NIS2
The NIS2 Directive provides EU-wide legislation on cybersecurity. NIS2 is an update to the previous Network and Information Security (NIS) Directive. Its objective is to create a common level of cybersecurity across the European Union’s Member States. Like the General Data Protection Regulation (GDPR), NIS2 aims to harmonize measures and approaches across the EU Member States to secure digital infrastructure — in this case, best practices in tackling the growing onslaught of cyberattacks.
target industry
- essential sectors (e.g., energy, transport, banking) and important sectors (e.g., postal services, waste management, digital services).
- Generally applies to medium and large companies in these sectors
minimum measures
- Risk assessments and security policies for information systems
- Policies and procedures for evaluating the effectiveness of security measures.
- Policies and procedures for the use of cryptography and, when relevant, encryption.
- A plan for handling security incidents
- Security around the procurement of systems and the development and operation of systems. This means having policies for handling and reporting vulnerabilities.
- Cybersecurity training and a practice for basic computer hygiene.
- Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organizations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.
- A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.
- The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication, when appropriate.
- Security around supply chains and the relationship between the company and direct supplier. Companies must choose security measures that fit the vulnerabilities of each direct supplier. And then companies must assess the overall security level for all suppliers.