EU's reimagined NIS 2 cybersecurity vision to go live

"The intensifying cyber threat landscape demands a coordinated and comprehensive cybersecurity strategy at the EU level," says Carlos Salas, cybersecurity expert at NordLayer. "The NIS 2 represents a significant step forward in unifying and elevating cybersecurity standards across our critical economic sectors and digital infrastructure."

With the directive's requirements coming into force, NordLayer aims to help businesses turn the challenges of NIS 2 into achievements that elevate their security posture. As an advocate of effective cybersecurity solutions, we are committed to enabling organisations to navigate the NIS 2 compliance journey.

What is NIS 2?

The Network and Information Security 2 Directive (NIS 2) is an update and expansion of the original 2016 NIS Directive. It mandates more robust cybersecurity measures for companies operating critical infrastructure and providing essential services. Key enhancements over NIS include:

• A broader scope covering more sectors like pharmaceuticals, electronic communication services, waste management, and manufacturing.
• Expanded cybersecurity risk management requirements and stricter incident reporting obligations.
• Stronger enforcement through higher penalties of up to €10 million or 2% of global annual revenue, depending on which is higher.
• Accountability for top management in cases of non-compliance.

What does NIS 2 mean for businesses?

The NIS 2 directive aims to raise cybersecurity standards and resilience across the EU's critical sectors and digital supply chains. For businesses in scope, complying with NIS 2 is not just a check-box exercise but a comprehensive undertaking.

"NIS 2 requires a risk-based approach where organisations protect their systems equal with the gravity of the threats they face," says Salas. "It mandates concrete steps like implementing risk analysis policies, safeguarding the security of supply chains, and having robust incident response and recovery plans in place."

The directive emphasises collective responsibility, with management teams facing personal sanctions for non-compliance. Incident reporting obligations are also stricter to improve threat intelligence sharing.

Under NIS 2, organisations are classified as either "essential entities" or "important entities" based on their significance. Essential entities span critical sectors like energy, transport, health, digital infrastructure, and finance. Important entities include telecom operators, digital service providers, public regional administration bodies, and other crucial services. NIS 2 requires these entities to take extensive risk management measures.

How can NordLayer contribute to your NIS 2 compliance strategy?

NordLayer's solutions encompass secure access solutions like multi-factor authentication and single sign-on. Also, network security capabilities with firewalls, intrusion prevention, and encrypted remote access tools to protect distributed workforces. Our product suite helps organisations align with NIS 2 requirements, including access control, incident handling, and encryption for data in transit.

“Complying with NIS 2 is about fostering a robust cybersecurity culture and adopting a holistic strategy across people, processes, and technology. NordLayer offers a comprehensive suite of solutions to assist companies on their NIS 2 journey,” adds Salas.

As the EU strives for cyber resilience with NIS 2, businesses must start preparing to align with the new directive's mandates, as national laws implementing the directive will come into effect on October 18. Companies are advised to start compliance preparations now to avoid potential disruptions and costly penalties down the line.