NIS2 Compliance

The Directive on Measures for a High Common Level of Cybersecurity across the Union (aka NIS 2 Directive) was published on 27 December 2022. The NIS2 Directive is a significant extension of the initial, NIS Directive of 2016. A core difference between these 2 directives is the wider industries scope, required to comply with the Directive.

As with all European directives, it will be transposed into national legislation by all Member States, with the deadline set to October 2024. Thereafter, the National Competent Authorities of Member States will need to ensure compliance at the national level and enforcement of the national law, with the power to impose penalties and conformance measures.

For an overview on the differences between the 2 directives, consult our article EU NIS Directive Receives Update Proposal.

Scope

NIS 2 defines 2 categories of entities within EU, based on their criticality to EU economy and society: essential and important:

Essential Entities (EEs)	Important Entities (IEs)
>250 employees, >50 M€ turnover, >43 M€ balance	50-250 employees, turnover between 10 and 50 M€, balance < 43 M€
Energy: supply, distribution, transmission and sale of electricity, gas, oil, heating/cooling, hydrogen, EV charging point operators	Postal and courier services providers
Air, rail, road and water transport	Waste management
Banking & finance: credit, trade, market and infrastructure	Chemical products: production and distribution
Health: healthcare providers, research laboratories, pharmaceuticals, medical device manufacturing	Food: distribution and production
Water: drinking water suppliers and wastewater operators	Manufacturers: medical/diagnostic devices, computers, electronics, optics, machinery, motor vehicles, trailers, semi-trailers, other transport equipment
Digital infrastructure and IT services: DNS, name registries, trust services, data centres, cloud computing, electronic communication services, managed services and managed security services	Digital providers: online marketplaces, search engines, social platforms
Public administration	Research organisations
Space: ground-based infrastructure operators

Therefore, in case your organization falls under one of the above categories, compliance with NIS2 Directive will be required. Depending on your organization's readiness level, further developments and implementation steps may be required, in one or more cyber security domains, such as: risk analysis, business continuity, supply chain security, incident handling, information systems development practices, cryptography, multi-factor authentication, etc.

SpearIT can support and guide your organisation throughout the journey towards compliance with NIS2 Directive, with a full-fledged NIS2 compliance and consulting service bundle:

Readiness Assessment

The current state of your organization's readiness against NIS2 Directive is assessed and compliance gaps are identified. The readiness assessment acts as the primary road map towards your organization's NIS2 compliance, based on the category of entity it belongs.

Proactive Cybersecurity Management Framework

One of the core, high-level requirements of NIS2 Directive is the formal approval of the cybersecurity risk-management measures and the oversight of their implementation by the management structures of essential and important entities.

To faciliate this requirement and to proactively manage cybersecurity risks, SpearIT can assist in crafting a complete cybersecurity management framework, ultimately helping your organization's management board to have risk visibility and take informed decisions.

In this context and according to the principle of proportionality, policies related to incident prevention, detection and response, business continuity, third party risk management (TPM) are designed and documented.

Regular training sessions to key stakeholders are also provided, to ensure adequate skills of the board and personnel

Implementation of Technical & Organizational Measures

Following policy definition, the implementation of cybersecurity policies is faciliated with SpearIT's team of cybersecurity and complience experts, helping you to design and properly implement the needed organizational and technical measures, aligned with your organization's policies and the requirements of NIS2 Directive.

Continuous Monitoring

SpearIT can assist with the continuous monitoring and validation of your NIS2 compliance state, as well as the effectivenes of your applied measures. Trusted advisors stay by your management's and cybersecurity department's side, ensuring proactive response to threats and potential regulatory changes.

Intersection with other EU Regulations

An overlap of NIS2 Directive with requirements set by other, sector-specific regulations is observed. As a general rule, NIS2 shall not apply to entities regulated by sector-specific legislation, if the requirements set by the latter are at least equivalent in effect to those of NIS2 Directive.

Clarification guidelines for the overlap between NIS2 and sector-specific cybersecurity are expected to be published by European Commission within 2023.

eIDAS 2.0

Trust Service Providers are established in eIDAS and eIDAS 2 Regulations. Per NIS2 Directive, such providers are considered essential entities and therefore, are required to comply with NIS2 Directive.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) targets businesses and organisations operating in the financial sector, as well as critical related third parties.

Act ahead of time. Connect with a NIS2 compliance expert.

START HERE

NIS2 Compliance

Scope

Readiness Assessment

Proactive Cybersecurity Management Framework

Implementation of Technical & Organizational Measures

Continuous Monitoring

Intersection with other EU Regulations

eIDAS 2.0

Digital Operational Resilience Act (DORA)

Latest News

Ukrainian NBU BankID System preparing for EU recognition

Cypriot National eID becomes notified

Cypriot National eID becomes pre-notified