What are the NIS 2 cybersecurity standards, which European companies must apply starting tomorrow?

The NIS 2 Directive came into force on January 16, 2023, but the deadline for large companies in the Member States of the European Union to introduce and apply the new regulatory package ends this Thursday, October 17, 2024. NIS 2 is a set of EU rules aimed at improving cybersecurity in key sectors.

All cybersecurity professionals working in the public sector or in medium and large private companies have necessarily had to work on this Directive to ensure that their respective organizations or institutions comply with this set of measures.

As explained by the cybersecurity company Kaspersky, this directive applies only to certain entities in specific sectors, classifying them as essential or important entities and requiring them to comply with a series of requirements, with supervision measures and sanctions that differ according to which of the two categories they fall into.

Over the past few years, we have seen the number of cyberattacks targeting businesses increase without pause. In fact, Spain is one of the countries most affected by this type of attack. In the first half of 2024, we were the fifth country worldwide in cyberattacks received by companies, which is why data leaks have been in the headlines in recent months.

These cyberattacks normally consist of ransomware, that is, data hijacking that forces companies to pay a sum of money to recover files and information. They entail not only an economic risk but also an institutional or geopolitical one when they affect sensitive infrastructure such as the banking, energy or medical systems. It is in this context that the European Union seeks to strengthen as much as possible the integrity of the computer systems of large companies.

What measures does NIS 2 include?

The NIS 2 Directive formalizes a series of requirements that relevant companies in each economy must meet to ensure the integrity of their data and that of their clients or users.

These include requirements related to risk analysis, information systems security, incident management, business continuity, supply chain security, network and information systems acquisition, basic digital hygiene practices, cybersecurity training, the use of cryptography, human resources security, access control policies and asset management, as indicated by Kaspersky.

For example, it obliges companies to notify and collaborate with governments and authorities when they become aware that they have suffered a cyberattack, and urges them to evaluate and monitor risks so that they take an active stance against possible threats.

Failure to comply with these standards and protocols will result in fines for companies that, due to their size, fall into the given classifications. Specifically, sanctions can be up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities.

What sectors does it affect?

As we said, this directive is aimed at companies that are part of “highly critical sectors.” The sectors considered “essential” are:

  • Energy
  • Drinking water
  • Transport companies
  • Digital infrastructure
  • Banks
  • Sewage
  • Financial market infrastructure
  • ICT service management (B2B)
  • Health
  • Public administration
  • Space

On the other hand, the sectors considered “important” or “other critical sectors” are:

  • Postal and courier services
  • Food production and distribution
  • Waste, operations and maintenance
  • Industry
  • Manufacturing and distribution of chemical products
  • Research
  • Digital providers

However, any SME or startup, especially those that collect personal information from their clients, should constantly work on cybersecurity to avoid data leaks.
