NIS 2 Directive

The NIS 2 Directive (Network and Information Security 2) is the new European directive that updates and strengthens the previous NIS Directive, established in 2016, with the aim of improving the level of cybersecurity and resilience of networks and information systems across the European Union. This new regulatory framework applies to a larger number of sectors, companies, and organizations, and introduces more stringent requirements for information risk management.

What is the NIS 2 Directive?

The NIS 2 Directive, which came into effect in 2022, expands the scope of the original directive and establishes new mandatory security measures for companies operating in critical sectors such as energy, transport, healthcare, digital services, and financial infrastructure. The primary objective is to address emerging cybersecurity challenges, enhance cooperation between Member States, and make companies more resilient to cyberattacks, thereby contributing to collective security in Europe.”

Sectors and Involved Companies

NIS 2 expands its scope to include new categories of companies and introduces the distinction between Essential Entities and Important Entities, encompassing both public and private organizations that provide essential services for society and the economy. The affected sectors include:

• Energy infrastructure (electricity, gas, and oil suppliers)
• Transportation services (aviation, rail, road, and maritime transport)
• Healthcare sector (hospitals, research laboratories, and pharmaceutical industries)
• Digital infrastructure (cloud providers, online service providers, data centers)
• Financial and banking services
• Digital service providers (search engines, e-commerce platforms, social media)

NIS 2 Security Requirements

La direttiva NIS 2 impone alle aziende specifici obblighi per migliorare la loro sicurezza informatica e prevenire minacce legate agli attacchi cibernetici. Tra i requisiti principali vi sono:

1. Gestione dei Rischi Cyber: Le aziende devono implementare misure preventive per identificare e mitigare i rischi informatici. Questi includono la sicurezza delle reti e dei sistemi informativi, la protezione da malware, la gestione delle vulnerabilità e il monitoraggio continuo delle minacce.
2. Piani di Continuità Operativa: La NIS 2 richiede alle organizzazioni di predisporre piani per garantire la continuità operativa in caso di incidenti informatici, riducendo al minimo l’interruzione dei servizi essenziali.
3. Segnalazione di Incidenti: Le aziende sono obbligate a segnalare tempestivamente qualsiasi incidente di sicurezza significativo alle autorità competenti entro un periodo di tempo stabilito (generalmente entro 24-72 ore). Le segnalazioni devono includere dettagli sugli impatti e sulle misure correttive adottate.
4. Audit e Verifiche Periodiche: La conformità alla NIS 2 implica audit periodici sui sistemi di sicurezza per verificare l’efficacia delle misure adottate e garantire che siano sempre aggiornate alle minacce emergenti.
5. Responsabilità della Leadership Aziendale: La direttiva introduce l’obbligo per i dirigenti aziendali di essere direttamente responsabili delle decisioni relative alla cybersecurity, includendo la supervisione e la rendicontazione di tutti gli aspetti legati alla sicurezza informatica.

Sanzioni per il Mancato Adeguamento

Una delle novità introdotte dalla NIS 2 riguarda l’inasprimento delle sanzioni per le organizzazioni che non rispettano i requisiti della direttiva. Le multe possono raggiungere cifre significative, fino al 2% del fatturato globale annuo dell’azienda o fino a 10 milioni di euro, a seconda di quale cifra sia maggiore. Questo incentivo economico è progettato per assicurare che tutte le aziende adottino le misure necessarie per proteggere i propri sistemi e infrastrutture.

I Vantaggi della Conformità alla NIS 2

1. Enhanced Protection: NIS 2 provides organizations with a clear framework for implementing a robust security management system, thereby reducing the risk of cyberattacks and data breaches.
2. Enhanced Reputation: Compliance with NIS 2 demonstrates a commitment to data protection and information security, increasing trust among customers, partners, and investors.
3. Increased Resilience: By mandating business continuity and incident response plans, NIS 2 enables organizations to react swiftly and limit the impact of cyberattacks.
4. Competitive Advantage: Organizations complying with NIS 2 will be better positioned to participate in tenders and collaborations with public and private entities, which will increasingly demand high security standards.

How ITAKA SA Can Help Your Company with NIS 2

Certifying your organization to the ISO 27001 standard covers a significant portion of the requirements necessary to comply with the NIS 2 Directive. ISO 27001, focused on information security management, shares many elements with NIS 2, including the management of cyber risks, the protection of networks and systems, and the timely reporting of incidents. However, to fully comply with NIS 2, it is necessary to address additional specific aspects of the directive.

ITAKA SA can guide you through this process, offering tailored consulting services to achieve full NIS 2 compliance. Here’s how we can help:

• NIS 2 Gap Analysis: We conduct a detailed assessment of your ISO 27001-based Information Security Management System (ISMS), identifying areas requiring additional actions to achieve NIS 2 compliance.
• NIS 2 Requirements Integration: We implement the additional measures required by NIS 2, such as strengthening governance and assigning responsibilities to company leadership, as well as improving monitoring and incident response capabilities.
• Strategic Planning: We develop customized cybersecurity plans to integrate NIS 2 requirements with your existing business processes, improving resilience and protection against cyber threats.
• Training and Support: We offer targeted training programs for your staff to ensure proper incident management and adoption of NIS 2 practices.
• Internal Audits and Monitoring: We support the execution of internal audits and provide monitoring tools to verify ongoing compliance, ensuring your organization maintains the required standards.
• Certification Assistance: If your organization is not yet ISO 27001 certified, we accompany you throughout the entire certification process, ensuring that all requirements are met to complete NIS 2 compliance.

With ITAKA SA, you can strengthen your cybersecurity and ensure full compliance with the NIS 2 Directive, reducing risks and enhancing your competitiveness in the European market.

Conclusion

NIS 2 compliance is essential for organizations operating in critical sectors and for anyone looking to protect their data and infrastructure from growing cyber threats. ITAKA SA is the ideal partner to guide your company on the path to compliance, ensuring security, efficiency, and protection against cyber risks.”