[Image: The European Parliament has adopted a new version of the Network and Information Security directive (NIS2). Bureau Veritas]

New cybersecurity requirements (NIS2): who must comply with them?

Nov. 30 2022

Do you want to join the upcoming NIS2 webinar?

Webinar in cybersecurity:
NIS2: the importance of the directive for management, its requirements, and options for achieving compliance

Date: Thursday, March 16, 2023

If you cannot take part in the NIS2 webinar on March 16, 2023, you can instead watch, or re-watch, the recording of the webinar held on January 26, 2023.

What is the NIS2 directive?

At a time of increasing cyber attacks and increasing digitalisation in general, the original directive (NIS) has been updated and extended into NIS2. NIS2 raises the minimum requirements to a higher level of IT security and brings more sectors, companies and public bodies into scope.

The European Parliament has adopted a new version of the Network and Information Security directive (NIS2): a modernised framework, built on the EU's directive on network and information security, whose purpose is to improve the member states' collective IT security. The directive strengthens EU-level cooperation (the network of national CSIRTs and the crisis-management network EU-CyCLONe) and imposes incident-reporting duties and information exchange regarding the critical infrastructure of the EU member states.

With this directive, the Parliament wishes to raise awareness, sharpen obligations and establish stronger minimum obligations for risk management, incident reporting and information exchange. Among other things, the requirements cover incident handling, supply-chain security, the use of cryptography and encryption, and vulnerability handling and disclosure within the sector. Incident reporting is staged: a significant incident must be notified to the national CSIRT or competent authority with an early warning within 24 hours, an incident notification within 72 hours and a final report within one month.

"Ransomware and other cyber threats have been racking Europe for far too long. We need to act to make our companies, governments and societies more resistant to hostile cyber operations," said MEP Bart Groothuis (Renew, NL), the Parliament's rapporteur for the directive. "This EU directive will help around 160,000 entities tighten their security grip and make Europe a safe place to live and work. It will also facilitate information exchange between the private sector and partners around the world. If we are attacked on an industrial scale, we must react on an industrial scale." [1]

Margrethe Vestager, Executive Vice-President of the European Commission, emphasises: "The adopted directive will strengthen the existing security and incident-reporting obligations for companies and at the same time extend the scope. I think it is very important that new sectors become part of this and that new types of services ensure a coherent and harmonised cross-sectoral approach to cyber security." [1]

Who must comply with the requirements in NIS2?

Broadly, NIS2 applies to companies in the covered sectors that are at least medium-sized, i.e. with 50 or more employees, or with an annual turnover or annual balance sheet total above EUR 10 million, although there are exceptions in both directions. Certain entity types are covered regardless of size, for instance providers of public electronic communications networks, trust service providers, TLD name registries and DNS service providers. In addition, a smaller company can be brought into scope if the authorities assess that it supplies a critical function or service, for example as the sole provider in a member state of a service that is essential to society or the economy.

It is important that your company familiarises itself with the new directive already now. Member states must transpose the new requirements into national law within 21 months of the directive's entry into force, and no later than 27 months after entry into force they must have drawn up a list of the essential and important entities subject to it. Danish companies can therefore expect to hear from the responsible Danish authority before that date, but should not wait to be told: the directive requires entities themselves to submit the information (name, address, sector and so on) that the authorities need to compile the list, and the obligations apply to every entity that meets the criteria, whether or not it has been contacted.

Would you like to hear more, or are you wondering how your company must respond to the new NIS2 directive? Then please do not hesitate to contact Klaus Ahrensbach by phone (+45) 2145 1390 or email klaus.ahrensbach@bureauveritas.com.

Sectors covered

Essential entities (Annex I):
Energy (electricity*, EV charging services (new in NIS2), district heating (new in NIS2), oil, gas, hydrogen (new in NIS2))
Transport (air, rail, water, road)
Banking
Financial market infrastructure
Health (healthcare providers; new in NIS2: EU reference laboratories, research and development of medicinal products, manufacture of basic pharmaceutical products, manufacture of medical devices)
Drinking water
Waste water (new in NIS2)
Digital infrastructure (IXPs, DNS service providers, TLD name registries; new in NIS2: data centre services, public electronic communications networks and services, trust service providers, and cloud computing, which moves here from the NIS1 digital service provider category)
Public administration (new in NIS2)
Space and ground services (new in NIS2)

Important entities (Annex II):
Postal and courier services (new in NIS2)
Waste management (new in NIS2)
Chemicals (manufacture, production and distribution) (new in NIS2)
Food (manufacture, production and distribution) (new in NIS2)
Manufacturing (new in NIS2): medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers, and other transport equipment (EFT L31; NACE divisions 26, 27, 28, 29 and 30)
Digital providers (online marketplaces, online search engines, social networking platforms (new in NIS2))

* New entity types under electricity in NIS2: electricity market participants, production, aggregation, demand response and energy storage.
Entries marked (new in NIS2) were not covered by the original NIS directive; the remaining entries are carried over from NIS1.