The European Cyber Security Directive NIS2 and the new national legislation on cyber security risk management enacted for its enforcement pose new obligations for a large number of companies and organizations that require them to prepare for cyber threats. The objective of NIS2 is to raise the level of cyber security in Europe and to reduce the losses caused by cyber crime. The directive covers actors whose operations are considered to be critical for society. Such actors must comply with the requirements of NIS2 as of October 2024.
Who does the new NIS2 Directive apply to?
The number of companies included in the scope of the directive will be many times higher compared to the previous NIS1 Directive. It includes two categories of sectors: “sectors of high criticality” and “other critical sectors”. In addition to the previous NIS1 sectors, such as energy, transport, health and drinking water distributors, the scope of the directive extends to new sectors and public sector entities. The new sectors covered by the directive include the food sector and the chemicals industry. The starting point is for companies that operate in critical sectors and employ more than 50 people to be included in the scope of the directive.
– The NIS2 directive will greatly impact sectors that are characterized by a high degree of automation and digitalization, including the operational technology (OT) employed in manufacturing. In the future, food producers, chemical plants, and providers of certain digital services that are classified as critical must comply with the NIS2 Directive, says technology company Insta’s head of cyber security consulting Jyrki Nivala.
The directive will make cyber security requirements a more important part of contractual negotiations.
– The directive obliges companies to ensure the security of their supply chain. Therefore, the directive’s requirements will also affect companies to which the legislation does not directly apply, Nivala explains.
If a company conducts business in more than one EU member state, the NIS2 Directive considers the company to be subject to these member states’ separate and parallel legislation.
– It is noteworthy that other member states can nationally enact obligations that are stricter compared to Finnish legislation. Therefore, if an organization is located in another EU country in addition to Finland, compliance with the Finnish national legislation alone does not automatically mean that the obligations of all the member states are met, Nivala says.
What are the obligations of the new directive?
NIS2 establishes the basic level of cyber security risk-management measures and reporting obligations across the different sectors. According to cyber security expert Nivala, the goal is specifically to promote and develop the risk management culture. He points out that risk management measures must also target the organization’s suppliers in order to manage the cyber security risks across the entire supply chain.
– Companies must take responsibility for their subcontracting chain’s cyber security and its impact on the company’s operations. Here, having a comprehensive understanding of the operating environment is crucial for the organization’s cyber security. The majority of companies are more or less dependent on outsourced digital services, for example, Nivala says.
Where to begin?
The organization must have a comprehensive policy and procedures in place for evaluating and processing cyber security risks. These policies and procedures must also be kept up to date through regular reviews.
– A good way to start is to examine the current risk management policy and compare it with the management measures in the NIS2 Directive. An agile way to get started with NIS2 compliance is Insta’s NIS2 assessment service, in which Insta provides an assessment of the current status of the risk management measures and a prioritized list of areas for improvement, Nivala suggests.
1. Map out the current status
Assess the organization’s current status and readiness to meet the obligations of the NIS2 Directive.
Determine at least the following:
• Does the management meet the training obligations?
• How are cyber risks managed?
• Does the management monitor that the cyber security risk-management measures are implemented?
• Is your organization ready to meet the reporting obligation and to undergo ex ante and ex post supervision?
2. Begin the risk management
Verify that the level of administrative measures is appropriate considering the risks. Assess the following:
• Risk level of the organization’s operations
• Current status of the cyber security risk-management measures in relation to the risks
3. Document the outcome
Describe the current status, areas for improvement and a roadmap:
• Description of the organization’s current status in relation to compliance with the NIS2 obligations
• Prioritized list of areas for improvement
• Roadmap for compliance with the statutory obligations
Insta is one of Finland’s most significant cyber security service providers. We offer a wide range of cyber security services from consulting to cyberattack prevention and from network security to the secure digital identity of persons and devices. Our services and products are trusted by corporations and public sector organizations in Finland and abroad.