NIS2: The new directive to strengthen cyber security
The new EU directive NIS2 to strengthen cybersecurity is coming into force: We explain what it means for UK businesses and how you can best prepare for the changing landscape. The cornerstone of NIS2 compliance is an information security management system (ISMS) that meets the requirements of ISO 27001. In fact, if you’re ISO 27001 certified, you already complete 70% of the NIS2 security requirements.
We'll also discuss what’s new in risk and asset management, reporting and business continuity.
Does the NIS2 Directive apply to UK businesses?
The short answer is no, the UK is not implementing NIS2 as they're no longer bound by EU legislation. But they are making changes in their existing cybersecurity laws, such as adding managed service providers to the scope of the NIS regulations, including more supply chain security-related policies, or increasing the incident reporting-related obligations.
What do I need to do about NIS as a UK business operating in the EU?
The good news is that if your organisation is already ISO 27001 certified, you've taken significant steps towards becoming NIS2 compliant. In fact, by building an ISO 27001-compliant ISMS, you complete 70% of the NIS2 requirements. These requirements include risk management, corporate accountability, reporting obligations, and business continuity.
NIS2 Compliance
1. Severe penalties
Under NIS2, national authorities have a much wider range of sanctions at their disposal:
-
Directors and management can be held personally liable for failures in implementation.
-
Fines can be up to €10 million or 2% of total turnover (for essential entities) or €7 million or 1.4% of total turnover (for important entities).
-
Regulators may suspend business operations if necessary for network security.
2. Insufficient protection against cyberattacks
Data breaches cost an average of $4.35 million per incident last year. Yet 83% of companies have already had more than one data incident – many of which go undetected until the damage is done.
To adequately protect your company against these threats, you need to implement the comprehensive measures in the NIS2 Directive as soon as possible.
Current estimates suggest that you’ll need to increase your cybersecurity budget by 22% to make this happen.
You can use our two-pager to provide your CEO with concise and precise information about NIS2 and show how important it is to act quickly.
Only available in German
Download nowWhat are the NIS2 requirements?
The new NIS2 Directive requires companies to strengthen their cybersecurity and to communicate more with national supervisory authorities – for companies that do business in Germany. This is the Federal Office for Information Security (BSI).
The main requirements at a glance:
- Processes must be established for risk analysis and management, information security and cyber incident management. These are based on the ISO 27001 criteria for an ISMS.
- Continuity and recovery plans must be in place to respond to emergencies.
- Significant incidents must be reported to the BSI within very short deadlines – in some cases, 24 hours.
- Company-wide use of encryption technology and multi-factor authentication is required.
- Regular training for all staff to educate them on best practices in information security and changes in the risk landscape must be demonstrated to the BSI.
How to efficiently prepare for NIS2 compliance
We know how challenging it can be for businesses to implement the NIS2 Directive. The requirements are somewhat vague, and Member States are still working on drafts of national legislation.
You need guidance. Like the guidance that Dr Marnix Dekker, Head of Sector NIS at the European Union Agency for Cybersecurity (ENISA), gave us in a recent DataGuard webinar in business newspaper Handelsblatt:
“With ISO 27001, you should be all set.”
So if you base your ISMS on the requirements for ISO 27001 certification, you'll also be well-positioned to meet the requirements of the NIS2 Directive.
How DataGuard can help you achieve ISO 27001 certification – and more
The first step is to conduct a gap analysis with you to identify where your business is vulnerable.
We then provide you with tailor-made recommendations to close these gaps in accordance with ISO 27001 and NIS2.
We also work with you to optimise your risk and asset management processes and develop plans for business continuity, cyber incident management and staff training. In this step, the NIS2 requirements sometimes go beyond ISO 27001 – with DataGuard experts on your side, you can be confident that your business is implementing the right measures.
Ultimately, you will build your ISMS on these company policies before it is certified in accordance with ISO 27001 through an external audit. To date, all DataGuard customers have a 100% success rate on their first go at certification.
Setting up an ISMS is a large investment. So, imperious to use your resources as efficiently as possible. By using our information security platform, you can automate many of the processes involved, reducing the cost of certification by up to 40%.
With DataGuard, nothing stands between you and NIS2 compliance – book your free consultation now!