 to implement NIS2 into national law.
However, many organisations are already facing enormous challenges in implementing the requirements and appropriate security measures: a lack of specialist knowledge, scarce human resources and great difficulties in finding and retaining suitable IT staff in the long term to enable 24x7 monitoring and faster response times. Learn how Arctic Wolf can support you with NIS2 compliance.