The EU sets cyber-security standards

In January of this year, EU Directive 2022/2555 was passed, and it will come into effect in October of 2024. It sets out measures that aim to achieve a high common level of cybersecurity across the Union.

  • It is a new version of the NIS directive, hence is commonly referred to as
  • This directive has a wider application – to mid-sized and large companies, ones that have more than 50 employees and whose yearly turnover exceeds 10 million euros.
  • EU states, while ratifying this directive into national law, could decide to extend its application in some instances to small companies.
  • Entities are sorted into essential and important ones, depending on how strongly a cyber incident within the entity would affect society and the economy of the country.

Essential entities

  • Energy
  • Transportation
  • Finance
  • Health and pharmaceuticals
  • Digital infrastructure
  • Information and communication technologies
  • Public administration
  • Space sector

Important entities

  • Waste management
  • Chemical processing
  • Food and appliance manufacturing sectors
  • Digital service providers
  • Scientific research organizations
  • Legal entities operating in the postal and courier services

 

Businesses should ensure compliance with the NIS2 Directive. Here’s how:

  1. Analyze your sector and business to zero in on risks, and have IT safety policies in place.
  2. Manage cyber incidents well: detect, react, and prevent.
  3. Ensure business continuity and be ready for crisis control.
  4. Monitor your service providers, ensuring security of the supply chain.
  5. Continuously conduct cyber security tests.
  6. Use encryption.

Fines for non-compliance have also been raised:

  • Essential entities: 10 mln. euro or 2% of their yearly revenue.
  • Important entities: 7 mln. euro or 1.4% of their yearly revenue.
  • The entity’s management will be held personally liable for non-compliance.

The requirements set out in NIS2 are going to come into effect on October 18th, 2024, so we still have 14 months to prepare you for them.