What is the NIS2 Directive and when does it come into effect?
The Network and Information Systems 2 (NIS2) Directive is a new European cybersecurity law that comes into effect on 17 October 2024. If you currently trade with EU businesses, you need to comply. The directive aims to harmonise cybersecurity rules across all EU countries by setting baseline standards.
Key Cybersecurity Requirements Under NIS2
From this October, the NIS2 Directive sets important cybersecurity standards that UK businesses need to follow.
- Risk Assessments (within a Zero Trust framework): Regularly checking for potential security threats.
- Policies and Procedures for Cryptography: Ensuring data is encrypted and secure.
- Security Procedures for Employees: Making sure employees who handle sensitive data follow strict security guidelines.
- Multifactor Authentication: Using more than one method to verify a user’s identity.
- Cybersecurity Training: Educating employees about cybersecurity best practices.
By meeting these requirements, businesses can protect themselves from cyber threats, comply with the new regulations and avoid penalties.
Which Sectors And Types Of Entities Does NIS2 Cover?
Specifically, the NIS2 Directive covers mid-size and large EU companies in sectors such as:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Space
- Postal and courier services
- Waste management
- Manufacturing, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing in general
- Digital providers
- Research
This means that if your business operates in any of these sectors within the EU (for example by trading with EU businesses) and meets the size criteria, you must comply with the NIS2 Directive to do business in the EU. This requirement applies to a large number of businesses in the UK.
A good example of UK businesses that trade in the EU and would need to comply with the NIS2 Directive:
Hospitality businesses that trade with EU suppliers, such as those importing wine or olive oil, must comply with the NIS2 Directive.
Similarly, any business that sends UK products to any part of the EU via postal or courier services must also comply.
How Will The New NIS2 Rules Be Supervised And Enforced?
The new NIS2 rules will be supervised and enforced by authorities across EU member states. These rules include stricter measures and penalties to ensure businesses comply with cybersecurity standards. There are two types of supervision:
Before an Incident (Ex-Ante): All businesses will be regularly checked to make sure they are following the rules. This includes:
- Conducting regular cyber security risk assessments
- Implementing policies and procedures for data encryption
- Checking and ensuring employees follow strict security guidelines
- Checking businesses are using multifactor authentication
- Providing regular cybersecurity training for employees
After an Incident (Ex-Post): Businesses will be audited after an incident to ensure they followed the rules. This involves:
- Delivering a preliminary report to the corresponding Computer Security Incident Response Team (CSIRT) within 24 hours of the incident
- Submitting a full notification report within 72 hours
- Completing a final report after the incident, to show the incident is contained and remediated
- Ensuring business continuity by actively managing system and information recovery
- Implementing failover systems and access
- Showing you have multiple data backup options
- Having emergency procedures in place
- Maintaining incident handling and crisis response processes
How Does NIS2 Interact With GDPR?
The NIS2 Directive and GDPR both aim to enhance cybersecurity and data protection, but they focus on different aspects.
NIS2 sets cybersecurity standards for essential and important entities, including risk assessments, data encryption, and incident reporting. GDPR, on the other hand, focuses on protecting personal data and privacy.
For UK businesses trading with the EU, compliance with both NIS2 and GDPR is crucial.
NIS2 ensures that businesses have robust cybersecurity measures in place, while GDPR ensures that personal data is handled with care and transparency. By aligning their cybersecurity practices with NIS2 and their data protection practices with GDPR, UK businesses can ensure comprehensive compliance and protect themselves from potential penalties.
How Can My Business Prepare For NIS2 Compliance?
To prepare for NIS2 compliance, UK businesses that are not already compliant need to take several key steps. Speedster IT can assist UK businesses in meeting these requirements by leveraging Zero Trust cybersecurity frameworks, WatchGuard, Microsoft Security and other providers.
How Speedster IT Can Help with NIS2 Compliance and GDPR
Speedster IT offers a range of security solutions to help UK businesses comply with both the NIS2 Directive and GDPR. These solutions include:
- Risk Assessments: Speedster IT provides tools to regularly check for potential security threats, ensuring your business stays ahead of any risks.
- Data Encryption: Ensuring your data is encrypted and secure is crucial, and Speedster IT offers robust encryption solutions to protect your sensitive information.
- Employee Security Procedures: Speedster IT helps establish guidelines and tools to ensure employees follow strict security measures, reducing the risk of internal threats.
- Multifactor Authentication: To enhance security, Speedster IT implements solutions that verify user identities with more than one method, making it harder for unauthorized users to gain access.
- Cybersecurity Training: Speedster IT offers programs to educate your employees about cybersecurity best practices, ensuring they are aware of potential threats and how to handle them.
- Handling and Reporting Security Incidents: Speedster IT assists in creating comprehensive plans for managing and reporting security incidents, ensuring your business can quickly respond to and recover from any breaches.
- Strengthening IT Security: With ICT risk management and third-party risk management, Speedster IT helps fortify your IT infrastructure against various threats.
- Ensuring Digital Operational Resilience: Through testing and incident reporting, Speedster IT ensures your business can maintain operations even during and after a security incident.
By leveraging our expertise and Microsoft Security, UK businesses can enhance their cybersecurity posture and ensure compliance with both the NIS2 Directive and GDPR. This comprehensive approach helps protect your business from cyber threats and ensures you meet all regulatory requirements.
Get in Touch – 0204 511 9111