
NIS2

Everything IT needs to know

NIS2 is certainly receiving a lot of attention these days. The new directive has been mentioned in a great many studies, articles and speeches recently. Are you wondering how to get caught up with it, and how you can easily and quickly find out what is important from an IT perspective? Here you will find everything you need to plan and implement the new regulations in your organisation.


What is NIS2?

The NIS2 Directive (Network and Information Systems Directive 2) is the EU-wide legislation that sets general standards for cyber security. The directive covers institutions and companies that are essential to society’s functioning.


NIS2 is an update of the 2016 NIS Directive. The directive was enacted as a response to changes in the digital landscape and increasingly sophisticated cyber-attacks. All European Union countries must transpose the new directive into their national law, and the law interpretation must be published in each member state by October 2024.


NIS2 sets out new security rules for providers of essential services in key sectors. The NIS2 provisions cover both public institutions and private companies. Examples of their business areas include energy, banking, and healthcare.

What key changes are included in NIS2?

  • NIS2 expands the scope of entities and covers more sectors of the economy.

  • The directive imposes new obligations on entities, such as:

    • implementation of risk analysis and management solutions,

    • introduction of a systems security policy,

    • securing supply chains,

    • developing a Business Continuity Plan.

  • The NIS2 Directive tightens incident reporting requirements and increases sanctions for non-compliance.

  • It places responsibility on those in leadership positions, so that managers are also liable for failure to meet NIS2 guidelines.

  • NIS2 eliminates the distinction between operators of essential services and digital service providers, instead making a distinction between critical and important entities.

  • The new directive takes into account medium and large companies in selected industries and may also cover entities that are subcontractors or suppliers to these companies.

 

Who is covered by NIS2?

Predictions indicate that NIS2 will cover some tens of thousands more organisations than its predecessor. The new directive expands the catalogue to include the following entities, which are categorised as medium and large companies*:

Essential Entities

Energy

Transport

Financial Market Infrastructures

Health

Drinking Water

Waste Water

Digital Infrastructure

ICT Service Management (business-to-business)

Space


Important Entities

Postal and courier services

Waste management

Digital providers

Research


Importantly, NIS2 makes risk assessments mandatory for all direct suppliers and subcontractors.

NIS2 also imposes obligations related to monitoring and checking supply chain security. This category includes:

  • the process of detecting and responding to security incidents, and supporting technologies

  • cyclic pentesting and security audits

  • vulnerability management

  • security control of the supplier's software development process

  • vendor risk analysis

Therefore, a company that isn’t directly covered by NIS2, but provides services to an organisation that is covered, may still have to comply with the directive.

 

Time to prepare

Each EU member state shall adopt and publish the measures necessary to comply with this directive by 17 October 2024. They shall apply those measures from 18 October 2024.


However, all regulations should be based on the general provisions of the NIS2 Directive and achieve its goals and requirements.

 

EU countries have some leeway in interpreting the provisions - some countries' proposals include a change in the amount of penalties or even a change in the entities covered.

What penalties are in place for non-compliance with NIS2?

NIS2 also contains sanctions that will be imposed on entities that do not comply with the directive.

The directive mentions the heavy financial penalties that can be imposed not only on organisations, but also on managers.



Essential Entities:

The maximum penalty can be EUR 10 million or 2% of the company's total annual worldwide turnover from the previous financial year, whichever is higher.


Important Entities:

The maximum penalty can be EUR 7 million or 1.4% of the company's total annual worldwide turnover from the previous financial year, whichever is higher.

 

How to prepare for NIS2?

Meet a tool that addresses many of the key challenges of the new directive - the IT management software Axence nVision®. Find out how we can support you in preparing for the entry into force of the new regulations and learn more about areas in which we are happy to help you.


Axence responds to NIS2


  • ☐ CHALLENGE
    Risk analysis: A properly conducted risk analysis is fundamental to ensuring NIS2 compliance. One of the key steps is to identify your company's core and supporting assets.
    ☑ SOLUTION of Axence

    Get to know the Inventory module in Axence nVision®. It allows you to carry out an inventory control easily and quickly. With its help, you can classify both physical resources, such as hardware or network infrastructure elements, and intangible resources, such as information collections. The inventory of resources is crucial in the risk analysis process. It allows you to properly identify key assets, such as IT infrastructure elements and the threats that affect them. This is the basis for implementing an integrated information security system.

  • ☐ CHALLENGE
    Incident management: NIS2 places great emphasis on this aspect of cyber security. Attacks by cybercriminals and data leaks are occurring with increasing frequency, so incident management is prioritised in the new law.
    ☑ SOLUTION of Axence

    The HelpDesk module in Axence nVision® allows you to:

    • ✓ Record events and incidents
    • ✓ Respond and solve problems quickly
    • ✓ Classify and evaluate incidents
    • ✓ Assign tasks and evaluate incident escalation
    • ✓ Track progress and make reports
    • ✓ Keep records and learn lessons for the future
  • NIS2 contains many more standards and regulations that we will help you comply with


    • ☐ CHALLENGE
      Business continuity, e.g. backup, disaster recovery management, and crisis management.
      ☑ SOLUTION of Axence

      The Network module, one component of the Axence nVision® software, prevents costly downtime. It detects anomalies in device operation and monitors key device parameters. With us, your server room is also fully secure - you can monitor room temperature and humidity in real time.

    • ☐ CHALLENGE
      Supply chain security, including the security aspects of the relationship between each entity and its direct suppliers or service providers
      ☑ SOLUTION of Axence

      In the Inventory module, part of Axence nVision®, you can create a register of hardware and software suppliers. This improves supply chain security. A proper inventory of assets with information on the solution manufacturer facilitates supplier records and supply chain risk assessment.

    • ☐ CHALLENGE
      Securing the acquisition, development and maintenance of networks and information systems, including handling and disclosing vulnerabilities.
      ☑ SOLUTION of Axence

      Axence nVision® allows you to analyse operative assets in the Inventory module, which is a prerequisite for effective technical vulnerability management.

    • ☐ CHALLENGE
      Policies and procedures for the use of cryptography and, where applicable, encryption
      ☑ SOLUTION of Axence

      The Dataguard module in Axence nVision® allows remote encryption of drives and other connected storage media using BitLocker.

    • ☐ CHALLENGE
      User security, access control policy and asset management
      ☑ SOLUTION of Axence

      The Inventory module in Axence nVision® allows you to record access to information systems and manage core and supporting assets.



 

Watch the webinar

Fill out the form to receive a recording of the webinar, during which the presenters will talk in detail and demonstrate in practice how to prepare for the new directive.


Piotr Adamczyk

Technical Account Manager at Axence

Iva Tasheva

Co-founder and cybersecurity lead at CYEN

Copyright © 2024 Axence Sp. z o. o. Sp. j.
