Cybersecurity is a crucial challenge for all companies in an increasingly global and digitalised environment. The NIS2 Directive takes over from the NIS1 Directive (2016) and has as its main objective to define a European legal framework and minimise the impact of cyberattacks on users and organisations. To this end, it includes a series of procedures for cybersecurity authorship that include prevention, monitoring and notification of attacks , accompanied by high penalties for strategic sectors and digital providers .
Article content
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is an evolution of the NIS1 Directive (EU 2016/1148), introduced in 2016 as a regulatory framework for the security of networks and information systems within the European Union. However, the increasing sophistication of cyberattacks and the need for greater digital protection has prompted an update of this legislation.
Adopted in November 2022 and in force since 16 January 2023, the NIS2 Directive responds to new cyber threats, such as the rise of attacks seeking to extort companies and access confidential information for illicit profit. EU Member States must transpose the provisions of the NIS2 Directive into their national legislation by 17 October 2024.
Among the new features of NIS2, the expansion of the regulation to more strategic sectors considered essential, as well as to digital service providers , stands out . In addition, it reinforces the security requirements that affected companies must comply with, with measures that include:
Implementation of cyber incident reporting processes .
Improving collaboration and information sharing on security breaches .
The creation of a European support network to manage crises generated by cyberattacks or vulnerabilities ( EU-CYCLONe )
To whom does the NIS2 directive apply?
The NIS2 Directive applies to public and private companies in a wide range of sectors considered critical to the economic and social stability of the European Union. These sectors fall into two broad categories:
NIS2 High Criticality Essential Sectors:
Energy
Banking and financial market infrastructure
Health
Transport
Digital infrastructure
Drinking water and waste water
Public Administration (excluding bodies such as the Judiciary, Parliaments and Central Banks)
ICT service providers
Non-core sectors NIS2:
Investigation
Chemistry
Feeding
Postal services
Digital Suppliers
Manufacturing
Waste management
Companies within these sectors will have to comply with strict cybersecurity criteria set out by the NIS2 Directive . Penalties for non-compliance can amount to €10 million or 2% of annual turnover in essential sectors, and up to €2 million in the case of non-essential sectors.
The Email data helps in marking those customers that can be retained and those who email data will churn. By identifying the behavior of the customers, the business can thus carry out retention methods such as sending them re-engagement emails or special offers to retain them.
What requirements does the NIS2 Directive require?
The NIS2 Directive sets out a number of mandatory measures that affected companies must implement to effectively manage cybersecurity risks and how to conduct a swot analysis for a marketing paper comply with incident reporting obligations. These measures seek to minimise the impact of incidents on users and protect strategic supplies and services . These include:
Security policies for information systems and risk analysis.
Cyber incident management .
Business continuity plans , including backup management and disaster recovery .
Supply chain security , ensuring that suppliers comply with cybersecurity standards.
Policies for the secure acquisition, development and maintenance of network and information systems.
Procedures for evaluating the effectiveness of risk management measures.
Training in cybersecurity and basic cyber hygiene practices .
Use of cryptography and, where appropriate, encryption.
Human resources security policies, access control and asset management.
Implementation of multi-factor authentication or continuous authentication and secure communications within the entity.
These measures will be mandatory from 27 October 2024 and must be proportional to the size and activity of the organisation. In addition, it will be mandatory to report any incident that may affect third parties within a maximum period of 24 hours.
NIS2 Directive in Spain: Impact and adaptation
The NIS2 Directive in Spain establishes new responsibilities for companies within critical and strategic sectors. The country must implement this European regulation before October 17, 2024 , adapting its legislation to comply with cybersecurity requirements . The BOE will be the official medium where the incorporation of this directive is published, and companies must be vigilant to avoid incurring sanctions that could reach 10 million euros . The implementation of the measures included in the NIS2 Directive represents a considerable challenge, since they involve the review of the technological and security infrastructure.
European NIS2 Directive: New cybersecurity measures
The European NIS2 Directive not only strengthens protection mechanisms for companies, but also seeks to unify cybersecurity criteria among the Member States of the European Union . Organizations must implement stricter controls, such as multifactor authentication and incident notification within 24 hours . In turn, the creation of a collaborative framework between European countries is planned to manage threats and share information efficiently. This comprehensive approach will improve the resilience of networks and information systems at a continental level .
How can Edorteam help you?
If you suspect that your company may be affected by the NIS2 Directive or you wish to assess the cybersecurity level of your organization, at Edorteam adb directory we have more than 30 years of experience protecting our clients’ data. Our team of experts in legal regulations, cybersecurity and data protection can advise you to ensure compliance with the legislation and protect your company’s critical information.
For more information, please consult INCIBE (Spanish Institute of Cybersecurity) or contact us . Our expert cybersecurity consultants will advise you without obligation.