How NIS2 ready are you?


Aiming to enhance the security of network and information systems within the EU, the NIS2 Directive (Directive (EU) 2022/2555) entered into force in January 2023, and member states had until 17 October 2024 to transpose it into national law, causing a headache to many organizations. Compared to NIS, NIS2 harmonizes and streamlines reporting obligations across member states. However, it imposes more stringent measures and sanctions, making the compliance journey rather complicated. For many companies, keeping their cloud infrastructure secure and achieving compliance is now a top priority. The truth is that a typical compliance process includes security assessments, auditing, consulting and implementation, and may last about 12 months. It is a process that bears a significant cost for organizations, both in human and in financial resources.

But are all organizations affected by the NIS2 Directive?

The answer is NO. The NIS2 Directive is estimated to affect about 160K companies, covering the 18 sectors listed in its two annexes (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research). Furthermore, it applies only to entities that provide essential or important services to the European economy and society. As a general rule these are medium-sized and large entities (at least 50 employees, or more than EUR 10 million in annual turnover or balance sheet total), although some types of entity, such as DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks, are covered regardless of their size. To check whether your organization falls under the scope of NIS2, consult Annex I (sectors of high criticality) and Annex II (other critical sectors) of EU Directive 2022/2555 here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555#anx_I


What changes?

NIS2 introduces new requirements and obligations for organizations, focusing on four areas: (i) risk management, (ii) corporate accountability, (iii) reporting obligations and (iv) business continuity.

Cyber risks need to be minimized through measures such as enhanced network security, encryption and stronger access control, among others. These cybersecurity measures need to be approved and overseen by corporate management, which can be held liable for infringements, and the whole entity needs to be trained on them, making strengthened corporate accountability mandatory. In terms of reporting, organizations need to establish processes that ensure prompt reporting of significant security incidents to the competent authority or CSIRT. Specific notification deadlines apply: an "early warning" within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Finally, all organizations need to ensure the continuity of their business should a major cyber incident occur. Their plans are expected to include system recovery measures, emergency procedures and crisis-handling teams.

Overall, organizations are expected to ensure the security of their cloud infrastructure and systems and achieve compliance with the requirements of the Directive. Apart from the four overarching areas described above, the NIS2 Directive requires the implementation of 10 baseline security measures, so that organizations are able to address specific forms of cyberthreats. The 10 minimum measures, as listed in Article 21(2) of the Directive, are:

(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including the security of relationships with direct suppliers and service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures on the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

How can you comply?

If you have already prepared for GDPR compliance, you are more than halfway there. With risk analysis and crisis management policies, a business continuity plan and processes to handle vulnerabilities already in place, you can now focus on the technical tools that will allow you to fully secure your cloud infrastructure and your organization as a whole.

Thankfully, there are numerous reliable solutions to secure your workloads, ranging from backup and disaster recovery tools that keep your business running 24/7 (check Antyxsoft's backup and DRaaS solution here: https://antyxsoft.io/veeam/) to modern solutions for the protection of your endpoints and cloud workloads (check Antyxsoft's Marketplace for such solutions here: https://antyxsoft.io/product/pritunl/). In between sit a variety of services and products designed to make your everyday business operations easier, in a cost-effective way.

To design the NIS2 plan that best suits your needs, allowing you to ensure security and achieve compliance, consult our sales representatives, who will introduce you to the right solutions for your business. Contact them here: https://antyxsoft.io/contact/ and start implementing your security measures.
