The recent NIS2 regulation (Network and Information Security Directive) will represent a radical change in the administration of cybersecurity in Europe. As of October 18, 2024, this regulation will be fully implemented in all member countries of the European Union, including its sanctions system, which includes significant fines for entities that do not adjust in a timely manner.

NIS2 replaces the current NIS directive (from 2016) with the purpose of strengthening the resilience of vital infrastructures to cyberattacks, in a global environment of increasingly sophisticated and common threats.

Below, we detail the fundamental aspects that all companies impacted by this new regulation must take into account.

Key Aspects of the NIS2 Directive

Expanding the Reach

One of the most significant changes is that NIS2 substantially increases the number of sectors and entities that must comply with the regulation. It will no longer apply only to users of fundamental services such as energy, transport or water, but also to:

  • Online services (cloud platforms, data centers, marketplaces)
  • Designers of essential goods for the economy or society
  • Key public institutions
  • Managed ICT Service Providers

As a result, thousands of European companies that were previously unregulated will now have to meet much more stringent cybersecurity requirements.

Reinforced Security Obligations

NIS2 establishes more stringent requirements when it comes to risk management and cybersecurity governance. Entities will have to:

  1. Establish policies and processes to assess and reduce risks.
  2. Safeguard networks, data systems and sensitive data.
  3. Establish security officers.
  4. Ensure the uninterrupted operation of the service in the face of incidents.

This proactive approach aims to ensure that companies not only respond to attacks, but are ready to prevent them and react efficiently.

Mandatory Incident Notification

The regulations require mandatory reporting of relevant cybersecurity incidents within very short timeframes. In particular:

  • Initial alert: within 24 hours of identifying the incident.
  • Comprehensive report: within 72 hours.
  • Final report: with evaluation, impact and corrective measures.

This responsibility aims to optimize the coordinated response at European level to large threats and attacks, reducing response periods and exposure.

Strict Sanctioning Regime

One of the most striking components of NIS2 is its sanctions system, which also takes effect on October 18, 2024. This system includes:

  • Penalties of up to 10 million euros or 2% of the company's global turnover, whichever is higher.
  • Direct responsibility of management teams.
  • Additional penalties for failure to cooperate or for repeat non-compliance.

This highlights the importance of entities implementing a solid and organized approach to cybersecurity before that time.

Is your company ready for NIS2?

The NIS2 directive will mean a structural change in how digital security is managed in Europe. Complying with it is not only a legal obligation, but an opportunity to strengthen cyber resilience and build trust between customers, partners and investors.

At Apolo Cybersecurity, we help you:

  • Assess your current level of compliance
  • Implement technical and organizational measures required by NIS2
  • Design incident reporting protocols
  • Prepare your team through specialized training

Don't wait for the last moment. Cybersecurity isn't just a technical need, it's a strategic requirement.

Request a free NIS2 compliance assessment or visit apolocybersecurity.com/ciso for more information.
