NIS2
In 2016, the EU introduced the Network and Information Security (NIS) Directive to establish a common level of cybersecurity across Member States.
The NIS2 (Network and Information Security iteration two) directive is the latest expansion of this legislation, aimed at further enhancing cybersecurity in Europe. NIS2 is applicable EU-wide and establishes baseline cybersecurity risk management measures and reporting requirements. This directive affects organizations in various sectors, including energy, transport, health, and digital infrastructure.
Each EU member state has until October 17, 2024, to implement the NIS2 directive into its national legislation.
compliance with the NIS2 directive
Organizations falling under the NIS2 directive must take necessary measures to enhance their digital security and report incidents to national authorities.
The following measures represent the minimum requirements that must be met:
Policy for risk analysis and information system security.
An incident handling process.
Security aspects related to personnel, access policies, and asset management.
Business continuity, including backup management, emergency response plans, and crisis management.
Supply chain security, including security-related aspects related to the relationships between each entity and its direct suppliers or service providers.
Security in the acquisition, development, and maintenance of network and information systems, including vulnerability response and disclosure.
Policies and procedures to assess the effectiveness of measures for managing cybersecurity risks.
Fundamental practices in cyber hygiene and cybersecurity training.
Policies and procedures regarding the use of cryptography and, if applicable, encryption.