Seize the opportunity to better protect your business from Cyber Risks with SEC-IT

Prepare your NIS2 compliance

The NIS2 Directive has come into force. Don’t let the new cybersecurity requirements catch you off guard. Discover how to strengthen your resilience against cyber threats and ensure your organization’s compliance today.


1. Origin of the NIS Directive

The NIS (Network and Information Systems) Directive, introduced in 2016, was the European Union's first legislation dedicated to cybersecurity. It aimed to enhance the security of critical infrastructures, such as energy, transportation, and finance, following increased awareness of the cyber threats affecting these sectors. However, with the continuous rise in cyberattacks, particularly ransomware, and the evolution of technologies, an update was needed to address the shortcomings of NIS1.  

It was in this context that NIS2 was developed. This directive is a major update designed to better protect critical infrastructures through stricter requirements and an expansion of the covered sectors.


2. Growth in attacks

The growth in attacks reflects the rising threat of cyberattacks, particularly ransomware and attacks targeting critical infrastructures, public bodies and small and medium-sized businesses (SMBs), and justifies stricter measures such as those introduced by NIS2.

Cybersecurity has become a major concern, especially with the rise of ransomware. According to reports, cyberattacks have intensified both in frequency and sophistication, affecting essential infrastructures. For example, a major attack targeted the British laboratory Synnovis in June 2024, with a ransom demand of £40 million. The attack is emblematic of the vulnerability of essential services to cyber threats. 

3. NIS2 – What's new?

NIS2 was introduced to address the shortcomings of the first directive. Its objective is to ensure a more uniform and strengthened level of security across the EU. 

Here are some of the most notable updates: 

  • Expanded Scope: NIS2 includes new sectors such as postal services, waste management, food production, and social networks. 
  • Supply Chain Risk Management: Companies are now required to assess and secure their entire supply chain, including critical service providers. 
  • Stricter Penalties: Non-compliance penalties are more severe, with fines reaching up to €10 million or 2% of global turnover. 
  • Management Responsibility: Executives of covered companies are directly responsible for managing cybersecurity and may be held personally accountable in the event of non-compliance. 


4. Scope – Who is affected?

The scope of NIS2 has been significantly expanded. In addition to medium and large companies in critical sectors, the directive imposes strict cybersecurity obligations on subcontractors, suppliers, and employees of critical organizations. This means that protection is no longer limited to the main company but extends to the entire ecosystem of involved actors, ensuring end-to-end resilience. 


Comparison of the scope of covered sectors 

NIS2 adds sectors such as waste management, food production, chemical manufacturing, as well as social media and digital services. 


Comparison of the number of covered entities 

5. What are the specific obligations for affected companies?

Companies covered by NIS2 must comply with several specific obligations to strengthen their cybersecurity. Here are the main requirements:

1. Cybersecurity Risk Management

Companies must implement robust policies to assess, prevent, and manage cybersecurity risks, including:

  • Risk and vulnerability analysis
  • Security incident management
  • Implementation of organizational and technical controls such as encryption, access control, and asset management.

2. Supply Chain Management

NIS2 requires companies to secure their supply chains. They must assess and manage risks related to their suppliers and contractors, ensuring they also comply with cybersecurity standards.

3. Business Continuity Measures

Companies must adopt business continuity and disaster recovery plans, ensuring the ability to maintain or quickly restore essential services in case of a major incident.

4. Incident Reporting

Companies must report significant cybersecurity incidents to the relevant authorities within a defined timeframe. NIS2 introduces stricter requirements regarding the speed and content of incident reports.

5. Management Accountability

Company executives must approve risk management measures and ensure their effective implementation. Leaders may be personally liable for non-compliance.

These obligations aim to strengthen companies' resilience to cyber threats and ensure more uniform cybersecurity across the EU.


6. Stricter penalties

The sanctions provided for under the NIS2 directive are strict: essential entities risk fines of up to €10 million or 2% of annual global turnover, while important entities may face penalties of up to €7 million or 1.4% of turnover. Additionally, company management can be held personally liable for non-compliance, adding further pressure on cybersecurity risk management.


7. Prepare now with SEC-IT

SEC-IT, the cybersecurity subsidiary of the MCA Group, is there to support you.

It is crucial for companies to start preparing now for NIS2 compliance. The directive must be transposed into the national laws of EU member states by October 17, 2024, with implementation starting on October 18, 2024. Given the scope of the new obligations, such as cybersecurity risk management, supply chain security, and increased management responsibility, it is recommended to take a proactive posture as soon as possible.

At SEC IT, we leverage our expertise to address risks pragmatically and in line with real-world demands. We offer a sustainable operational organization perfectly aligned with the means and needs of each organization.

In accordance with NIS2 requirements, our comprehensive range of services helps companies comply with the new directive obligations:

  • NIS2 Assessment: Evaluation of current compliance and development of a compliance roadmap.
  • Security Framework Implementation: Development of a robust security architecture.
  • Operational Management: Daily risk and incident management.
  • Strategic Oversight: Cybersecurity monitoring and management at a decision-making level.

This approach ensures a smooth transition to full compliance for our clients while enhancing their resilience against cyber threats.


Why Choose SEC IT?

  • Recognized Experience: We have successfully supported SMEs, mid-sized companies, and public organizations in their transition to NIS2 compliance.
  • Proven Methodologies: Our systems have been validated through programs like France Relance Cyber and Diag Cyber PME, ensuring a solid and reliable approach.
  • Sustainable Support: We provide skill transfer and continuous support to assist your teams in the long term.
  • Cyber Commitment Promotion: Our specific expertise helps our clients promote their cybersecurity commitment to their own customers (B2B), strengthening their brand image.
  • Objectivity and Independence: We operate independently from publishers, manufacturers, and integrators, ensuring objective and tailored advice for your needs.
  • Recognized Audit Skills (PASSI): We are certified by the French government.

By choosing SEC-IT, you benefit from a trusted partner to navigate the complex world of cybersecurity and ensure NIS2 compliance.