NIS2 (Network and Information Security 2) is an EU-wide directive on cybersecurity, meaning the security of networks, information systems, applications, software and information. It provides legal measures to raise the overall level of cybersecurity in the EU. It establishes common rules for the member states of the European Union and for the organizations to which these rules will compulsorily apply. These entities must comply with a number of network and information security requirements established by the NIS2 Directive.
What organizations must comply with NIS2
The obligations arising from the NIS2 Directive apply to operators of essential services in the energy, transport, banking, financial market infrastructure, healthcare and digital infrastructure sectors. Entities are divided into two basic groups: essential entities and important entities.
Essential entities are all organizations from the following sectors:
- energy (electricity, district heating and cooling, oil, gas and hydrogen)
- transport (air, rail, water and road)
- banking and financial market infrastructures
- healthcare and production of pharmaceutical and medical devices
- drinking water and waste water
- digital infrastructure, Internet exchange points (IXPs), DNS service providers, Internet top-level domain (TLD) name registries
- cloud computing service providers, data center service providers, content delivery networks
- providers of trust services and of public electronic communications networks and electronic communications services
- public administration
- universities
Important entities include those that fall into these industries:
- postal and courier services
- waste management, chemical substances
- foodstuffs
- production of other medical devices, computers and electronics, machinery and motor vehicles
- digital providers (internet marketplaces, internet search engines and social network service platforms)
Basic NIS2 obligations for companies and organizations
Businesses and organizations under NIS2 are obligated to implement, secure and document their information security management processes and their technical and organizational measures. This means implementing appropriate technical, organizational and educational measures and documenting them.
Technical measures for NIS2
- secure your information systems, applications, software
- ensure network security and the security of other technical IT infrastructure
- physically secure the technical IT infrastructure
- ensure the resilience of the internal network and information systems
- introduce detection and evaluation of cyber threats
- implement data protection such as backup, encryption or other measures
- ensure technical measures to increase network and information security
Process, management and organizational measures for NIS2
- implement internal information security processes
- ensure the continuity of services and the operation of its information systems and applications
- record and report every security incident that has a significant impact on the functioning of the organization
- carry out a cyber security risk assessment and implement a risk management system
- implement appropriate and adequate organizational security measures to increase network and information security
Measures in documentation and training of workers
- have security documentation such as a Security Policy
- ensure the education of users and employees in the field of information security
- provide documentation to demonstrate compliance with NIS2
NIS2 compliance documentation
Therefore, each organization must implement measures and maintain adequate documentation about them so that it can demonstrate compliance with NIS2. As an integrated risk management and NIS2 compliance management system, Aptien will help with complete compliance documentation management, incident information management, and managing the measures that follow from audit findings, risk analysis, or specific incidents:
- management of security guidelines
- documentation of information security management processes
- awareness and training of employees and other workers with security guidelines
- maintaining a register of information assets and IT infrastructure
- IT infrastructure documentation
- security documentation of the applications and software used
- documentation of technical and organizational measures to increase network and information security
- maintaining a register of cyber security risks, threats and vulnerabilities
- registration and management of incidents
- management of audits
- management of measures and continuous improvement