

New NIS2 Directive: New rules for improved cyber security

Cyber attacks are multiplying and becoming increasingly sophisticated. The attacks of 2022 made it clear that cyber threats such as ransomware, phishing and CEO fraud do not discriminate between small, medium and large businesses. The trend toward “supply chain attacks,” in which subcontractors are compromised as a way into their customers' networks, has increased, with notable cases such as SolarWinds. In 2020, SolarWinds, a company specializing in network management and IT security software, disclosed that it had been infiltrated by cybercriminals who compromised its Orion software. The attackers injected malicious code into Orion updates, which were then distributed to many client organizations, compromising the networks of numerous companies and government agencies that use the software. This widely publicized attack was called a “supply chain attack” because it exploited users' trust in software updates from a reputable source. It had far-reaching repercussions and highlighted vulnerabilities in the software supply chain, prompting many companies to strengthen their security measures against such attacks.

Instead of attacking companies directly, cybercriminals are increasingly choosing to go through their subcontractors in order to spread more easily into their customers' networks. All businesses are now susceptible to cyber attacks. SMEs are 4.5 times more likely to fall victim to cyber attacks than larger companies combined. They are specifically targeted by malware that encrypts their information systems and destroys their backups, a method that has caused business failures in the most serious cases. This underscores the importance of every business being prepared for an attack.

Against this background, the NIS2 Directive (Directive on Network and Information Systems Security) is a major development aimed at strengthening the protection of digital infrastructures in Europe. The NIS2 Directive, the successor to the NIS 1 Directive, is one of a number of major initiatives aimed at creating a more robust and harmonized framework for network and information system security. For many companies, this new directive is the subject of much debate and questioning. What will be its impact and significance for companies and administrations in the EU?


What is the NIS2 Directive?

The NIS2 directive (Network and Information Security, version 2) is a European regulation designed to harmonize and strengthen cyber security within the EU. It is the successor to the NIS 1 directive and introduces new measures to ensure a high common level of security for networks and information systems. The NIS2 directive was adopted in January 2023. EU member states have a set period in which to transpose the directive into their national legislation.

Who is affected by NIS2?

The NIS2 Directive covers a wide range of business sectors. It is aimed at private companies, public administrations and other entities operating within the EU.
One of the strategic goals of NIS2 is to expand the scope of NIS to include operators of essential services and digital service providers in sectors deemed "critical for the economy and society". NIS2 will cover providers of public electronic communications services, digital services (including social networking platforms and data center services) and healthcare services, including entities operating in the medical devices and life sciences sectors, in particular pharmaceutical research and development, as well as manufacturers of medical technology products.

The NIS 2 Directive mainly concerns two categories of entities:

Operators of Essential Services (OES), now called Essential Entities (EE), which were already covered by the first version of the directive, NIS1. OESs / EEs are entities that run services essential to society and the economy. This includes sectors such as energy, transport, healthcare, banking and financial services, water, digital infrastructure and digital services.

Digital Service Providers (DSPs), now called Important Entities (IE). DSPs / IEs are companies or organizations that provide digital services, such as cloud services, online platforms, search engines, e-commerce services and other similar services. They are covered by the directive if they meet certain thresholds in terms of the number of users or the economic value of the services provided.

According to the NIS 2 Directive, an entity qualifies as essential or important on the basis of two criteria:

  • Size of the entity (number of employees, sales, annual balance sheet);
  • Criticality of the business: the type of entity, determined by the activities it performs.

What are the main changes compared to NIS1?

The NIS 2 Directive introduces several important changes compared to the NIS 1 Directive, including:

Extension of the scope: NIS2 extends the directive to a wider range of business sectors and digital service providers. Companies in new categories may therefore become subject to cyber security obligations.
Enhanced security requirements: The directive imposes stricter preparedness and incident management measures, as well as stricter incident reporting obligations.
Security score: NIS 2 introduces a security scoring system to assess the resilience of DSPs and OESs. This will enable the competent authorities to identify players with higher security levels.

The NIS 2 directive introduces several new obligations for the entities concerned. Essential and important entities will have to introduce new technical, organizational and operational measures:

  1. Contractual obligation for security in the supply chain. Entities must ensure that information security is maintained throughout the supply chain. This means that suppliers, subcontractors and other partners must also comply with appropriate security standards.
  2. Reporting obligation. The directive requires that security incidents with a significant impact on the continuity of essential services be reported to the competent authorities within a specified time frame.
  3. Management responsibility. Management is responsible for ensuring that security policies and procedures are implemented, maintained and regularly reviewed.

What steps must companies and local authorities take to comply with the NIS2 Directive?

Companies and local authorities will need to strengthen their security standards, establish incident reporting mechanisms and possibly conduct risk assessments and security audits. They will also need to work closely with the relevant national authorities.

Implementation of specific cyber security measures:

  • implementation of risk analysis and security policies for information systems: each entity must review its structure to assess its cyber risk;
  • incident management;
  • establishment of Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs), i.e. measures to ensure business continuity in the event of an incident, such as correct management of backups and crisis management procedures;
  • security in the acquisition, development and maintenance of networks and information systems;
  • assessment of the effectiveness of cyber risk management measures;
  • application of cryptographic policies and procedures, and use of cryptographic techniques to encrypt information for better protection;
  • asset management and access control policies: rigorous access control, to prevent intrusions and benefit from robust security;
  • training of employees in good cyber hygiene, including best practices to be systematized throughout the company;
  • implementation of multi-factor authentication solutions: multi-factor authentication (MFA) and strong authentication should be favored for increased security;
  • the obligation for companies to issue an early warning to ANSSI within 24 hours in the event of a security incident.

What does a company risk if it does not comply with this directive?

Companies that do not comply with the NIS 2 directive may face financial penalties. NIS2 introduces a system of fines for non-compliance. The maximum fine is either EUR 10 million or 2 % of global annual sales for “essential” entities, and either EUR 7 million or 1.4 % of global annual sales for “important” entities. Where non-compliance with NIS 2 also involves a personal data breach, fines will not be imposed under both the NIS2 and GDPR (RGPD) regimes if the breach results from the same security event. Furthermore, in the event of a security incident resulting from non-compliance, entities may be held liable for any operational or financial damages. Each member state has until October 2024 at the latest to incorporate the NIS2 Directive into its national regulations. Some countries may well speed up the process, since the national versions of NIS2 build on the existing national versions of NIS1.

Responsibility for top management

The NIS 2 directive emphasizes the responsibility of top management within organisations. Top management must take an active role in managing cyber security and ensure that appropriate measures are in place to protect networks and information systems.

Raise awareness among teams and management

Cyber security awareness is essential to ensure compliance with the NIS2 directive. Companies must invest in training their staff to recognize and prevent cyber threats. Management must also be made aware of the importance of cyber security and compliance with the directive.

The NIS 2 directive represents an important milestone in strengthening cyber security in Europe. Businesses and local governments must take immediate action to comply with these regulations, strengthen their resilience against cyber-attacks and prevent security incidents. Compliance with the directive is important to avoid significant financial penalties and protect your organization's reputation and trust. There are many resources available to help companies comply with the NIS2 directive, such as the guides and recommendations published by ANSSI (Agence nationale de la sécurité des systèmes d'information) in France. It is also possible to enlist the help of specialized cyber security service providers to support your company in its efforts.

Altospam's solutions help companies partially comply with the NIS2 directive by strengthening the security of their email (the primary attack vector) and protecting their information systems against cyber threats. Altospam's Mailsafe offers advanced protection against threats including phishing attacks, ransomware and malware. The solution's anti-spam, phishing, ransomware and malware filters block malicious emails before they reach users' inboxes. Altospam solutions can form an important part of a company's overall security strategy to meet NIS2 requirements. However, full compliance requires a holistic approach to information security and risk management.
