EU NIS 2 – Why All Industries Should Take Action Now

_ The EU NIS 2 Directive (Network and Information Systems) of the European Union has been in effect since January 16th and responds to the increasing cyberattacks during geopolitical crises, particularly threatening socially relevant institutions and organizations. This new directive demands enhanced technical and organizational information security for the 18 expanded industries classified as "critical infrastructure," including sectors such as healthcare, energy, information technology & telecommunications, finance & insurance, as well as transportation and traffic. Recently, even companies with 50 or more employees or an annual turnover of 10 million euros are required to fulfill specific obligations regarding cybersecurity, as are providers of digital services and parts of the public administration, regardless of their size, being regulated._

Measures to be implemented include the establishment of an ISMS, such as ISO 27001 or IT basic protection, as well as specific technical measures. Specific technical requirements include stringent multi-factor authentication and technical-organizational access controls like SSO. At the same time, the competencies of the European Cybersecurity Agency ENISA are strengthened, as it serves as the central reporting and registration point for all companies subject to the regulation.

The expansion of industries classified as critical infrastructure is one thing and initially applies only to the mentioned sectors, while other companies outside these sectors may not perceive an immediate need for action. However, Article 21 of the new regulation includes a directive that also applies to sectors beyond the extended areas. Besides the necessary internal cybersecurity measures, NIS 2 also requires security within the supply chain of critical infrastructure. This implies that all IT service providers, hardware suppliers, and systems integrators responsible for core processes fall under NIS 2 guidelines to remain operational. Thus, the new NIS 2 guidelines have significantly more impact on market participants outside the regulated sector than initially expected, at least once these participants have customers within the extended CRITIS sector.

Why You Should Act Now

The increased requirements must be transposed into national law by October 2024 at the latest. Reliable implementation of necessary measures through appropriate solutions takes time, especially if the demand for cybersecurity solutions and service providers suddenly surges.

Whether you are part of the expanded critical infrastructure or a service provider, a certain lead time is necessary for sufficient testing, closing potential gaps, and being well-prepared for the effective date, as the fines and liability for violations should not be underestimated. The range of fines is tied to revenues, much like with the GDPR. In addition to the risk of a successful cyberattack, even a minor security gap can result in expensive penalties, regardless of whether an attack is successful or not.

Need support?

As a Cloud IAM provider with integrated multi-factor authentication and experts in the field of cybersecurity, we are here to assist you in implementing the required security measures and ensuring that you can confidently face the effective date in October 2024. Regardless of whether it's mandated or not, at Bare.ID, we already adhere to the highest security and compliance standards to meet the needs of heavily regulated industries.