NIS2 Directive
The NIS2 directive (Network and Information Security 2) is the European Union's updated cyber security legislation. It entered into force in 2023 and aims to strengthen the protection of critical functions against disruptions in network and information systems. The transition period for transposing the directive into national legislation ended on October 17, 2024, but the final government bill still awaits approval in parliament (as of November 5, 2024). The directive updates and expands the previous NIS directive: it now covers more industries and companies and sets stricter requirements for cyber security and for the risk management of information systems.
The aim of the directive is to strengthen the cyber resilience of the entire EU and to protect critical services.
Key points in the NIS2 Directive:
- Expanded target group: The NIS2 directive extends its requirements to more industries, such as the energy, transport, healthcare, financial and water supply sectors. Digital services, such as cloud services and search engines, are now also covered by the directive.
- Stricter obligations: The directive requires companies and organizations to manage risks proactively and to counter threats. This includes cyber security audits, regular risk analyses and effective reporting systems for potential threats.
- Reporting obligation: The directive sets rapid reporting obligations in the event of cyber attacks and significant data security breaches. Companies must report detected threats to the national cyber security authorities, usually within 24 hours of detection, and a comprehensive report must be submitted within five days.
- Sanctions: In cases of negligence, companies can face significant sanctions, which vary between EU countries. These sanctions can be fines or other restrictive measures, especially if the negligence causes serious security risks.
- Cooperation and information exchange: The directive aims to increase cooperation and the exchange of information between member states on cyber threats and security risks, so that information security can be strengthened throughout the EU.
What this means for organizations: The NIS2 directive requires organizations to update their cyber security strategy, prepare for new threats and train personnel appropriately. This poses challenges for companies, but at the same time it offers an opportunity to improve security standards and resilience against digital threats. If a company already has, for example, an information security management system according to ISO 27001, it will be easier to meet the new requirements brought by the NIS2 directive. Conversely, by creating the processes and management systems needed to meet the requirements of the NIS2 directive, a company can quite easily meet the requirements of ISO 27001 certification as well. A well-executed and cost-effective cyber security strategy is also a competitive advantage today. Have you ever calculated what a production stoppage of a day, or even several days, costs your company?
If you need help with the challenges and requirements brought by the NIS2 directive, please contact:
mikko.uronen@unax.fi / 040 770 1453
Also read: CER Directive
Contact
Email: unax@unax.fi
Phone number: +358 40 770 1453
Business ID: 2471036-5