The NIS2 Directive: What You Need to Know

The last few decades have seen a remarkable evolution in the technology landscape. Widespread growth has led to a spike in cybercrime, translating into increased regulation globally. In 2016, the EU established the Network and Information Security (NIS) directive as its first comprehensive cybersecurity directive. Now, the EU is updating the directive in response to evolving cybersecurity challenges. The new NIS2 directive aims to keep pace with rapidly changing cyber threats and to address limitations identified in the original NIS framework. Let’s explore the new legislation.

Expanding the Scope of NIS2

NIS2 modernizes the cybersecurity requirements of the original NIS directive. It aims to improve the cybersecurity resilience of both public and private organizations. The directive introduces several thresholds for organizations, each with specific compliance obligations. Whether and how NIS2 applies to an organization depends on the sector it operates in, its size, and where it offers its services. In particular, any medium or large organization in a selected critical sector that provides an “essential function” will be held to the highest level of NIS2 compliance. Other organizations with a high-risk security profile will also fall within the scope of NIS for the first time.

NIS2 Focus Areas

NIS2 aims to harmonize and enforce cybersecurity standards across the EU by addressing gaps in the original NIS framework. The updates build on the requirements of the existing NIS framework, broadening the scope of the original cybersecurity directive and overlaying additional obligations. This includes increased reporting requirements by 2024.

Let’s look at some of the measures NIS2 introduces to improve the cybersecurity of network and information systems across EU organizations. Enterprises captured by NIS2 will need to review and address their compliance with the new law in the following key areas:

  • Risk analysis and information management
  • Cybersecurity training
  • Security in network and infrastructure
  • Access control and asset management
  • Supply chain security
  • Vulnerability management
  • Incident handling
  • Reporting
  • Business continuity

New Reporting Obligations

The NIS2 directive’s primary objective is to create a standard level of protection across EU member states by implementing the aforementioned cybersecurity measures. The new NIS2 directive expands the scope of the original NIS directive to new organizations. It boosts the overall cybersecurity standard and the enforcement of those standards in the EU. As part of this enhancement, a three-stage mechanism for reporting security incidents to authorities will be introduced. Organizations must submit an initial “early warning” report within 24 hours of becoming aware of the cybersecurity issue, a further report within 72 hours, and a more detailed follow-up report within a month.

The NIS2 directive recognizes the significance of coordination and communication between EU member states. Each member state will now have a national authority dedicated to cybersecurity, and the European Cyber Crisis Liaison Organisation Network (CyCLONe) will also be established to manage EU-wide incidents. Failure to report cyber incidents can be penalized according to the entity’s criticality: essential entities face fines of €10 million or 2% of global turnover (whichever is higher), and important entities face fines of €7 million or 1.4% of global turnover (whichever is higher).

Enhance Your Organization’s Security Posture

SolarWinds continuously monitors new legislation, such as NIS2. We can help IT and security teams enhance their organization’s security posture with our affordable, user-friendly security tools. Our security solutions are built to improve the agility, flexibility, and effectiveness of security and compliance teams. From managing access rights and monitoring for suspicious activity to responding to real-time threats and compliance reporting, SolarWinds security solutions can help teams increase productivity while keeping security costs in check.

Contact SolarWinds today at +1-866-530.8100 or write to sales@solarwinds.com for more information.

Kritin Padington
Kritin is the senior product marketing manager for SolarWinds security products. He has 14 years of experience in the IT industry, working at companies like…