The EU’s NIS2 cybersecurity directive requires EU member states to step up their national cybersecurity strategies and work more proactively across borders to mitigate growing security threats. It came into effect in late 2024, with an expectation that member states transpose this directive into local law.
The NIS2 directive applies to a wide range of essential and important sectors. Here’s the breakdown to determine where you fit in:
Organizations in essential and important sectors must adhere to several key requirements under NIS2. This is a high-level overview of those requirements.
New and evolving regulations can be overwhelming for any organization. Here are a few key steps to take to build momentum and secure some ‘easy wins’ as you embark on your NIS2 journey.
Understanding how NIS2 impacts your organization is the first step. Determine whether your company falls under the directive’s scope by assessing your societal role and the criticality of your services. This involves evaluating if all or just parts of your business are affected and how they align with the NIS2 criteria.
Using ISO 27001 as a foundational cybersecurity framework can help your organization comply with many NIS2 requirements. ISO 27001 provides a comprehensive set of controls for managing information security risks, which is well aligned with NIS2’s focus on organizational resilience. However, NIS2 introduces additional requirements beyond ISO 27001, including incident reporting within 24 hours and supply chain security measures.
According to the European Union Agency for Cybersecurity (ENISA), while ISO 27001 provides a solid baseline, it must be supplemented with additional measures to fully comply with NIS2 standards.
Senior management are now more accountable than ever for cybersecurity. Under NIS2, they could be personally liable for violations. This means they must have a robust approach to cybersecurity in their organizations and allocate the necessary resources. The EU underscores the importance of leadership commitment in achieving compliance and enhancing the organization’s cybersecurity posture. This involves ensuring that senior leaders are engaged, informed, and proactive about risks and mitigation strategies.
NIS2 places emphasis on business continuity planning for ICT systems. Organizations must have plans in place to maintain operations during cyber incidents, particularly for critical functions such as video communication. Effective business continuity planning means that essential services can continue without significant disruption. The NIS2 directive mandates that organizations be prepared to both handle and recover from ICT service disruptions, ensuring greater resilience and minimal productivity losses during an attack.
With NIS2, organizations are encouraged to be even more proactive when it comes to cybersecurity, moving beyond basic compliance and into strategic risk management. With this comes regular risk assessments, continuous monitoring of threats, and the implementation of advanced security measures. NIS2 also stresses the importance of collaboration between organizations and national authorities to enhance resilience. According to ENISA, by fostering a culture of security awareness and implementing best practices, organizations can better protect themselves against evolving cyber threats.
Get started on your business continuity planning. We’re here to help you ensure video communication and collaboration no matter what. Find out more here.