EU NIS 2 - What's Changing and Why Should All Industries Take Action Now?
7 February 2023
_The EU NIS 2 Directive (Network and Information Security, Directive (EU) 2022/2555) has been in force since 16 January 2023. It responds to the rise in cyberattacks during geopolitical crises, which particularly threaten institutions and organizations of societal importance. The directive demands stronger technical and organizational information security in the 18 sectors now classified as critical infrastructure, among them healthcare, energy, information technology and telecommunications, finance and insurance, and transport. Within these sectors, companies with 50 or more employees or an annual turnover above 10 million euros must fulfil specific cybersecurity obligations; certain providers of digital services and parts of the public administration are regulated regardless of their size._
The required measures include establishing an information security management system (ISMS), for example according to ISO 27001 or BSI IT-Grundschutz, as well as specific technical controls. Article 21 of the directive explicitly names multi-factor authentication (or continuous authentication) and access control policies; a central identity and access management system with single sign-on is one way to implement such controls. At the same time, the role of the European Union Agency for Cybersecurity (ENISA) is strengthened: among other things, it maintains a registry of certain cross-border digital service providers. Incident reporting itself goes to the national CSIRT or competent authority of each member state, not to ENISA.
The expansion of the sectors classified as critical infrastructure is one thing, and at first glance it applies only to the sectors named above, so companies outside them may see no immediate need for action. However, Article 21 of the directive also reaches beyond these sectors: in addition to their own internal cybersecurity measures, regulated entities must address security in their supply chain, including the security-related aspects of their relationships with direct suppliers and service providers. In practice this means that IT service providers, hardware suppliers and systems integrators involved in an operator's core processes will be asked to demonstrate NIS 2-compatible security, typically through contractual requirements and supplier assessments, if they want to keep that business. NIS 2 therefore affects market participants outside the regulated sectors considerably more than initially expected, at least once they have customers within the expanded critical infrastructure sector.
Why You Should Act Now
Member states must transpose the increased requirements into national law by 17 October 2024 at the latest. Reliably implementing the necessary measures with suitable solutions takes time, especially if demand for cybersecurity solutions and service providers surges for everyone at the same time.
Whether you are part of the expanded critical infrastructure or one of its service providers, you need lead time for sufficient testing, closing gaps and being well prepared for the effective date, because the fines and management liability for violations should not be underestimated. As with the GDPR, the fines are tied to turnover: up to 10 million euros or 2% of worldwide annual turnover for essential entities, and up to 7 million euros or 1.4% for important entities. These penalties attach to non-compliance with the risk-management and reporting obligations themselves, so a gap in the required measures can become expensive even if no attack ever succeeds.
As a cloud IAM provider with integrated multi-factor authentication and experts in cybersecurity, we can help you implement the required security measures so that you can face the October 2024 deadline with confidence. Mandated or not, at Bare.ID we already adhere to the highest security and compliance standards to meet the needs of heavily regulated industries.
Bare.ID represents user-friendly Identity & Access Management in the cloud. With Bare.ID, digital business processes and applications can be connected to a local user directory, benefiting from centralized security and Single Sign-On. Whether On-Premise, Hybrid, or Cloud, Bare.ID offers a multitude of pre-configured integrations. 100% security, Made in Germany.
Bare.ID is a product and registered trademark of Bare.ID GmbH - an AOE Group company © 2023 - All rights reserved.