The NIS2 deadline (October 17, 2024) is approaching.
Organizations need to act now to comply with new cyber security requirements. At WithSecure we envision a future where no one should experience the devastating impacts of cyber threats. We want to help you to achieve true security.
The NIS2 Directive made cyber security best practices mandatory
NIS2’s central aim is to secure society as a whole and to increase the cyber resilience of EU Member States by identifying essential service operators and enforcing cyber security measures. It is therefore crucial that the entities covered by the directive are ready for its requirements and can defend themselves against cyber threats.
It’s top management’s responsibility
From 17 October, it’s up to top management to make sure their organizations implement appropriate and proportionate technological, operational and organizational measures, including monitoring and mitigating cyber security risks and implementing security solutions.
Important entities
These are typically organizations employing between 50 and 250 people, operating in important but non-critical sectors like:
- Postal services
- Waste management
- Chemicals
- Research
- Food manufacturing
- Digital providers
Essential entities
These are the most critical companies in the EU. They typically employ more than 250 people and operate in the following sectors:
- Energy
- Transport
- Finance
- Public Administration
- Health
- Space
- Water Supply
- Digital infrastructure
WithSecure can help you through your compliance journey
Effective cyber security is built on the continuous revision and improvement of security practices. Processes and tools must evolve with the organization to ensure security standards are maintained. At WithSecure, we envision a future where no one is at risk of serious loss because of cyber crime. At least no one who puts their trust in us. We believe WithSecure can play an important role in guiding and supporting our customers in their NIS2 compliance journey.
Our services
WithSecure offers award-winning cyber security solutions. Our cloud-based security platform, Elements, includes solutions for:
NIS2’s minimum security requirements
A summary
Organizations should set up and maintain an information security management system that enables a systematic, proactive approach to risk management.
Organizations are required to establish appropriate capabilities to prevent and deter cyber attacks. To do this effectively, organizations must identify:
- their most significant vulnerabilities
- the cyber security measures necessary to minimize the risk of vulnerability exploitation
- how the organization will detect and respond to any incidents.
The directive explicitly requires that “essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.”
Organizations should plan how they will react to an attack. Relevant stakeholders need to be trained and plans made for tackling incidents impacting business continuity and recovering from disruption and potential downtime.
Organizations are required to evaluate and manage the risks posed by vulnerabilities within their supply chain. This requirement encourages organizations to cooperate with their suppliers and ensure that all parties understand the risks associated with being part of the supply chain, regardless of what is being supplied.
Vulnerabilities within organizations’ networks must be disclosed. Organizations need to be transparent around vulnerability management, provide the means for the public to report vulnerabilities, and ensure that the relevant departments can act on the information.
This transparency means other organizations can act on the information and ensure they are not exploited using known vulnerabilities.
NIS2 requires an initial report within 24 hours of an organization becoming aware of any ‘significant’ incident, a full incident report within 72 hours, and a final report not later than one month after the submission of the incident notification, including:
- a detailed description of the incident, including its severity and impact
- the type of threat or root cause that is likely to have triggered the incident
- applied and ongoing mitigation measures
- where applicable, the cross-border impact of the incident.
A ‘significant’ incident is any incident that has caused or is capable of causing severe operational disruption of the service or financial loss to the entity concerned, or one that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
NIS2 encourages close cooperation and sharing of EU-level data between Member States. This enables efficient and coordinated responses to cyber incidents at both national and EU level. NIS2 also encourages Member States to use European and international standards and technical specifications relevant to the security of network and information systems, thus harmonizing the way good security practices are built.
Disclaimer: The content presented in this website is designed for educational and informational purposes exclusively. It is not meant to replace professional advice or any other legal services. WithSecure and its affiliates do not provide any guarantees or warranties regarding the accuracy or completeness of the information provided in the website. Any reliance you place on such information is therefore strictly at your own risk.