The issue is particularly topical as cyber-attacks by cybercriminals have become more frequent, sophisticated and lucrative, most strikingly in the wake of the recent widespread and successful ransomware attacks that have affected several of our own clients. In addition, the coronavirus pandemic has accelerated digitalisation in almost all sectors, but simultaneously, this has brought new threats, more security incidents and new dependencies. In addition, the Russia-Ukraine conflict is also taking place in cyberspace, which has also highlighted many vulnerabilities within the EU.
If a company fails to comply with the directive, the maximum fine that can be imposed is EUR 10,000,000 or up to 2% of the company’s global annual turnover, whichever is higher. It is important to underline that under the directive, even the management can be held liable and, in serious cases, managers can be temporarily prohibited from future management activities if the organisation concerned does not comply with the cybersecurity requirements of NIS2.
Who is concerned by NIS2?
Primarily, medium and large enterprises are affected, more specifically organisations with at least 50 employees or an annual net turnover of 10 million euros.
Regardless of their size, businesses in the following priority sectors in particular must comply with NIS2 requirements:
- energy (electricity, district heating and cooling, oil, gas, hydrogen)
- banking and financial services and the infrastructure providers for these services
- health care
- drinking water services
- Wastewater management
- digital infrastructure providers (e.g., internet service providers, DNS providers, cloud providers)
What to do?
Compliance with NIS2 can be certified and audited by organisations accredited by the competent authority and verified by said authority. However, whether for certification or for an audit, it is advisable to prepare in-house, in particular by:
- Implementing an information security management system (ISMS) or reviewing the existing system based on a risk analysis.
- Implementing proactive security measures (incident prevention, incident management).
- Implementing an incident management protocol to mitigate the impact of an incident should it occur.
- Introduction of business continuity management (BCM) or review of existing systems (e.g., management of backup systems and disaster recovery and crisis management).
- Appointing an Information Technology Security Officer (ITPO).
- Identification of possible GDPR interfaces in the event of an incident involving personal data and completion of data management documentation (e.g., processes) as necessary.
- Implementing measures to ensure supply chain security (including aspects related to the security of relationships between individual organizations and their direct suppliers or service providers).