Navigating NIS2 Compliance: Is Your Organization Prepared?

  • 01 Oct 2024

By 17th October 2024, EU member states must have adopted and published the national measures needed to comply with the NIS2 directive, and the organizations in scope must meet the obligations those measures impose.

The Network and Information Systems Directive (NIS2)[1] updates the original NIS Directive (adopted in 2016 and transposed by member states in 2018) in response to the growing threats associated with digitalisation and the surge in cyber-attacks. It aims to bring an enhanced common level of cybersecurity to Europe by protecting critical infrastructure and ensuring that digital service providers have effective security measures in place.

It does this by increasing the number of entities that must comply, bringing in sectors such as healthcare, utilities, space, and public administration, as well as ICT service providers and financial services. Moreover, a crucial part of the directive is that it holds top management liable for failing to comply with its obligations; this is perhaps one of the reasons why the vast majority of organizations responding to the BCI Cyber Series Update 2024 report[2] indicated satisfactory levels of top management commitment to implementing effective solutions to cyber threats.

Relevant organizations must comply with NIS2 by reporting significant cyber incidents promptly (an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month), creating incident reporting mechanisms that capture causes, mitigation and impacts, and establishing measures that cover the operational, technical, and organizational approaches to managing cyber risks. EU member states must have adopted and published the measures they are taking to comply by the October deadline. Whilst some resilience and business continuity (BC) practitioners' plans already met the directive, or needed only small improvements to achieve the new obligations, some organizations have struggled to find the resources to comply.

Closely following the NIS2 directive implementation is the Digital Operational Resilience Act (DORA), whose deadline is 17th January 2025. Both NIS2 and DORA enhance the way in which EU organizations approach cybersecurity and digitisation, but they differ in significant ways. Whilst NIS2 sets obligations for a wide range of key sectors, DORA aims to strengthen digital operational resilience in the EU's financial sector. Its mandatory rules include the classification and reporting of ICT-related incidents, third-party risk management, and resilience testing of ICT tools and systems.

Who does NIS2 affect?

Although NIS2 applies to EU member states, global organizations may feel its indirect effects if they have partners or third-party suppliers there. For example, an EU partner may require an organization to adhere to NIS2 in order to collaborate safely, or may consider its compliance with the directive when tendering new contracts.

The directive's requirements also serve as a set of practical guidelines for organizations seeking to improve their own cybersecurity practices. As BCI research indicates, aligning with best practice is a popular route to enhancing resilience. Practitioners all over the world should be considering the elements required by NIS2 and embedding these best practices in their organizations' cybersecurity postures.

With cyber-attacks rated the top risk to organizations' resilience in both the short and long term[3], NIS2 is a step towards driving higher standards for cybersecurity in Europe. Although it has created pressures and challenges for those responsible for implementing the requirements, overall the improvement in cybersecurity legislation is viewed as a proactive step towards securing organizations, and society, against increasingly sophisticated and damaging levels of cyber-crime.
