Q&A from NIS2 Webinar

Verify whether the company is referenced in Articles 2 and 3 or falls within the directives’ designated sectors outlined in Annex I or II. For instance, determine if the company qualifies as a trust service provider (Article 2), an electricity provider (Annex I), or engaged in the manufacturing of medical devices (Annex II). Conduct a gap analysis in alignment with Article 21 of the NIS2 directive. Assess if the minimum requirements, such as Multi-Factor Authentication (MFA), have been implemented. Additionally, ascertain if the company holds ISO27001 certification and has established a Security Operations Center (SOC).

While using SMS One-Time Password (OTP) is certainly better than just the traditional password, it is not very user-friendly. Implementing it, for example, in the Windows login method, can be challenging. Moreover, SMS OTPs are not phishing-resistant. The consensus is that an SMS-based solution cannot be considered a robust form of Multi-Factor Authentication (MFA). Also read (in French): The French supervisor authority explicitly does not recommend SMS-based OTPs.

NIS2 offers a significant advantage by establishing minimum requirements applicable across countries. This allows international companies to formulate a cohesive ‘European’ cybersecurity model without getting bogged down in local nuances. It’s crucial to note that the directive applies to ‘entities,’ defined as natural or legal persons recognized under national law. Therefore, subsidiaries within a larger company may be deemed important entities, necessitating individual assessments. Each legal entity at every organizational level must determine its significance, enabling the implementation of cybersecurity measures, potentially at a European level.      

While differences may exist, they are not expected to be as pronounced as in NIS1. The minimum cybersecurity requirements are immutable, and the directive’s scope is already well-defined.

We see a common thread in these cybersecurity directives and regulations — prioritize your security. Without delving into the specifics of each legislation, we believe it’s imperative for every company to assess its cybersecurity measures and address current cyber risks actively. Similar to how you expect a key for the doors of your home, every top manager should anticipate securing their IT systems, and every consumer should expect security for their devices, such as a smartwatch. Operating a business without proper cybersecurity measures will likely become illegal within the EU in the coming years.

Nexus only offers professional services and expertise connected to our products and services, including assistance with implementation and configuration. In addition, Nexus has an extensive partner network in each region and we would be happy to provide recommendations for regional partners, please reach out to us to know more. Explore our partner network here.

The Swedish Civil Contingencies Agency (MSB – Myndigheten för samhällsskydd och beredskap) provides valuable information on NIS2. A special investigator (‘särskild utredare’) appointed by the Swedish government is tasked with proposing the necessary adaptations within Swedish law required for the implementation of NIS2. The special investigator is expected to submit the report to the government no later than February 23, 2024.

The national supervisory authorities for cybersecurity in Germany, France, and Sweden are as follows:

• Germany, BSI (Federal Office for Information Security)
• France, ANSSI (Agence nationale de la sécurité des systèmes d’information)
• Sweden, PTS (The Swedish Post and Telecom Authority)

For further reading on this topic, you may explore the official websites of these agencies and relevant cybersecurity legislation in each country.