As a recent poll among more than 400 of our prospects suggests, about 20% of them have never heard of NIS2. Considering the huge implications the directive has for many companies in the EU, it’s about time to change that!
DataGuard teamed up with business newspaper Handelsblatt to talk with Dr. Marnix Dekker, Head of Sector NIS at ENISA (European Union Agency for Cybersecurity), our DataGuard Co-Founder Kivanc Semen and Dr. Frank Schemmel, Senior Director International Privacy & Compliance at DataGuard about why NIS2 was established, what changed compared to NIS1 and how to best prepare your company for the upcoming laws.
Read on for a summary of the NIS2 webinar.
Why the EU drafted the NIS2 Directive
Looking at these numbers, it becomes clear: the EU’s newest effort to strengthen cyber security is not only fundamental but also in the best interest of companies that need to protect their assets.
“The increasing use of technology in our daily lives has made us more vulnerable to cyber criminals who are constantly developing new methods of attacks”, said Schemmel.
“Ransomware is scoring as the prime threat followed by malware and social engineering. That is why the European legislator took action to increase the level of cybersecurity and cyber resilience in Europe,” he added.
“The NIS Directive is about keeping attackers out and being able to deal with incidents,” Marnix Dekker said. “It’s about making sure that society keeps running, making sure that the economy is not affected.”
“It’s much more a partnership between national authorities and the owners of infrastructure than about compliance.”
From NIS1 to NIS2 – the most important changes
The NIS2 Directive continues the focus on resilience that NIS1 established.
It attempts to harmonise cyber security rules and increase collaboration across EU member states, something NIS1 was lacking: countries adopted widely different measures and scopes when transposing it.
There is more detail about which security measures need to be taken and how to implement risk management. Article 21 of the directive lists minimum measures that every covered entity must address, among them risk analysis, incident handling, business continuity and backup management, supply chain security, vulnerability handling, cyber hygiene and training, the use of cryptography, access control and multi-factor authentication.
“It’s important to keep in mind that the national authority does not sit on the chair of the CISO”, Dekker noted. “It’s not the government that decides what security measures have to be in place. It’s always risk-based.”
But to increase accountability, national authorities are also given more room for sanctions. Most notably, management bodies must approve and oversee the risk-management measures and can be held personally liable if the company fails to implement them.
Fines for essential entities can go up to 10 Mio. € or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is 7 Mio. € or 1.4%.
Additionally, the number of affected business sectors has drastically increased: “There’s twice as many sectors and more entities covered within each sector”, Dekker told us.
All the more reason for companies to find out now whether NIS2 applies to them.
Who is affected by NIS2? – The sectors explained
Covered organisations are divided into two groups – Essential Entities and Important Entities. Essential Entities are subject to stricter supervision and higher sanctions; most of their sectors were already covered as operators of essential services under NIS1.
The Important Entities category is new in NIS2 and covers sectors such as postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research organisations.
Generally, the NIS2 Directive only applies to medium-sized and larger companies, i.e. those with at least 50 employees or more than 10 Mio. € in annual turnover. Critical infrastructure, which in NIS2 includes digital infrastructure such as DNS service providers, top-level domain registries, trust service providers and public electronic communications networks, is covered regardless of size, as is any entity whose disruption would have a significant impact on public safety, security or the economy.
So, where to start? As Kivanc Semen points out, a “22% budget increase is going to be needed for companies that haven’t done NIS2 before”.
If your company falls under NIS2, the first step is raising awareness in management so that the necessary budget can be planned.