NIS2 cybersecurity directive enters into force in the EU

17 Oct 2024


According to NIS2, upper-level corporate management is now required to be trained on its company’s cybersecurity measures.

Starting tomorrow (18 October), all EU member states have to start complying with the Union’s new stringent regulations to boost cybersecurity standards.

The Network & Information Security 2 (NIS2) Directive is the second iteration of the NIS Directive first introduced in 2016, which aims to heighten the security of an organisation’s network and information systems by making it mandatory for organisations to implement appropriate security measures and report any relevant incidents to the authorities.

The directive covers entities operating in sectors that are critical for the economy and society, including providers of public electronic communications services, ICT service management, digital services, space, health and more.

Today, ahead of tomorrow’s deadline, the Commission adopted the directive’s implementing act, which establishes uniform conditions for implementing the legislation. The act applies to specific categories of companies providing digital services, such as cloud computing service providers, data centre service providers, online marketplaces, online search engines and social networking platforms.

For each category of service providers, the act specifies when an incident becomes “significant,” and when it should be reported.

Compared to the original NIS, the NIS2 Directive imposes expanded security requirements and covers more organisations and sectors.

To comply with the new regulation, organisations must implement stronger supply chain and network security, along with better access control and encryption.

Organisations are also obligated to have measures in place for reporting incidents, including deadlines – such as a 24-hour ‘early warning’.

Additionally, higher-level corporate managers are now required to be trained on the company’s cybersecurity measures. A breach of these rules by one of these individuals could potentially result in a temporary ban from management roles.

Companies are now also required to have a plan in place for how they will keep operating in the event of a major cyber incident. The plan should include measures on system recovery, emergency procedures and the establishment of a crisis response team.

“It’s no longer good enough to look after the security within the four walls of your business. You now need to look at your supply chain and ensure that the right security measures are in place there as well,” Michael McNamara, BT Ireland’s security and compliance lead, told SiliconRepublic.com earlier this year.

Cybercrime is a continually rising threat to a society that is increasingly reliant on technology. A recent International Monetary Fund report said that losses from ‘cyber incidents’ have more than quadrupled since 2017 to $2.5bn.

With the advent of AI and especially generative AI, the risk to cybersecurity has increased further.

A 2023 Grant Thornton report suggested that most Irish businesses faced a cyberattack during the year.

Big name companies, including Microsoft, Ubisoft and AT&T among many others, have all suffered data breaches in recent years, incurring huge losses and reputational damage.


Suhasini Srinivasaragavan is a sci-tech reporter for Silicon Republic
