NETWORK AND INFORMATION SECURITY DIRECTIVE (NIS2)
The Network and Information Security Directive (NIS2) is the EU-wide legislation on cybersecurity, providing legal measures to enhance the overall level of cyber security and standardise cyber resilience across the EU. EU member states are required to transpose NIS2 into their national legislation by 17th October 2024, which means organisations should be ready to achieve compliance well in advance.
Whilst the UK has left the EU, NIS2 still impacts UK organisations that fall under the scope, as they must be compliant to do business in the EU, including with companies in Ireland. Bureau Veritas is here to help businesses in the UK and Ireland to identify their requirements and achieve NIS2 compliance.
UNDERSTANDING THE NIS2 DIRECTIVE
NIS2 is the second Network and Information Security Directive, extending the scope across more sectors, with more stringent requirements and bringing in stricter penalties for non-compliance compared with the existing NIS.
Apart from a few exemptions, it applies to medium and large-sized companies (50 or more employees or an annual turnover of €10 million), in sectors including healthcare, digital services and infrastructure, banking and finance, and food.
The main aim of the NIS2 Directive is to promote a cyber security culture and ensure the resilience of essential services, under three key areas:
- Risk management and incident response
NIS2 states that organisations must conduct regular risk assessments to identify potential risks and have robust incident response plans to make sure they can respond to and recover from cyber incidents effectively.
- Security measures
It requires organisations to implement technical and organisational measures to ensure the security of their networks and information systems. This includes access controls, encryption, and regular security updates.
- Reporting requirements
Organisations must also report significant cyber incidents to the relevant authorities.
WHAT UK AND IRISH BUSINESSES NEED TO KNOW
Whilst NIS2 does not directly apply to UK businesses, the changes coming into force in October 2024 include adding managed service providers to the scope. As such, the NIS2 Directive applies to organisations operating or carrying out activities for EU businesses (including those in Ireland) within the scope.
This includes companies that fit the description of an 'essential' or 'important' organisation in a defined list of sectors, such as internet providers, energy suppliers, drinking water companies, waste processors, banks, transporters, healthcare institutions, factories producing food, and digital infrastructure providers.
For our customers in Ireland, NIS2 applies as with any other EU member country.
Failure to act could be costly. Under NIS2, national authorities can impose a wider range of sanctions compared with NIS. For example:
- Directors and management can be held personally liable for failures in implementation
- Fines can be up to €10 million or 2% of total turnover (for essential entities) or €7 million or 1.4% of total turnover (for important entities)
- Regulators may suspend business operations if deemed necessary
Applicable sectors include:
NIS2 COMPLIANCE SERVICES FROM BUREAU VERITAS
Our experts at Secura, a Bureau Veritas company, offer a range of services to support compliance with NIS2, wherever you are on your cyber security journey - whether you are a UK or Irish business.
Your steps to compliance, including our services to help you achieve them:
Verify if NIS2 applies to your organisation
The first step is to establish whether your organisation, if it supplies services to the EU, falls within the scope. NIS2 applies to important and essential entities. Whether a company is so classified depends on its size and the sector in which it operates.
TRAINING FOR YOUR BOARD AND STAFF
Training your employees, both at the boardroom level and other levels, is an essential part of the NIS2 Directive. We have developed the NIS2 Boardroom Training and SAFE Awareness Programme, helping you meet these requirements at all levels.
Map where your organisation currently stands
To determine what steps you need to take to meet the requirements of the NIS2, it is important to have a good idea of what the security maturity levels of different parts of your organisation currently are. Our NIS2 gap assessment service measures where you are and where you need to go. With this insight, you know which steps you need to take to comply with NIS2.
Implement improvements
After mapping where your organisation currently stands, you can implement any improvement measures that might be required. Our wide range of solutions including CISO support and incident response services can support you both in the implementation and in the interpretation of measures.
Achieve NIS2 compliance
After completing these steps, you will be NIS2 compliant, and your organisation will be more secure in the face of cyber threats. We also support throughout the process with our CyberCare programme.
WHAT ARE THE BENEFITS OF NIS2 COMPLIANCE?
WHY CHOOSE BUREAU VERITAS FOR YOUR NIS2 COMPLIANCE NEEDS?
- Experienced team with decades of governance risk and compliance experience
- A range of services specifically developed to meet your NIS2 needs and help you become NIS2 compliant
- Cybersecurity experts in the field of people, processes and technology
- Supporting UK and Ireland businesses to identify and meet their specific requirements
- A single point of contact and proven partnership approach
- A clear roadmap to become and stay NIS2 compliant
- Backed by the global expertise of Bureau Veritas, a world leader in testing, inspection and certification services
- HOW DOES NIS2 DIFFER FROM NIS?
NIS2 focuses on the same objectives as NIS, but covers a wider range of sectors, has stricter requirements for risk management and incident reporting, and higher penalties for non-compliance. It also expands the scope of organisations covered.
- CAN YOU SUMMARISE THE MAIN REQUIREMENTS OF NIS2?
NIS2 states that processes must be established for risk analysis and management, information security and cyber incident management. Continuity and recovery plans must be in place to respond to emergencies. Significant incidents must be reported to the relevant authorities. Company-wide use of encryption technology and multi-factor authentication is required. Regular training is also required for all staff to educate them on best practices in information security.
- HOW DOES NIS2 RELATE TO ISO 27001?
While ISO 27001 and NIS2 both aim to enhance cyber security, they have different scopes, applicability and overall approaches to cyber security. If your Information Security Management System (ISMS) is certified to ISO 27001, you will be on the way to NIS2 compliance, but additional measures and processes are likely to be required.