Congrats, Europe!

The NIS2 Directive has arrived, making business in Europe more cyber resilient.

 

LI_NIS2_concept2_1920x1080

Let’s get secure. Take action. Now.

NIS2 – The new Network and Information Security directive – is here, paving the way for stronger digital trust, confidence, and equity in Europe. 

From continuous monitoring and pre-emptive protection to detection and response capabilities, NIS2 guides and directs organizations to stay digitally safer, competitive, and ahead of cyber threats.

WithSecure is your European partner for NIS2 compliance. Our technologies and co-security expertise are compliant with NIS2 by design.  

Everyone has procrastinated when it comes to NIS2 – we get it, you’ve had more important things on your mind.

But, we need to get you compliant. Now. 

So, here’s what do to:

  1. Get in touch
  2. Get compliant
  3. Get back to business

It’s top management’s responsibility

As of October 18, 2024, it’s up to you to make sure their organization puts the appropriate NIS2 measures in place. This includes monitoring and mitigating cyber security risks, as well as the implementation of security solutions.

Who is impacted?

Important entities

These are typically organizations employing between 50 and 250 people, operating in important but non-critical sectors like:

  • Postal services
  • Waste management
  • Chemicals
  • Research
  • Foods Manufacturing
  • Digital Providers

Essential entities

The most critical companies in the EU. They typically employ more than 250 people and operate in the following sectors:

  • Energy
  • Transport
  • Finance
  • Public Administration
  • Health
  • Space
  • Water Supply
  • Digital infrastructure

NIS2’s minimum security requirements

A summary

Organizations should set up and maintain an information security management system that enables a systematic, proactive approach to risk management.

Organizations are required to establish appropriate capabilities to prevent and deter cyber attacks. To do this effectively, organizations must identify:

  • their most significant vulnerabilities
  • the cyber security measures necessary to minimize the risk of vulnerability exploitation
  • how the organization will detect and respond to any incidents.

The directive explicitly requires that “essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.”

Organizations should plan how they will react to an attack. Relevant stakeholders need to be trained and plans made for tackling incidents impacting business continuity and recovering from disruption and potential downtime.

Organizations are required to evaluate and manage the risks posed by vulnerabilities within their supply chain. This requirement encourages organizations to cooperate with their suppliers and ensure that all parties understand the risks associated with being part of the supply chain, regardless of what is being supplied.

Vulnerabilities within organizations’ networks must be disclosed. Organizations need to be transparent around vulnerability management, provide the means for the public to report vulnerabilities, and ensure that the relevant departments can act on the information.

This transparency means other organizations can act on the information and ensure they are not exploited using known vulnerabilities.

NIS2 requires an initial report within 24 hours of an organization becoming aware of any ‘significant’ incident, a full incident report within 72 hours, and a final report not later than one month after the submission of the incident notification, including:

  • a detailed description of the incident, including its severity and impact
  • the type of threat or root cause that is likely to have triggered the incident
  • applied and ongoing mitigation measures
  • where applicable, the cross-border impact of the incident.

A ‘significant’ incident is any incident that has caused or is capable of causing severe operational disruption of the service or financial loss to the entity concerned, or one that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

NIS2 encourages close cooperation and sharing of EU-level data between Member States. This enables efficient and coordinated responses to cyber incidents on both a national and EU level. NIS2 also encourages the use of European and international standards and technical specifications relevant to the security of network and information systems by member states, thus harmonizing the ways good security practices are being built.

Get NIS2 compliant with us

Fill in your details and we’ll get in touch.

Our services

WithSecure offers award-winning cyber security solutions. Our cloud-based security platform, Elements, includes solutions for:

Identify

W/ Elements™

Endpoint Protection

W/ Elements™

Exposure Management

W/ Attack Surface Management™

.

W/ Countercept™

.

Protect

W/ Elements™

Endpoint Protection

W/ Elements™

Collaboration Protection for M365

W/ Cloud Protection for Salesforce™

.

Detect

W/ Elements™

Endpoint Detection and Response

W/ Managed Detection and Response™

.

W/ Elevate™

W/ Co-Monitoring™

.

W/ Countercept™

.

Respond

W/ Elements™

Endpoint Detection and Response™

W/ Managed Detection and Response™

.

W/ Incident Response Retainer™

.

W/ Countercept™

.

Recover

W/ Incident Response Retainer™

.

W/ Countercept™

.

Related content

Practical tips for midsized companies around NIS2 Compliance

Discover practical steps for midsized companies to achieve NIS2 compliance by the October 2024 deadline. Learn about the NIS2 Directive, its impact on essential and important organizations, and how to navigate the challenges. Explore minimum requirements, cybersecurity mindset shifts, and the value of external solutions.

Read more

NIS2 compliance - A practical guide without the fluff

In January 2023, the NIS2 Directive—a revision of the 2016 NIS Directive—came into force. Our webinar outlines the practical ways our technology and services can help you achieve compliance.

Read more

Twelve questions to understand if NIS2 affects your organization

Bureaucratic excitement aside, laws and regulations are often written in blood; NIS2 is no exception.

Read more

Disclamer: The content presented in this website is designed for educational and informational purposes exclusively. It is not meant to replace professional advice or any other legal services. WithSecure and its affiliates do not provide any guarantees or warranties regarding the accuracy or completeness of the information provided in the website. Any reliance you place on such information is therefore strictly at your own risk