In January of this year the EU Directive 2022/2555 was passed, and it will come into effect in October of 2024. It sets out measures that aim to achieve a high common level of cybersecurity across the Union.
- It is a new version of the NIS directive, hence it is commonly referred to as
- This directive has a wider application – to mid-sized and large companies, ones that have more than 50 employees and whose yearly turnover exceeds 10 million euros.
- EU states, while ratifying this directive into national law, could decide to extend its application in some instances to small companies.
- Entities are sorted into essential and important ones, depending on how strongly a cyber incident within the entity would affect society and the economy of the country.
Essential entities
- Energy
- Transportation
- Finance
- Health and pharmaceuticals
- Digital infrastructure
- Information and communication technologies
- Public administration
- Space sector
Important entities
- Waste management
- Chemical processing
- Food and appliance manufacturing sectors
- Digital service providers
- Scientific research organizations
- Legal entities operating in the postal and courier services
Businesses should ensure compliance with the NIS2 Directive. Here’s how:
- Analyse your sector and business to zero in on risks, and have IT security policies in place.
- Manage cyber incidents well: detect, react, and prevent.
- Ensure business continuity and be ready for crisis control.
- Monitor your service providers, ensuring security of the supply chain.
- Continuously conduct cyber security tests.
- Use encryption.
Fines for non-compliance have also been raised:
- Essential entities: 10 million euros or 2% of their yearly revenue.
- Important entities: 7 million euros or 1.4% of their yearly revenue.
- The entity’s management will be held personally liable for non-compliance.
The requirements set out in NIS2 are going to come into effect on October 18th, 2024, so we still have 14 months to prepare you for them.