Ready for NIS 2? An Overview of the new EU IT Security Directive

The NIS 2 directive must be implemented by October 2024. We provide an overview of this new EU directive and tips on how you can prepare for it.


What is the NIS-2 directive?

NIS 2 is the second version of the EU Network and Information Security Directive. The NIS 2 directive came into force in January 2023 and aims to strengthen and standardize the level of cybersecurity within the European Union. EU member states have until October 17, 2024, to integrate this directive into their national legislation.

What new features does NIS-2 include?

The NIS 2 directive introduces significant changes compared to the first version from 2016. The most important innovations include:

  1. Expanded scope: The NIS 2 directive expands its scope to include more sectors and types of companies that are considered essential to the economy and society.
  2. Stricter security requirements: Companies need to implement advanced security policies and measures to prevent risks and respond to incidents.
  3. Extended reporting requirements: The directive introduces stricter requirements for the reporting of security incidents to enable a faster and more coordinated response.
  4. Increased sanctions: In the event of non-compliance, the NIS 2 directive contains provisions for stricter sanctions to ensure that the rules are enforced.

The full content of the NIS 2 directive can be found in the Official Journal of the European Union (PDF).

What does NIS 2 mean for companies?

At the beginning of 2023, NIS 2 became mandatory throughout the European Union. According to the requirements, the EU member states have until October 17, 2024, to integrate this directive into their national legislation. 

However, this does not mean that all requirements must be implemented immediately. The directive offers a transitional period to give the affected companies the opportunity to adapt their internal processes, security guidelines and technical systems to the new requirements. 

This transition period is crucial as it gives companies the time they need to carry out thorough risk assessments, develop comprehensive security strategies, and implement the necessary technical and organizational measures.

Practical implementation of the NIS 2 directive: Strategies and measures for companies

Implementing the NIS 2 directive requires a comprehensive strategy that includes both technical and organizational measures. The basic security measures can vary depending on the size of the company and the industry. However, they generally include:

  1. Risk assessment: Identify and evaluate the specific security risks to which your company is exposed. Take internal and external threats into account.
  2. Security policies and procedures: Develop comprehensive security policies and procedures that meet the requirements of the NIS 2 directive. These should clearly define how security incidents are identified and handled, how data is protected and how compliance is monitored.
  3. Training and awareness-raising: Make sure your employees are informed about the risks and the necessary security measures. Training sessions and training materials can help to raise awareness of cybersecurity.
  4. Emergency plans and response: Create detailed plans for dealing with security incidents. These plans should include clear steps for incident response, communication, and recovery.
  5. Mobile Device Management (MDM): Review your device structure and implement MDM solutions where required. This is crucial to securely manage mobile devices and protect them from threats.
  6. Security monitoring and auditing: Set up systems to continuously monitor your IT infrastructure. Regular security checks and audits are required to identify and eliminate vulnerabilities.
  7. Incident Reporting: Establish procedures to report security incidents, including reporting to the appropriate authorities if required.
  8. Documentation and evidence: Keep careful records of all security measures and compliance activities, as you may need to provide evidence of compliance with the NIS 2 directive.
  9. Promote a security culture: It is critical to establish a culture within your organization in which security plays a central role. All team members should be involved in security efforts.

Conclusion: NIS 2 – both a challenge and an opportunity

The NIS 2 directive represents a significant challenge, but also an important opportunity for companies to strengthen their cybersecurity measures and consolidate the trust of their customers and partners. 

With a proactive attitude and a strategic approach, such as the implementation of a mobile device management solution like Cortado MDM, companies can not only meet the requirements of the NIS 2 directive, but also significantly improve their resilience to digital threats.

And the good news: some of the requirements of NIS 2 are not new but were already required by the General Data Protection Regulation (GDPR). Companies that are already GDPR-compliant are in a good position to meet the requirements of NIS 2. Overall, the NIS 2 directive offers the opportunity to raise cybersecurity to a higher level and to better meet current and future digital challenges.
