NIS2 requirements
To strengthen Europe’s resilience against cyberthreats, the new Directive introduces stricter requirements and obligations in four key categories: risk management, corporate accountability, reporting obligations, and business continuity.
1. Risk management
Organisations must take the following risk management measures:
- Stronger supply chain security
- Enhanced network security
- Better access control
- Encryption
2. Corporate accountability
Management must:
- Oversee, approve, and be trained on their entity’s cybersecurity measures
- Address cyber risks
Breaches can lead to management penalties, including liability and a temporary ban from management roles.
3. Reporting obligations
Entities must have processes in place to promptly report security incidents that have had a significant impact on their service or its recipients. These reports must meet the specified notification deadlines.
4. Business continuity
Organisations must plan to ensure business continuity in the event of a major cybersecurity incident. This should consider system recovery, emergency procedures, and setting up a crisis response team.
10 minimum measures
NIS2 also mandates that essential and important entities implement baseline security measures to address specific forms of likely cyberthreats.
- Risk assessments and security policies for information systems
- Policies and procedures for the use of cryptography and encryption
- Security around the procurement, development, and operation of systems
- Security procedures for employees with access to sensitive or important data
- The use of multifactor authentication
- Policies and procedures to evaluate the effectiveness of security measures
- A plan for handling security incidents
- Cybersecurity training and basic computer hygiene practice
- A plan for managing business operations during and after a security incident
- Supply chain security