Preparing for NIS2 - A checklist for affected entities
While the enforcement date of the NIS2 (Network and Information Systems 2) directive may appear distant, it is just around the corner: Member States must transpose the directive into national law by October 17, 2024, and the national rules apply from the day after. Much like the General Data Protection Regulation (GDPR), NIS2 compliance demands careful preparation and strategic execution. This blog provides a checklist for affected entities to navigate and prepare for the changes NIS2 will bring to cybersecurity within the EU.
New to NIS2? Read our blog to cover the basics.
Is your entity affected by the NIS2 directive?
To start, let us explore whether your entity is affected by the NIS2 directive and how this can be determined. Your initial focus should not be on whether your entity is important or essential, as many may think. Instead, concentrate on determining whether your entity is part of the sectors and services affected – the question of qualification comes later.
To ascertain if you are affected, check to see if your entity comes under:
- Article 2,
- Annex I or,
- Annex II.
For example, determine if your company qualifies as a trust service provider (Article 2), an electricity provider (Annex I), or is engaged in manufacturing medical devices (Annex II).
Next, assess whether your organization falls under the categories of important or essential entities, depending on your sector and size.
- For the specific entity types listed in Article 3(1), the category does not depend on size alone. Qualified trust service providers, top-level domain name registries and DNS service providers are essential regardless of their size. Providers of public electronic communications networks or services are in scope regardless of size, and are essential from medium size upward; smaller providers are important.
- For the sectors listed in Annex I, an entity is essential when it exceeds the ceilings for a medium-sized enterprise in Recommendation 2003/361/EC: 250 or more employees, or an annual turnover above 50 million euros together with an annual balance sheet total above 43 million euros. Both financial ceilings must be exceeded; a company with fewer than 250 employees that exceeds only one of them is still medium-sized. Annex I entities that qualify as medium-sized (at least 50 employees, or both turnover and balance sheet total above 10 million euros) are important.
- For the sectors listed in Annex II, the same size threshold applies: medium-sized and larger entities are important, and they are never essential unless a Member State designates them as such. In both annexes, entities below medium size are generally outside the directive unless one of the exceptions in Article 2(2) applies (for example a sole provider of a service essential to society, or an entity designated by its Member State).
The key difference between important and essential entities lies in supervision and penalties, not in the obligations themselves. Important entities are subject to ex post supervision only (Article 33): the supervisory authority acts when it receives evidence, an indication or information that the entity allegedly does not comply, such as a security breach or an alert. Essential entities are subject to ex ante and ex post supervision (Article 32): the authority may carry out on-site inspections, regular and ad hoc audits and security scans at its discretion, without any evidence of non-compliance. The maximum administrative fines also differ: at least 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least 7 million euros or 1.4% for important entities (Article 34). The risk-management and incident reporting obligations (Articles 21 and 23) are the same for both, so important entities carry the same duties under a somewhat less intrusive supervisory regime.
For example, take a small company in the transport sector (Annex I) with a turnover of €5 million and 10 employees. As a small enterprise it is outside the scope of NIS2, unless its Member State designates it under Article 2(2).
A year later, the company has grown to a turnover of €20 million and 40 employees. Assuming its balance sheet total is also above €10 million, it no longer qualifies as a small enterprise: it is now a medium-sized Annex I entity and therefore important. It must meet all NIS2 obligations, but supervision is ex post only, so it faces an audit when the authority has evidence or an indication of non-compliance rather than at the authority's discretion.
Two years after that, turnover reaches €60 million with 80 staff. The headcount alone, well below 250, does not make it essential; it becomes essential only if it exceeds both financial ceilings, that is, if its balance sheet total is also above €43 million. If it is, its obligations under NIS2 remain unchanged, but it should expect on-site inspections and audits from the supervisory authority at any time. If it is not, it stays an important entity despite the higher turnover.
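As an added check for the classification described above (this is example code written for this post, not a Nexus product and not legal advice), the following Python encodes the size ceilings of Recommendation 2003/361/EC and the Article 2 and 3 rules, including the balance-sheet condition that decides the last step of the transport company example. It covers the common cases only: designations by a Member State under Article 2(2)(b) to (e) and Article 3(1)(d) to (g), and any stricter national transposition, are not modelled. The entity names and figures in the demo are constructed.

```python
"""NIS2 scope and category check (illustrative; confirm against national law)."""
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    I = "Annex I (sectors of high criticality)"
    II = "Annex II (other critical sectors)"


class Category(Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    OUT_OF_SCOPE = "out of scope (unless designated by a Member State)"


@dataclass(frozen=True)
class Entity:
    name: str
    annex: Annex
    staff: int                  # headcount (annual work units)
    turnover_eur: float         # annual turnover in EUR
    balance_sheet_eur: float    # annual balance sheet total in EUR
    # Article 2(2)(a) exceptions, in scope regardless of size:
    qualified_tsp_tld_or_dns: bool = False   # Art. 3(1)(b): essential regardless of size
    public_ecn_provider: bool = False        # Art. 3(1)(c): essential from medium size


def exceeds_medium_ceiling(e: Entity) -> bool:
    # Rec. 2003/361/EC: an SME has fewer than 250 staff AND (turnover <= 50M OR
    # balance sheet <= 43M). Leaving the SME class therefore needs 250+ staff,
    # or BOTH financial ceilings exceeded. Exceeding only one is not enough.
    return e.staff >= 250 or (e.turnover_eur > 50e6 and e.balance_sheet_eur > 43e6)


def is_small_or_micro(e: Entity) -> bool:
    # Small enterprise: fewer than 50 staff AND (turnover <= 10M OR balance <= 10M).
    return e.staff < 50 and (e.turnover_eur <= 10e6 or e.balance_sheet_eur <= 10e6)


def is_medium(e: Entity) -> bool:
    return not exceeds_medium_ceiling(e) and not is_small_or_micro(e)


def classify(e: Entity) -> Category:
    # Article 3(1)(b): qualified TSPs, TLD registries, DNS providers: always essential.
    if e.qualified_tsp_tld_or_dns:
        return Category.ESSENTIAL
    # Article 2(2)(a)(i) + Article 3(1)(c): public ECN/ECS providers are always in
    # scope; essential once medium-sized or larger, otherwise important.
    if e.public_ecn_provider:
        return Category.IMPORTANT if is_small_or_micro(e) else Category.ESSENTIAL
    # Article 2(1): general size threshold for Annex I and Annex II entities.
    if is_small_or_micro(e):
        return Category.OUT_OF_SCOPE
    # Article 3(1)(a): Annex I entities above the medium ceiling are essential.
    if e.annex is Annex.I and exceeds_medium_ceiling(e):
        return Category.ESSENTIAL
    # Article 3(2): everything else in scope is important (Annex II never essential here).
    return Category.IMPORTANT


if __name__ == "__main__":
    # The transport company from the text, with constructed balance sheet totals.
    stages = [
        Entity("year 0", Annex.I, staff=10, turnover_eur=5e6, balance_sheet_eur=3e6),
        Entity("year 1", Annex.I, staff=40, turnover_eur=20e6, balance_sheet_eur=15e6),
        Entity("year 3 (balance > 43M)", Annex.I, 80, 60e6, 50e6),
        Entity("year 3 (balance <= 43M)", Annex.I, 80, 60e6, 30e6),
    ]
    for e in stages:
        print(f"{e.name:28s} -> {classify(e).value}")
```

The two "year 3" rows show the point the prose example glosses over: with 80 employees, the €60 million turnover only makes the company essential if its balance sheet total is also above €43 million. Run the same function over your own entity with real figures, then cross-check the result against the sector list and any designation rules in your Member State's transposition law.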
What if your entity is not affected?
Even if your organization is not directly impacted by NIS2, prioritizing cybersecurity should be on every organization's agenda. The dynamic cyber threat landscape poses risks beyond regulatory classifications. In our interconnected digital world, all entities contribute to the overall resilience of critical functions.
Adopting NIS2-aligned cybersecurity measures is forward-thinking. It safeguards against current threats, strengthens competitiveness, and positions your organization strategically in the evolving cybersecurity and regulatory landscapes.
Getting started: 5 actions for ensuring compliance
Preparing for NIS2 is not a task to be taken lightly. By starting early, understanding the legislation, implementing crucial security measures and educating the entire organization, affected entities can navigate the complexities and ensure compliance with the forthcoming directive.
It is time to embark on the journey toward a secure and resilient cybersecurity future. Here are 5 actions to get you started:
- Check the minimum requirements of NIS2
Start with the minimum risk-management measures listed in Article 21(2) of the directive, because that list is what you will be measured against. It covers, among other things, risk analysis and information security policies, incident handling, business continuity and backup, supply chain security, secure acquisition and development including vulnerability handling and disclosure, procedures to assess the effectiveness of your measures, basic cyber hygiene and training, policies on cryptography and encryption, access control and asset management, and the use of multi-factor or continuous authentication where appropriate. Zero Trust is named in the recitals as a basic cyber hygiene practice; together with MFA and encryption it is a sound baseline that moves you away from a purely perimeter-based, password-only posture, but it does not replace the rest of the Article 21(2) list.
Each country’s competent agency provides a helpful summary: for comprehensive guidance in Germany, consult BSI; in France, ANSSI provides detailed information. The Swedish Civil Contingencies Agency (MSB) offers a valuable summary in their "Policy Overview - Initiatives at EU Level Affecting Sweden's Information and Cybersecurity Work."
- Check whether you have certifications in place and conduct a gap analysis
Ascertain whether the company holds any certifications and has established a Security Operations Center (SOC). For entities with, for example, ISO27001 certification, perform a gap analysis to ensure alignment with NIS2 requirements and Article 21 for minimum security requirements.
- Map and engage with suppliers
Understand which suppliers and service providers your critical operations depend on, and the impact on your business if one of them is compromised or unavailable. Supply chain security, including the security practices of your direct suppliers, is one of the Article 21(2) measures. Map these dependencies, then initiate meetings with suppliers to evaluate how their services and contracts align with the new directive and with legislation already in force.
- Educate the organization
Regular training is essential for a cybersecurity-aware organization, and NIS2 lists cyber hygiene practices and training among the minimum measures (Article 21(2)); members of management bodies are also required to follow training and are encouraged to offer it to employees (Article 20). Training empowers employees to recognize and report suspicious activity, keeps them current on evolving threats, and covers the legal obligations that apply to their roles. Beyond compliance, it embeds security into daily operations and builds a proactive risk-management culture.
- Budget and reporting for success
Allocate a realistic budget for 2024 to close the gaps identified in the analysis above, so that the organization is ready when the national transposition laws apply from October 2024 and for the audits that will follow. This financial commitment is not just about compliance; it is an investment in digital defense. Establish clear reporting to management and other stakeholders on progress and open risks: under Article 20, management bodies must approve and oversee the risk-management measures and can be held liable for infringements. Remember that NIS2 also sets its own incident reporting deadlines (Article 23): an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
How can Nexus help?
Two of the minimum measures in Article 21(2) are directly about identities: policies on cryptography and, where appropriate, encryption, and the use of multi-factor or continuous authentication. A Zero Trust approach (never trust, always verify) builds on both, since every access decision then rests on a verified identity rather than on network location.
At Nexus, we assist leading organizations worldwide in fortifying and safeguarding their workforce and workplace against cyber threats. As a European vendor of PKI-based trusted identities, we can help you implement these NIS2 requirements. Our solutions and services provide secure and convenient Multi-Factor Authentication (MFA) for your services, devices, and network. We also offer solutions for issuing digital certificates and managing the lifecycle of all certificate-based identities. By using our secure, performant, and certified PKI platform, you can ensure that your digital identities consistently adhere to current European standards. In doing so, we support your Zero Trust strategy within the context of NIS2 and aid your transition to the cloud.