From 18 October 2024, the NIS2 Directive (Directive (EU) 2022/2555) applies across the EU, marking a significant milestone in strengthening cyber security across Europe. With stricter requirements and a broader scope, organisations must quickly assess their preparedness. The question is: are you ready for NIS2?
What is NIS2?
NIS2 builds on the 2016 NIS Directive, which aimed to improve the cyber security resilience of essential services across the EU. However, in response to rapidly evolving digital threats, NIS2 introduces stricter requirements and expands its scope, affecting more sectors and businesses. It covers not only medium and large enterprises, but also critical infrastructure across industries such as healthcare, transport, and energy, regardless of size.
Key impacts of NIS2
The directive introduces several critical changes:
- More sectors are now in scope: NIS2 expands the number of regulated sectors from 7 to 18, incorporating industries like cloud services, digital infrastructure, and public administration. If your organisation has over 50 employees or generates an annual turnover of €10 million, you may be affected.
- Personal accountability: A key change in NIS2 is the introduction of personal responsibility for senior management. CEOs and other decision-makers may face penalties, including fines or temporary disqualification from management roles, if their organisation fails to meet its cyber security risk management obligations.
- Stricter risk management: NIS2 mandates robust security measures, including incident response and supply chain security. Organisations must assess their current posture and adapt their processes to ensure compliance with the new regulations.
- Increased penalties: Non-compliance will have serious consequences. For essential entities, fines can reach €10 million or 2% of global turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global turnover.
What should your organisation do?
With NIS2’s far-reaching implications, organisations must take immediate action to ensure compliance. Here are key steps to take:
- Assess your applicability: Determine if your organisation falls under the directive’s scope. This includes reviewing sectoral definitions and identifying whether you are classified as an ‘essential’ or ‘important’ entity.
- Enhance risk management: Review and update your cyber security frameworks, focusing on incident handling, supply chain security, and business continuity measures.
- Prepare for personal responsibility: Senior management must take a proactive approach, ensuring that risk management measures are in place, documented, and robust enough to withstand regulatory scrutiny and avoid penalties.
As NIS2 reshapes the cyber security landscape, organisations must act now to mitigate risks and safeguard their operations. The time to prepare is running out. Will you be ready?