Twelve questions to understand if NIS2 affects your organization

Published: 04/2023
Albert Koubov Gonzalez

Security & Risk Management Consultant, WithSecure

Bureaucratic excitement aside, laws and regulations are often written in blood; NIS2 is no exception.

The original Network and Information Security Directive was penned from the fallout of a hundred data breaches, and aimed to enforce a common level of cyber security capability across organizations within EU member states. 

The key changes that caught our eye concern incident reporting and risk assessment. Two questions are therefore a good place to start on the path to compliance:

  1. Do you have incident management procedures for reporting an early warning within 24h to the responsible authority, followed by 72h Incident Notification, followed by Status Updates on demand, and a final report within one month?

  2. Do you regularly perform risk assessments in your organization, with established risk owners and business functions, covering information security risks including physical and environmental security and supply chain risk?

The key question you’ll probably want the answer to is this: Does NIS2 apply to my organization? 

Take our quiz to find out: first, whether NIS2 applies to you, and second, what has changed since the original Directive. The NIS2 requirement questions follow the applicability questions below.

Does NIS2 apply to my organization?


  1. Were you previously in scope of the original NIS Directive as an operator of an essential service?

    If yes, then NIS2 applies to you.

  2. Are you part of the manufacturing industry and do you manufacture goods such as medical devices, machinery or motor vehicles?

    If yes, then NIS2 applies to you. Annex II of the Directive specifies which manufacturing sub-sectors are covered.

  3. Are you a medium-sized or large enterprise according to the definition in Commission Recommendation 2003/361/EC (for example, you employ 50 or more people, or your annual turnover and/or annual balance sheet total exceeds EUR 10 million)?

    If no, then NIS2 most likely does not apply to you, since this size-cap rule was introduced in NIS2. There are several exceptions, detailed in Article 2(2) of the Directive, under which certain entities are covered regardless of their size.

  4. Are you identified as a critical entity under the EU Directive on the resilience of critical entities (CER)? Under that Directive, a critical entity is considered to be of particular European significance if it provides an essential service to or in six or more member states.

    If yes, then NIS2 applies to you, regardless of size. Again, check the actual CER Directive to be sure. We can probably also help.

  5. Do you provide trust services covered by Regulation (EU) No 910/2014 ("eIDAS Regulation")? 

    If yes, then NIS2 applies to you unless these services are used exclusively within closed systems resulting from national law or from agreements between a defined set of participants.  

  6. Are you part of the aviation sector? 

    If yes, then NIS2 applies to you.

  7. Are you a healthcare provider, or a manufacturer of basic pharmaceutical products and pharmaceutical preparations?

    If yes, then NIS2 applies to you. Annex I of the Directive specifies which health sub-sectors are covered.

  8. Do you provide data center services, that is, storage, processing and transport of data together with the operation of IT and network equipment (for example as a Managed Services Provider), including the facilities and infrastructure for power distribution and environmental control?

    If yes, then NIS2 applies to you as a data center service provider. Note that the data center service definition excludes cloud computing services as defined in ISO/IEC 17788:2014, but cloud computing service providers are listed separately under digital infrastructure in Annex I, so NIS2 applies to them as well.

  9. Do you operate a top-level-domain (TLD) name registry, or provide publicly available recursive domain name resolution services for internet end-users or authoritative domain name resolution services (DNS)?

    If yes, then NIS2 applies to you.

  10. Do you provide services in one of the steps of the postal delivery chain: clearance, sorting, distribution or pick-up?

    If yes, then NIS2 applies to you.

  11. Are you an ISP providing public electronic communications networks or publicly available electronic communications services? 

    If yes, then NIS2 applies to you.

  12. Are you part of the financial sector (bank, insurance, investment)? 

    If yes, then NIS2 applies to you, but the requirements of the EU Digital Operational Resilience Act (DORA) take precedence over NIS2 where they overlap (lex specialis).

NIS2 Requirement Questions

Questions four and five cover the reporting and risk assessment obligations that NIS2 emphasizes and specifies in detail, but all of these questions are worth considering:

  1. Is your management body involved in information security governance, for example by approving security investments and measuring the implementation of security measures?

  2. Do you provide security awareness training for all your employees, including the management body (C-suite, senior management and members of the board)?

  3. Do you follow human resources security practices such as screening, and the onboarding and offboarding of access rights and assets?

  4. Do you have incident management procedures for reporting an early warning within 24h to the responsible authority, followed by 72h Incident Notification, followed by Status Updates on demand, and a final report within 1 month? 

  5. Do you regularly perform risk assessments in your organization, with established risk owners and business functions, covering information security risks including physical and environmental security and supply chain risk?

  6. Do you have a business continuity plan, disaster recovery plans and crisis management procedures in place, and are they regularly exercised?

  7. Do you have documented information security policies and procedures in place that steer information security and state what the organization expects of its people and suppliers?

  8. Do you incorporate information security measures into contractual arrangements with your direct suppliers and service providers? 

  9. Are you aware that these information security requirements apply not only to your internal IT functions but also to your outsourced IT functions?

  10. Will you be NIS2-ready within 21 months of the Directive entering into force, at the latest?

  11. Do you have secure development practices in place, and procedures for vulnerability handling and disclosure?

  12. Do you regularly perform internal audits and penetration testing to gauge your security posture and identify vulnerabilities?

What to do next if NIS2 applies to you

WithSecure's Security & Risk Management Services

Our Security & Risk Management Services, more commonly known as Governance, Risk and Compliance (GRC), can assist with risk modeling, assessments and workshops, incident readiness including business continuity and disaster recovery planning, supplier audits, maturity assessments, awareness training, and information security strategy and governance.

ISO27001

If you also want to tackle these requirements with ISO 27001, or are already aiming to implement ISO 27001 as a way of working, then WithSecure's Security & Risk Management Services can help you. WithSecure is experienced in both ISO 27001 implementation and ISO 27001 internal audit work. Contact us to find out more and to get our expert guidance.

Complimentary 60-Minute Cybersecurity Clinic with our frontline experts


Related resources

NIS2 – are you affected and how to comply

Organizations have until October 2024 to comply with NIS2. This document explains what organizations need to do now and how we can help. 


Digital Operational Resilience Act

Assess and implement what you need to comply with this EU regulation.

Countercept MDR can help you to fulfil the requirements for ISO 27001 certification

This article explains how the WithSecure Countercept managed detection and response service can help to support, and provide evidence for, ISO 27001 security controls.

Countercept MDR Europe-only

With Europe-only Countercept MDR, your data stays in Europe. Simple as that.
