What Is NIS2?
The Network and Information Systems Directive (NIS2, Directive (EU) 2022/2555) replaces and broadens the original NIS Directive: it covers more sectors and strengthens the cybersecurity requirements placed on the entities in scope. It entered into force on 16 January 2023, and member states had until 17 October 2024 to transpose it into national law.
NIS2 introduces stricter supervision, higher penalties for both essential and important entities, and mandatory incident reporting.
What’s The Impact For Business
Challenges & Financial Impact
Mandatory reporting of significant incidents to the competent authority or CSIRT, in three stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours (including an initial assessment of severity and impact), and a final report within one month covering root cause, mitigation measures applied and any cross-border impact.
Noncompliance can lead to significant penalties, including administrative fines of up to:
€10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for essential entities
€7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher, for important entities
Increased supervisory requirements, including on-site inspections, security audits and the obligation to demonstrate compliance on request, as well as explicit supply chain security obligations.
Members of management bodies can be held personally liable for failures to comply with the risk management obligations.
NIS2’s Enhanced Framework Revolutionizes Cybersecurity Approaches for Organizations
How Stefanini Can Support Compliance Areas For NIS2
IT Risk Management
Entities must take a proactive approach: assess their risks, then build and implement appropriate and proportionate risk management measures, including policies and training.
Managed Security Services:
- Security Monitoring (NSOC)
- Penetration testing
- Threat Intelligence (TI)
- Vulnerability Management Detection and Response (VMDR)
Advisory Services:
- Governance, Risk, Compliance & Privacy (GRC-P)
- Regulatory Compliance
- Consultancy & Assessment Services
- Security Awareness & Training
Incident Prevention, Detection, Response And Reporting
Entities need to have an incident management framework in place covering prevention, detection, response and the reporting obligations described above.
Managed Security Services:
- Security Monitoring (NSOC)
- Detection & Response (MDR)
- Phishing Detection & Response (MPDR)
- Vulnerability Operation Center (VOC)
Cyber Resilience Services:
- CSIRT (Cyber Security Incident Response Team)
Business Continuity
Entities must ensure that they can maintain and recover their operations during and after a cybersecurity incident, including backup management, disaster recovery and crisis management.
Cyber Resilience Services:
- Penetration Testing
- Threat Hunting
- CSIRT (Cyber Security Incident Response Team)
Managed Security Services:
- Security Platforms Support & Management
- Identity Access Management
Advisory Services:
- Consultancy & Assessment Services
- Technology Implementation Services
Supply Chain Security
Supply chain security is an explicit requirement under NIS2 that the original NIS Directive did not spell out.
- The security of suppliers and service providers must be assessed, addressed contractually and monitored throughout the contract lifecycle, taking into account the vulnerabilities specific to each supplier and the overall quality of their cybersecurity practices.
Advisory Services:
- Regulatory Compliance
- Consultancy & Assessment Services (third-party risk assessments)
Cyber Resilience Services:
- Penetration Testing
- Vulnerability Operations Center (VOC)
Compliance, Liability And Training
Entities will need to be able to demonstrate compliance upon request from the supervisory authority.
Members of management bodies are also required to approve the risk management measures, oversee their implementation, and follow regular cybersecurity training.
Advisory Services:
- Governance, Risk, Compliance & Privacy (GRC-P)
- Security Awareness & Training
Download The Network and Information Systems Directive (NIS2) Brochure
Discover how the Network and Information Systems Directive (NIS2) will enhance cybersecurity and protect critical infrastructure across the EU. With stricter oversight, expanded sector coverage, and rigorous incident reporting requirements, NIS2 significantly affects essential and important entities. The directive entered into force on 16 January 2023, and member states had to transpose it into national law by 17 October 2024.