
EU NIS 2 - A Guide To Compliance With AI

EU NIS 2 Directive - A Guide By DISS-CO
INTRODUCTION OF THE EU NIS 2

The NIS 2 Directive (Directive (EU) 2022/2555) significantly updates and expands the cybersecurity and risk management obligations across the European Union, repealing the original NIS Directive (Directive (EU) 2016/1148). It introduces comprehensive measures aimed at achieving a high common level of cybersecurity across all Member States, enhancing the internal market’s functioning through improved security protocols and incident response capabilities.

The NIS 2 Directive (Directive (EU) 2022/2555) came into force on January 16, 2023, 20 days after its publication in the Official Journal of the European Union on December 27, 2022. Member States are required to transpose the directive into their national law by October 17, 2024.

Understanding the Application

The Directive applies to both public and private entities that are identified as either “essential” or “important” entities across various sectors such as energy, transport, health, and digital infrastructure. This includes providers of public electronic communications networks, trust service providers, and domain name system service providers, regardless of their size. Public administration entities, especially those at the central government level, are also covered under specific conditions. A list of essential and important entities is to be established and regularly updated by Member States.

Identifying the Obligated Parties

Under the NIS 2 Directive, companies are obliged to fulfill its requirements if they qualify as “medium-sized enterprises” or exceed the ceilings for medium-sized enterprises as defined by Article 2 of the Annex to Recommendation 2003/361/EC.

This generally includes companies with either more than 250 employees, or an annual turnover exceeding EUR 50 million and/or an annual balance sheet total exceeding EUR 43 million.

Under the NIS 2 Directive, certain sectors are obliged to comply with its requirements regardless of the size of the entities within those sectors. These include:

Providers of public electronic communications networks or of publicly available electronic communications services

This category broadly encompasses entities offering services and infrastructure essential for digital communications across the EU.

Trust service providers

These entities offer services and digital tools for ensuring the security and authenticity of electronic transactions, including digital signatures, seals, time stamps, and related certificate services.

Top-level domain name registries and domain name system (DNS) service providers

This includes organizations responsible for managing and operating top-level domains (e.g., .com, .eu) and those providing DNS services critical for the functioning of the internet.

Entities identified as critical entities under Directive (EU) 2022/2557

These are entities deemed essential for maintaining vital societal functions or economic activities, encompassing a broader range of sectors and not limited by size.

Furthermore, the Directive applies to any entity, regardless of size, if:

1) The service provided by the entity is essential for the maintenance of critical societal or economic activities.

2) Disruption of the service could have a significant impact on public safety, security, or health, or could induce significant systemic risk with cross-border implications.

3) The entity has a specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State.

Understanding The Requirements

Entities under the Directive’s scope are obligated to adopt risk management measures and report significant cybersecurity incidents. These requirements are detailed in the NIS 2 Directive and include policies on risk analysis, incident handling, business continuity, and supply chain security. Additionally, entities must adhere to standards for network and information systems’ security, covering aspects from basic cyber hygiene to the use of cryptography and continuous authentication solutions.

Potential Sanctions for Non-Compliance

For non-compliance, the NIS 2 Directive empowers Member States to impose administrative fines on essential and important entities, which can be as high as EUR 10 million or 2% of the total worldwide annual turnover of the undertaking to which the entity belongs, whichever is higher. These sanctions are designed to be effective, proportionate, and dissuasive, considering the severity, duration, and intentional nature of the infringement, among other factors.

Implementation and Enforcement

Member States are responsible for designating competent authorities to oversee the implementation of the NIS 2 Directive. These authorities have powers to conduct inspections, order corrective measures, and impose fines. The Directive also establishes a Cooperation Group and a CSIRTs network to facilitate strategic cooperation and information exchange among Member States, enhancing the collective cybersecurity posture of the EU.

ENHANCED RISK MANAGEMENT

NIS 2 outlines a comprehensive set of cybersecurity measures that obliged companies need to implement. Here’s a breakdown of key areas and the corresponding articles:

1. Technical and Operational Measures

Take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, which the company uses for its operations or for the provision of its services, and to prevent or minimise the impact of incidents on recipients of its services and on other services.

2. Risk Assessment

When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

ENHANCE NIS 2 COMPLIANCE WITH EFFECTIVE ISMS IMPLEMENTATION

3. ISMS Implementation

Ensure a level of security of network and information systems appropriate to the risks posed:

Implement policies and procedures

Establish policies on risk analysis and information system security and procedures to assess the effectiveness of cybersecurity risk-management measures; policies on the use of cryptography and, where appropriate, encryption.

Incident response plan

Respond to incidents and mitigate the risks to avoid such incidents in the future; ensure reporting to relevant authorities within the legal deadlines in accordance with the GDPR.

Business continuity management

Develop a plan for backup management and disaster recovery, and crisis management.

Supply chain security

Consider security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

Network security

Ensure security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.

Cryptographic control

Cryptographic control refers to the use of cryptographic techniques and tools to protect the confidentiality, integrity, and authenticity of information. These controls are vital components of an entity’s cybersecurity and data protection measures, helping to safeguard sensitive data against unauthorized access, disclosure, alteration, and destruction.

IMPROVE NIS 2 COMPLIANCE WITH HUMAN RESOURCE SECURITY

Human resources security in cybersecurity refers to the policies, procedures, and measures implemented to manage and mitigate the risks that employees, contractors, and third-party service providers pose to an organization’s information security. It encompasses a range of activities aimed at ensuring that individuals who are hired, work with, or leave the organization do not adversely affect its cybersecurity posture. Key aspects of human resources security include:

Pre-employment Screening

Conducting background checks and verifying the credentials of potential employees to assess their reliability and integrity before hiring.

Access management

Ensuring that employees have access only to the information and resources necessary for their job roles. This involves implementing the principle of least privilege and regularly reviewing and adjusting access rights as job roles change or employees leave the organization. The use of multi-factor authentication or continuous authentication solutions must be considered.

Asset management

Asset management is the systematic process of identifying, cataloging, managing, and protecting an organization’s digital and physical assets throughout their lifecycle.

Secure offboarding

When employees leave the organization, it’s crucial to securely terminate their access to all systems and retrieve any company-owned equipment or information. This process helps prevent former employees from accessing sensitive information or systems without authorization.

Contractual and legal protections

Including confidentiality agreements and clauses related to information security in employment contracts. This ensures that employees are legally bound to protect the organization’s sensitive information.

Regular security assessments

Conducting regular assessments of human resources security processes and practices to identify and mitigate any new or evolving risks associated with personnel.

Cybersecurity training

Providing regular training and awareness programs to educate employees about cybersecurity risks, policies, and procedures. This includes training on recognizing phishing attempts, securing sensitive information, using security tools, and reporting security incidents.

AI AND BLOCKCHAIN FOR AN EFFICIENT NIS 2 COMPLIANCE
Enhance Your NIS 2 Compliance Journey with Our AI-Driven Smart Integrity Platform:

1. Leveraging the power of artificial intelligence, our platform offers a holistic solution for managing policies and procedures, orchestrating incident responses while simultaneously addressing data privacy risks.

2. It streamlines asset management, supplier and service provider onboarding and monitoring, and simplifies the management of risk mitigation tasks.

3. With AI at its core, our platform not only facilitates the creation of an intuitive management dashboard for comprehensive oversight but also provides intelligent budget control and approval processes for both one-time and recurring tasks.

EASY COMPLIANCE WITH THE SMART INTEGRITY PLATFORM

Compliance with the NIS 2 Directive

Elevate your organization's compliance strategy with our AI-enhanced Smart Integrity Platform, ensuring a seamless, efficient, and effective approach to meeting NIS 2 Directive requirements!
