What is NIS2

Last updated: 2024-10-31

NIS2 (Network and Information Security 2) is an EU-wide directive on cybersecurity. It covers the security of networks, information systems, applications, software and information. The goal of NIS2 is to increase the resilience of organizations against cyber attacks. It provides legal measures to raise the overall level of cybersecurity in the EU and establishes common rules for the member states of the European Union and for the organizations to which these rules will compulsorily apply. These entities must comply with a number of network and information security requirements laid down by the NIS2 Directive. What they need to do to comply with the NIS2 obligations can be summarised in the following ten points:

  1. know what data you have, where it is and what other assets it depends on (see assets)
  2. know what your weaknesses and risks are, i.e. put in place risk assessment and management
  3. ensure the security and protection of, and access to, data and information
  4. train staff, particularly in cyber security
  5. ensure the security of your IT and information systems - applications, software, hardware and other IT equipment
  6. manage the IT services you buy and the suppliers you use, including cloud services
  7. protect against attacks and know how to respond to attacks and incidents
  8. ensure the recovery of your business and processes in the event of an attack or disaster
  9. implement information security guidelines
  10. ensure the ongoing operation and improvement of the above

It is up to individual countries to decide how to implement the Directive.

The different parts of NIS2 can be visualized as a fish diagram. People and training are the tail fin that sets everything in motion. Policies, as the dorsal fin, together with the processes fin, stabilize the whole system. Data, information, information technology and services are the innards. The risk management system is the brain. Audits and controls are the watchful eye. Measures are the head behind which the whole system moves forward.

Who is responsible for NIS2 and what are the risks to organizations if they fail to comply with the law?

  • The law establishes the direct responsibility of statutory bodies
  • Failure to comply could result in a fine of up to €10 million or 2% of annual turnover

What organizations must comply with NIS2

The obligations arising from the NIS2 directive apply to operators of essential services in the energy, transport, banking, financial market infrastructure, healthcare and digital infrastructure sectors. Entities are divided into two basic groups: essential entities and important entities.

Essential entities are all organizations from the following sectors:

  • energy (electricity, district heating and cooling, oil, gas and hydrogen)
  • transport (air, rail, water and road)
  • banking and financial market infrastructure
  • healthcare and production of pharmaceutical and medical devices
  • drinking water and waste water
  • digital infrastructure, Internet exchange nodes, DNS service providers, Internet Top Level Domain (TLD) registries
  • cloud computing service providers, data center service providers, content delivery networks
  • trust service providers and providers of public electronic communications networks and electronic communications services
  • public administration
  • universities

Important entities include those that fall into these industries:

  • postal and courier services
  • waste management
  • chemical manufacturing
  • foodstuffs
  • production of other medical devices, computers and electronics, machinery and motor vehicles
  • digital providers (internet marketplaces, internet search engines and social network service platforms)

Basic NIS2 obligations for companies and organizations

Businesses and organizations under NIS2 are obligated to implement, secure and document their information security management processes and their technical and organizational measures. This means implementing appropriate technical, organizational and educational measures and documenting them.

Technical measures for NIS2

  • secure your information systems, applications, software
  • ensure network security and the security of other technical IT infrastructure
  • physically secure the technical IT infrastructure
  • ensure the resilience of the internal network and information systems
  • introduce detection and evaluation of cyber threats
  • implement data protection such as backup, encryption or other measures
  • ensure technical measures to increase network and information security

Process, management and organizational measures for NIS2

  • implement internal information security processes
  • ensure the continuity of services and the operation of your information systems and applications
  • record and report every security incident that has a significant impact on the functioning of the organization
  • carry out a cyber security risk assessment and implement a risk management system
  • implement appropriate and adequate organizational security measures to increase network and information security

Measures in documentation and training of workers

  • have security documentation such as a Security Policy
  • ensure the training of users and employees in the field of information security
  • provide documentation to demonstrate compliance with NIS2

NIS2 compliance documentation

Each organization must therefore implement measures and maintain adequate documentation of them so that it can demonstrate compliance with NIS2. As an integrated risk management and compliance management system for NIS2, Aptien helps with complete compliance documentation management, incident information management, and managing the measures that follow from audit findings, risk analysis, or specific incidents.

  • management of security guidelines
  • documentation of information security management processes
  • awareness and training of employees and other workers with security guidelines
  • maintaining a register of information assets and IT infrastructure
  • IT infrastructure documentation
  • security documentation of the applications and software used
  • documentation of technical and organizational measures to increase network and information security
  • maintaining a register of cyber security risks, threats and vulnerabilities
  • registration and management of incidents
  • management of audits
  • management of measures and continuous improvement

Keeping records of your assets - information and IT equipment

  • maintaining information about your primary assets and their dependencies on supporting assets
  • maintaining information and documentation on your supporting assets, IT equipment and infrastructure
  • security documentation of the applications and software used
  • maintaining information about IT services and their suppliers
  • keeping documentation of stored backups, test plans and maintenance

Management of primary and supporting assets for NIS2

Introducing a risk management system into the organization

  • maintaining a risk register in accordance with the requirements of the Cyber Security Act
  • maintaining an overview of threats and vulnerabilities
  • maintaining an overview of primary and supporting assets and their context

Risk catalogue management for NIS2

Process support

Popdora processes for NIS2

Security Incident Logging

Security Incident Management for NIS2

Managing your suppliers

  • maintaining information on service providers
  • maintaining information on suppliers' methodology
  • maintaining information about your employees' access to services (e.g. cloud services)
  • maintaining information on the security of purchased services

Supplier and IT service management support for NIS2

Staff training

Managing staff training for NIS2

Business continuity management and continuous improvement system

  • documentation of technical and organizational measures to increase network and information security

Action and improvement management for NIS2

Maintaining directives and other internal regulations

Maintaining security directives for NIS2

Managing your internal audits

  • maintaining information on audits and their findings
  • management of follow-up to findings
  • planning regular testing, updating and maintenance management

Audit and control management support for NIS2