NIS2 special: what you REALLY need to know
and I mean, REALLY

Awww yeah baby, it's time for the NIS2 speciaaaaal!
Who's ready? Show me those hands!
In this week's edition:
NIS2 special: what you REALLY need to know
Disable User explains: Governance
Reading time: 03:34

NIS2 special: what you REALLY need to know
Alright. It's time to spill the cake.
You know what really grinds my gears?
All these companies doing NIS2 webinars for the past couple of months.
Little facts, no clarity, just adding to the confusion.
"We think it's going to plot out like this…"
"It's probably going to ask you to…"
"Unsure which companies are going to need to comply, but…"
Horrible.
With the it's-on-now date drawing near, the time is finally right for me to dedicate an entire edition to the NIS2.
Are you ready for… THE NIS2 SPECIAL?
Welcome to the World of NIS2
The EU is upping its cybersecurity ante with the NIS2 Directive.
This isn't just a tweak or a minor update; it's a comprehensive revamp of its predecessor, NIS.
Just like with the GDPR's predecessor, nobody cared about it.

Now there's a 2nd version. Bigger, better, stronger.
So, what are the key features of NIS2?
Wider Scope - NIS2 isn't just for the 'cool kids' club of critical infrastructures anymore. It expands to cover a wider range of sectors, including digital platforms, energy, transport, banking, health, and even public administration.
Stricter Security and Incident Response - Organizations need to have solid risk management practices and report significant cyber incidents.
Higher Fines for Non-Compliance - Just like in the '90s when you'd get fined for not rewinding your video rental, NIS2 slaps heftier fines on organizations that don't comply.
Mandatory Reporting - Companies must report serious cyber incidents.
Enhanced Cooperation - NIS2 encourages EU countries to play nice together in the digital sandbox. It's about sharing information, capabilities, and best practices to create a stronger, united front against cyber threats.
National Supervisory Authorities - Each EU country needs to have these cyber sheriffs to oversee the implementation of NIS2. They're the ones ensuring everyone sticks to the rules.
Focus on Supply Chain Security - NIS2 recognizes that in our interconnected world, your security is only as strong as your weakest link. It emphasizes the need to secure the entire supply chain.
So for those wondering if they have to comply, here's a list of all the sectors that need to comply, split up by category:
Essential Entities
Energy: This includes electricity, oil, and gas
Transport: Air, rail, water, and road transport. Think of everything from your local bus to those huge cargo ships.
Banking: Your local and not-so-local banks
Financial Market Infrastructures: This is the high-level finance stuff, like stock exchanges and clearinghouses.
Health Sector: Hospitals, labs, and manufacturers of critical medical devices. Basically, the folks who keep us healthy and gaming.
Drinking Water Supply and Distribution: Because staying hydrated while binge-playing Mario Kart is important.
Digital Infrastructure: This covers ISPs, DNS service providers, and, crucially, TLD name registries. Essentially, the backbone of the internet.
Managed Service Providers: all companies who provide IT-services.
Public Administration: Government bodies, from local councils to national departments.
Space: Yes, space! This includes entities involved in activities related to outer space.
Waste Water Treatment: Ensuring our waste water is treated and managed properly.
Important Entities
Food: Including production, processing, distribution, and storage. Basically, everything that keeps your fridge stocked.
Manufacturing: Specific types of manufacturers, especially those producing critical products.
Digital Providers: Online marketplaces, online search engines, and cloud computing services.
Postal and Courier Services: Think of the folks delivering your Amazon packages.
Waste Management: The management and handling of waste.
Research and Development: Because, well, recent events have shown how vital this is.
Chemical: Companies dealing with chemicals. Not the kind in your high school science lab, but the big players.
Quite the lists.
But that's not all!
Essential Entities need to comply if:
They are directly appointed by the CER guideline, or
They have either 250 employees or an annual revenue of 50 million.
Important Entities need to comply if:
They have either 50 employees or an annual revenue of 10 million.
So you've made it this far. Your company needs to comply. How do you do it?
If you have something like an ISO 27001 certification, you've got most parts covered. Be sure to add the NIS2 as a relevant law and regulation, add the governing body to your incident response plans, and you're a-ok.
If you don't, it's time to roll up those sleeves. Get an ISO 27001-light and seek some professional help.
The reason I like this directive is that I think this should have been mandatory for years.
Forcing companies to perform a decent risk analysis on more than the coffee machine breaking down (arguably the most important thing, I know) is a major step in the right direction.
My 2 cents? I think this will expand further and further, until every company needs to comply before 2030.
Even your local bakery.
While some will find this worrisome, you'll reap the rewards if you get hit by a security incident and actually know what to do.


Governance
Governance is the process of making and enforcing decisions within an organization or society.
Governance is like herding cats, but with more paperwork and less purring.

