Test if you need to adhere to the NIS2 directive
Published: September 24, 2024
As a continuation of the security requirements established in the NIS Directive, the follow-up NIS2 is now being introduced. In the new directive, the requirements are stricter, but most notably, supervisory authorities will be able to impose concrete sanctions on organizations that fail to comply. The directive will be implemented into national legislation during the fall.
The main purpose is to raise the level of security within critical sectors of society. However, companies and organizations with an indirect connection to these sectors may also fall under the scope of affected activities.
Lantero has developed some questions to help you determine if you need to comply with the regulations. If the answer to any of these questions is yes, you should take a closer look at the regulations and establish a plan or approach to the new rules.
- Do we provide services or infrastructure in sectors such as energy, transport, banking, healthcare, water supply, or digital services?
- Do we have customers in essential societal operations? (Even suppliers and third-party vendors may fall under NIS2.)
- Do we manage critical infrastructure or digital services that impact national security or economic stability? (Organizations that affect national or societal security are generally included.)
- Does our organization have more than 50 employees or an annual turnover exceeding 10 million euros?
- Are we dependent on networks and information systems to provide our products or services? (NIS2 targets organizations whose operations rely on digital systems.)
- Have we previously been subjected to cyberattacks or other security incidents that may have affected our operations or our customers' data integrity? (Companies that handle sensitive data and have been targeted by cyber threats may fall under NIS2.)
Given that the directive also affects many subcontractors to the primarily affected organizations, it becomes a concern for many. It is still unclear how thoroughly the follow-up of subcontractors' NIS2 compliance will be conducted, but it is likely that it will be an advantage to demonstrate a structured approach and awareness of where one stands in relation to the framework.
"We encounter many who feel that the regulations are too far-reaching and impose requirements on more organizations than necessary. At the same time, there is an opposing view among those who work closely with security issues or have been exposed to various types of attacks. They often feel that the framework is wise for most to adhere to," says Petter Tiger at Lantero.