What is NIS2?
NIS2 (Network and Information Security Directive 2) is a European Union directive that sets a high common level of cyber security for EU Member States and the critical and important entities/companies operating within them.
It aims to improve the cyber security of Member States by setting a common minimum standard for the security of information systems and networks.
NIS2 is based on NIS1, but applies to more sectors and entities and introduces new obligations for both companies and Member States.
NIS2 harmonises cybersecurity measures for businesses, focusing on risk management and supply chain security, and sets harmonised penalties for non-compliance.
Why is NIS2 important?
NIS2 is a response to the growing number of cyber threats and helps to ensure the protection of organisations that are critical for the economy and society. It places personal responsibility for cyber security on the top management of organisations, thus ensuring that real action is taken to ensure cyber security.
Who is NIS2 for?
In short – indirectly for all companies operating in the EU.
As NIS2 places a responsibility on companies to which the Directive applies to ensure the cybersecurity of their supply chain, most companies not directly covered by the Directive will also have to address their cybersecurity systematically.
NIS2 applies directly to:
- Critical service providers
Significant entities/companies operating in high-criticality sectors: energy; transport; banking; financial market infrastructures; healthcare; drinking water; waste water; digital infrastructure; ICT service management (business-to-business); public administration; space.
- Key service providers
Significant entities operating in other critical sectors: postal and courier services; waste management; production, manufacturing and distribution of chemicals; food production, processing and distribution; manufacturing; digital services; research.
- All companies
with more than 50 employees and more than 10 MEUR annual turnover or balance sheet total.
When will the Directive apply?
October 2024 – or act now!
The Directive entered into force in January 2023.
It is due to be transposed into national law by 17 October 2024.
What are the sanctions for non-compliance?
- For a company
Up to 10 MEUR or 2% of global annual turnover (whichever is higher).
- For top executives
Significant fines for private individuals. Possible criminal liability in more serious cases.
How to be compliant with the NIS2 Directive?
- Carry out NIS2 compliance assessment
- Make a risk assessment
- Conduct a thorough cyber security and infrastructure audit
- Draw up a plan to implement a cybersecurity framework (e.g. ISO 27001).
- Add to the plan the steps from the NIS2 Directive that are not covered by ISO 27001.
- Implement the plan step by step (demonstrate progress)
- Implement an incident detection and reporting process according to NIS2.
- Regularly train staff and management
- Ensure the cyber security level of your supply chain partners is up to scratch – assess, monitor regularly.
- Conduct regular cyber security audits and penetration tests.
- Document everything and keep documentation up to date
If a company is ISO 27001 certified, does it automatically comply with NIS2?
Not automatically, but most likely for the most part. In addition, the NIS2 Directive sets requirements that go beyond or are stricter than ISO 27001:
- More detailed risk management requirements, in particular risk management throughout the supply chain.
- Notification requirements – ISO 27001 does not include specific requirements for incident notification, but NIS2 requires notification to competent authorities and sometimes to the public.
How can OIXIO Cyber help?
- NIS2 conformity assessment service
- Cybersecurity audit service and development plan preparation
- Cyber risk assessment
- Cybersecurity consultancy and CISOaaS
- Cyber hygiene training
- Cyber Security Centre as a service SOCaaS – Incident detection, response, resolution and notification.
- Selection, architecture, sale, deployment and management of cybersecurity technologies.
OIXIO Cyber is the #1 cyber security implementer with a strong team and a lot of experience; the highest NPS in Estonia; ISO 27001 certification; 24/7 SOC; the highest level partner of cyber security vendors.
Why OIXIO as your cyber security partner?
- Experience from Estonia
- Estonia was the first country in the world to come under a Russian state-level cyber attack, which created a strong foundation and the need for the highest level of cyber security.
- The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is located in Estonia; it is an international centre of excellence, think tank and training institution accredited by NATO. Link ENG: https://mil.ee/en/landforces/ccdcoe/
- Estonia has been a pioneer in the development of innovative and adaptable cyber security legislation, which includes cyber crime prevention and response, as well as data protection.
- Estonia is known for its advanced and secure e-state infrastructure, which is built on strong cyber security standards.
- Estonia’s success story as an e-state is directly related to the high level of cyber security. From digital elections to the e-residency program.
- In addition to the requirements of the NIS2 Directive, we also rely on the CIS (Center for Internet Security), ISO 27001 and Australian ASD frameworks and standards.
- A strong and certified team
Our auditors hold a total of more than 70 technical certifications (e.g. CISSP, CEH, SC-200, CSA, CCNP, NSE8, MS-500, AZ-500, CHFI, etc.), proving that they are the best in their field.
- Numerous cybersecurity audits, risk and compliance assessments carried out
- OIXIO is ISO 27001 certified
- 24×7 manned cybersecurity centre SOC
- A long-standing top tier partner to the world’s leading cyber security technology manufacturers
- Theory and practice go hand in hand – we have the capacity to assess the situation, to draw up a development plan, and to put all development activities into practice.