NIS2 Cybersecurity: Are You Ready for the EU Deadline?

The Evolving Landscape of EU Cybersecurity

2024 is expected to be a challenging year for Supplier Assurance, but also a year of legislative change in cybersecurity. This series of blog posts will walk you through the major changes coming this year, including the EU NIS2 cybersecurity compliance changes and their impact on your business. Change can be difficult to adapt to, but hopefully the information here will make things easier.

EU NIS2 Cybersecurity Compliance

What is NIS2? A Look at the Updated Directive

NIS, in its current form, aims to establish a standardised level of cybersecurity across EU member states, which at the time of its adoption included the United Kingdom. Since the UK is no longer bound by EU legislation, NIS2 does not directly apply to UK businesses. However, if you conduct any business within the EU, you need to pay attention. NIS2 represents an evolution of the initial framework by expanding its scope to include additional sectors and, most importantly, mandating its implementation into national law across all EU member states.

Who Needs to Comply with NIS2? (Including Businesses Outside the EU)

NIS2 now encompasses 16 sectors considered vital for ensuring a safe and efficient society. These sectors include energy, transport, health, drinking water, financial market infrastructure, banking, digital infrastructure, space, wastewater, ICT service management, postal services, food, waste management, digital service providers, manufacturing, and chemical manufacturing. Additionally, companies located outside the EU that provide critical services within the EU are also subject to the directive’s provisions. This is especially important for UK businesses to note.

NIS2 entered the EU legislative framework on January 16, 2023, with Member States having until October 17, 2024, to transpose these measures into national law. However, as with most legislative changes, there are some implementation hurdles. Firstly, each EU Member State will incorporate NIS2 into national law in its own way, so what looks like NIS2 in France may differ slightly from its counterpart in Ireland, although the core framework will be the same. Secondly, the detailed requirements of NIS2 are due to be released in October 2024, and implementing something without all the information can be challenging. So far, we know that NIS2 requires organisations to implement cyber governance and risk management while understanding their reporting obligations. Articles 20[1], 21[2] and 23[3] outline these requirements.

Key Deadlines and Implementation Challenges of NIS2:

  • October 17, 2024: Deadline for EU Member States to transpose NIS2 into national law.
  • October 2024 (expected): Release of detailed NIS2 requirements.

Challenges:

  • Variations in implementation across EU member states.
  • Lack of complete information on detailed requirements until October 2024.

Preparing for NIS2 Compliance: Steps Your Business Can Take Now

EU businesses that provide services to the 16 critical sectors outlined above will almost certainly need to comply with the directive. This may mean improving your cybersecurity posture to maintain these European links.

While there is currently no certification specifically for NIS2 compliance, putting yourself in the best possible position by implementing other frameworks like ISO 27001 is a sound first step towards demonstrating compliance. ISO 27001 is an internationally recognised standard for information security management that helps organisations implement best practices for protecting their data. Governance under NIS2 looks very similar to Clauses 5 and 6 of ISO 27001:2022, along with some of the Annex A controls you might already be familiar with.

Once the full NIS2 requirements are released, expect an update from us here at Team Risk Evolves.

Stay Informed and Secure with Team Risk Evolves

We hope this information helps you understand the impact of NIS2 on your business. Stay tuned for further updates as the details of NIS2 become clearer. In the meantime, if your business operates within the EU or provides critical services there, proactive steps towards improved cybersecurity are highly recommended.

Contact Team Risk Evolves today

If you need any assistance with any of the new legislation coming into force in 2024, help with ISO 27001 or anything else information security related, be sure to reach out.

[1] Article 20 requires Member States to ensure that the management bodies of essential and important organisations approve the cybersecurity risk management measures.
[2] Article 21 stipulates that Member States must guarantee that essential and significant entities implement suitable and proportional technical, operational, and organisational measures to mitigate the security risks associated with network and information systems. The level of proportionality is determined by factors such as the organisation’s exposure to risk, its scale, and the probability and potential severity of incidents, including their economic and societal ramifications.
[3] Article 23 requires that Member States ensure organisations notify the CSIRT or competent authority in case of a significant impact on the provision of services.
MD for Risk Evolves, Helen has worked in the IT industry since 1986. Helen is a leader in the areas of risk management and operational improvement, and works with companies in senior governance, risk and compliance roles. She is a member of the British Standards Institute and is a member of the BSI Committee creating a new guidance standard to assist organisations on how to become cyber resilient. Helen and the team at Risk Evolves work with organisations to improve their resilience through stronger process implementation and better communication and education of staff.