In 2016, the European Union (EU) adopted the Network and Information Security (NIS) directive, Directive (EU) 2016/1148, as its first EU-wide cybersecurity legislation. Its successor, NIS2, replaces that directive in response to a threat landscape that has changed considerably since then. Let’s break down NIS2 and discuss how SolarWinds® solutions can help your organization improve its security incident-handling capabilities.
The Legislation in Context
The NIS2 Directive aims to harmonize cybersecurity requirements across the European Union by addressing gaps in the original NIS framework: it broadens the scope of the original directive, brings many more entities into it, and overlays additional obligations. NIS2, officially Directive (EU) 2022/2555, was adopted on December 14, 2022, and published in the Official Journal of the European Union on December 27, 2022. Member states had until October 17, 2024, to transpose it into national law, with the national measures applying from October 18, 2024, the date on which the original NIS directive was repealed (although most member states missed the transposition deadline). The directive requires member states to adopt national cybersecurity strategies, to designate competent authorities, a single point of contact, and computer security incident response teams (CSIRTs), and it imposes cybersecurity risk-management measures and incident-reporting obligations on the entities within its scope.
Criteria and Requirements of the NIS2 Directive
NIS2 applies on a tiered basis: whether and how it applies to an organization depends on the sector in which the organization operates, its size, and where it offers its services. In-scope entities are classified as either essential or important. Broadly, large entities in the sectors of high criticality listed in Annex I (for example energy, transport, banking, health, drinking water, digital infrastructure, and public administration) are essential entities and face the strictest supervision, while medium-sized entities in those sectors and medium or large entities in the other critical sectors of Annex II (for example postal services, waste management, food, manufacturing, and digital providers) are important entities. Some entities are in scope regardless of size, including providers of public electronic communications networks, trust service providers, top-level domain name registries, and DNS service providers. As a result, many organizations fall within the scope of NIS for the first time.

Entities subject to NIS2 must review and ensure compliance in various areas, including risk analysis and information-system security policies, cybersecurity training and cyber hygiene, security in network acquisition and infrastructure, access control and asset management, supply chain security, vulnerability handling and disclosure, incident handling, reporting, business continuity and crisis management, and the use of cryptography and multi-factor authentication where appropriate.

A three-stage mechanism for reporting significant incidents to the competent authority or CSIRT is introduced. Organizations must submit an initial “early warning” within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours that includes an initial assessment of the incident’s severity and impact and, where available, indicators of compromise, and a final report no later than one month after the incident notification. Authorities may also request intermediate status updates while the incident is ongoing.

The NIS2 directive also recognizes the significance of coordination and communication between EU member states. Each member state must have at least one national competent authority for cybersecurity, and NIS2 formally establishes the European Cyber Crisis Liaison Organisation Network (CyCLONe) to coordinate the management of large-scale incidents and crises across the EU. Failures to meet the risk-management or reporting obligations can be fined according to the entity’s classification: up to at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to at least €7 million or 1.4% of total worldwide annual turnover (whichever is higher) for important entities.
How SolarWinds Can Help
SolarWinds offers a suite of products that can help strengthen your organization’s security posture, which in turn can assist with NIS2 compliance in the areas of risk management, incident handling, reporting obligations, and access control and authentication requirements.
Solutions Built to Enhance Security Posture
The NIS2 Directive represents a significant update to the EU’s approach to cybersecurity. While it presents new obligations for organizations, solutions such as SolarWinds Security Event Manager (SEM), Access Rights Manager (ARM), and Patch Manager can help with the log collection and incident-handling, access-control, and vulnerability-management measures the directive calls for. With these tools, you can strengthen your organization’s cybersecurity measures and take a structured approach to meeting the evolving demands of regulations such as the NIS2 Directive, while improving the agility and flexibility of your security and compliance teams.
Looking for the right tools to transform your security posture? Find the SolarWinds suite of cybersecurity solutions here.