The NIS2 Directive: Time for Proactive Cybersecurity

With the NIS2 Directive, mandatory security measures and reporting obligations will apply to many companies from October 2024 – even those not previously affected.

The NIS2 Directive (Network and Information Systems 2 Directive) is a comprehensive piece of EU legislation designed to enhance cybersecurity across member states. From October 2024, it will replace the original 2016 NIS Directive, extending the scope of application to more critical sectors and setting higher security requirements. In particular, digital service providers and platforms are now also included in the scope of NIS2, which significantly extends the reach of the directive.

Check whether you will be affected and which requirements you need to fulfil:

Topics the NIS2 Directive covers:

  • Risk analysis and security policies for information systems
  • Incident handling
  • Business continuity management
  • Backup management
  • Crisis management
  • Supply chain security
  • Security measures for the acquisition, development, and maintenance of network and information systems
  • Vulnerability management
  • Evaluation of the effectiveness of risk management measures
  • Security procedures for employees with access to sensitive or important data
  • Cybersecurity training and awareness
  • Concepts for the use of cryptography
  • Access control and asset management
  • Use of multi-factor authentication (MFA) or continuous authentication (SSO)
  • Secured voice, video, and text communication and, if necessary, secure emergency communication systems
  • Implementation of an information security management system

To get an overview of all topics, you can download our NIS2 checklist.

Reporting obligations for cyber incidents: What should you report?

It’s crucial to know which cyber incidents need to be reported, to whom, and in what timeframe. For example, an initial early warning must be sent to the country-specific security authority within 24 hours of a suspected incident. If the suspicion is substantiated or confirmed, a report on the security incident must follow within 72 hours. Lastly, a final report must be sent no later than one month after notification of the confirmed incident.

The final report must include the following:

  • Incident response report
  • Discussion of the exploited vulnerability
  • Remedial measures taken and ongoing
  • Area of impact

If the incident is not resolved within a month, organisations are required to deliver a progress report instead. In this case, the final report should follow no later than one month after the security incident has been dealt with.

As you can see, these deadlines are extremely tight. To save valuable time in the event of an incident, we recommend an annual ‘incident response emergency drill’ and a framework contract for incident response activities. This enables the response team to familiarise themselves with your systems in ‘peacetime’. It also allows you to define contact people, crisis teams and decision-makers in advance and familiarise them with important processes in the communication chain.

Not sure what to do next? Our experienced consultants can help you.

The directive is extensive, with many considerations and possible solutions. Airbus Protect has a team of experts who can support you to make NIS2 compliance less of a headache.

Our experts use purpose-built methodologies and frameworks and tailor our services to your needs. These include:

  • Inventory
  • NIS2 audit and gap analysis
  • Advice on cost-effective solutions
  • Planning and organisation of the next steps
  • Support with implementation
  • Ongoing support and optimisation

Do you need support in implementing the NIS2 directive? We’d be happy to help you.

Get in touch today to discover how we can support you