The EU's Network and Information Security (NIS) Directive was the first EU-wide legislation on cybersecurity, brought in to address increasing cyberthreats facing European organizations.
However, fragmentation at different levels resulted in difficulties responding to growing threats posed by digitalisation and cyber-attacks.
To address this, the Commission has proposed NIS2 to replace the NIS Directive. NIS2 seeks to strengthen security requirements and streamline reporting obligations. The new legislation introduces more stringent supervisory measures and stricter enforcement requirements. NIS2 also places greater emphasis on the responsibility of executives, and obliges more entities and sectors to take measures to increase cybersecurity.
Adopted in November 2022, Member States have until October 2024 to transpose its measures into national law.
NIS2 requires organizations to implement secure communications solutions
NIS2 applies not only to operators of essential services (OES) and digital service providers (DSPs), but to any entities that provide services essential for the maintenance of critical societal and economic activities.
NIS2 requires medium to large sized entities within the relevant sectors to take appropriate technical and organisational measures to manage risks posed to their network security and information systems.
One of the key requirements of the NIS2 directives, outlined in article 21, is the use of secure communications platforms. Specifically, operators of essential services and digital service providers will be required to use multi-factor authentication or continuous authentication solutions to ensure the protection of data, as well as secured voice, video, text communications, and emergency communication systems where appropriate.
In addition, article 24 of the directive allows Member States to require essential and important entities to use specific ICT products, services, and processes that are certified under European cybersecurity certification schemes to demonstrate compliance with the requirements of article 21.
Why compliance is vital for your organization
The importance of compliance with these directives cannot be overstated. Organisations that fail to take adequate measures to protect their networks and information systems risk not only financial losses but huge reputational damage and legal liabilities. Fines for non-compliance can reach up to 2% of an organization’s total annual turnover or €10 million, whichever is greater.
Executives and directors face severe consequences for non compliance. Under the new regulations, Member States are required to establish legal penalties which can include substantial fines and even criminal charges in some cases. Additionally, executives and directors also face personal liability for any breaches that occur as a result of their failure to implement adequate cybersecurity measures.
In short, the stakes are high. Steps must be taken to comply with the NIS2 directives in order to protect not only their operations and organizational reputation but also the personal liability of leadership teams.
NIS2 and organizations outside of the EU
While NIS2 does not directly apply for organizations based outside of the EU, many companies operate within the EU, and are therefore still required to adhere to NIS2 standards in order to maintain the same level of security as other member states.
It is also likely that regulators will introduce similar requirements to NIS2 in an effort to counter global cybersecurity risks. For example, the UK government's proposal to enhance cyber resilience already indicates that many of the changes proposed will be similar to those in NIS2, such as expanding the regulatory scope and increasing reporting requirements.
Therefore, taking a proactive approach to cybersecurity will be essential for businesses to stay competitive and adequately safeguard against cyber threats.
How to comply with NIS2
Zivver Secure Email and Secure File Transfer integrate seamlessly with Outlook, M365 and Gmail to apply multi-factor authentication, zero-access encryption, and other security features to protect the confidentiality, integrity, and availability of communications.
Zivver supports organizations to take significant steps in complying with the NIS2 directive whilst improving the overall security of their operations. Through smart machine learning powered business rules, Zivver notifies users to the presence of sensitive data, potential misuse of Bcc/Cc and incorrect recipients, and enables users to encrypt messages with one click - or no click at all.
The value of Zivver goes beyond compliance with regulatory requirements. It can also help organisations improve efficiency by enabling secure and seamless communication and collaboration among employees, partners, and customers.
Time is ticking - start preparing for NIS2 now
The NIS2 Directive will require many larger European organisations to use secure communication platforms to protect their networks and information systems from cyber threats. Failure to comply may result in significant financial penalties and potential legal liabilities for executives.
NIS2 takes effect in October 2024. However, some member states will have translated the directives into national legislations and activated them before that.
To find out how Zivver can support your organization to meet data protection legislation, get in touch.
Last updated - 24/05/23