NIS2 makes it mandatory to strengthen the cyber resilience of critical and important companies.
The European directive NIS2 makes it mandatory to strengthen the cyber resilience of critical and important companies. A large number of organizations are now obliged to defend against attacks even though they are not directly covered: companies that are part of a supply chain must also comply with the guidelines. If the rules are disregarded, fines can be imposed.
Companies face a challenge when it comes to protecting themselves against cyber attacks. The digitalization of the market and the opportunities it offers increase the risk of cyber attacks being successful. Companies must therefore take comprehensive measures to protect themselves. These include constantly revising cybersecurity standard procedures and raising employee awareness of the potential risks.
The European Union ensures that critical organizations and companies in its member states are better protected and can withstand attacks. In 2016, it issued the NIS1 directive ("Network and Information Security") with strict security regulations.
The new NIS2 Directive has been in force throughout the EU since January 2023 and replaces the old one. This has significantly expanded the group of affected companies and, in addition to critical infrastructure, also includes important industries and, under certain conditions, smaller companies that operate as suppliers.
The EU divides companies affected by the NIS2 directive into two categories: "Essential" and "Important". Companies designated as "Essential" were already named in the first version of the NIS regulations, but in the new version this category covers more classes of organization. The second group, important organizations, is newly defined. Companies that have at least 50 employees and an annual turnover of over 10 million euros are directly affected:
NIS2 is not normally relevant for companies with fewer than 50 employees and an annual turnover of up to ten million euros. However, there are exceptional cases where company size is irrelevant. Providers of DNS services, TLD name registries and public electronic communications networks and services must comply with the NIS2 requirements.
Medium-sized and small companies can also be targets of attacks if they supply services or materials to companies directly affected by the new EU cybersecurity regulation. In such cases they often need to implement the same security measures, so that the companies they supply do not breach the regulation. For example, a car manufacturer may require its suppliers to implement certain cybersecurity techniques or procedures to avoid falling foul of EU directives.
Organizations covered by the NIS2 directive must implement appropriate and proportionate techniques, procedures and measures to reduce the security risks to their network and information systems and to minimize the potential impact of security incidents on the recipients of their services and on other services. They must also continuously assess their network and information systems to ensure security at all times.
The directive specifies various areas and measures that must be complied with as a minimum, including
Organizations should make all of the above preparations as far as possible when adopting NIS2. Key steps include:
We can help you meet regulatory requirements and enhance your organization's operational security with various frameworks.
Our design options: