“The State can whack your fingers, now.” – Senior Security Advisor Thomas on NIS2

The new Network and Information Systems EU directive, also known as NIS2, is under way. It is expected to be adopted into Danish law by the end of 2022, from which point the affected sectors and companies will have 21 months to comply with it. The initial NIS came into being in 2018. The intention: strengthen the protection of a country’s most crucial companies – like the infrastructure or energy sectors, among others. NIS2 has the same goal but requires more sectors to join in on the festivities.

Long story short: We think NIS2 is great! Come on, who does not like a good party.

1 Who is affected now?

More sectors have been included than in the 2018 version of the directive. The original focus was on overtly critical infrastructure like the healthcare sector, water supply and digital infrastructure.

Sectors covered by the NIS Directive: Healthcare, Digital Infrastructure, Transport, Water supply, Digital Service Providers, Banking and financial market infrastructure, Energy
Image Credit: © European Union, 2020 (doi:10.2759/0630)

NIS2, on the other hand, expands on this list with a roster of related industries, which are now included in the scope of the directive.

Sectors covered by the NIS2 Directive: Providers of public electronic communications networks or services, waste water and water management, manufacturing of certain critical products (such as pharmaceuticals, medical devices, chemicals), food, digital services such as social networking service platforms and data centre services, space, postal and courier services, public administration
Image Credit: © European Union, 2020 (doi:10.2759/0630)

Another notable change is this: Before, EU countries could decide themselves which companies and organizations were deemed critical enough to be required to follow NIS. NIS2 still gives countries the freedom to define who should follow NIS2 – to an extent. Now, if an organization is part of one of these industries and has a certain size, by number of employees and yearly revenue, it is automatically required to abide by the NIS2 directive. And even if an organization is smaller in size, it may still be required to follow NIS2 if the Danish authorities decide that it is critical.

2 What is NIS2 about, then?

In somewhat technical terms, NIS2 outlines minimum requirements that companies must put in place to strengthen their cyber security – or risk a fine.

For example, companies must demonstrate a risk-based approach to cyber security. They need to have security policies for their information systems in place and establish incident and crisis management capabilities, including reporting. They must also show a strong focus on the value chain of their sub-contractors – especially in areas like data storage, processing and security services – to ensure that these do not become a weak link and put critical deliveries at risk. Also, under NIS2, top management of companies must take more direct responsibility for cyber security – which we think is long overdue and are excited to see develop in practice.

Lastly, the scope for authorities to audit companies will be expanded. It will be possible to be fined or otherwise administratively sanctioned for not living up to the NIS2 obligations. So basically: If you do not do ‘cyber security’ well enough, the state can whack your fingers from 2023 onwards.

NIS2 might hit companies who have some catching up to do on the cyber security and risk management side. But if we are honest, cyber-attacks can hurt quite a bit too. We believe that putting an initiative like NIS2 into law is a long overdue and necessary step that will help kickstart fundamental cyber security efforts across many organizations, which will ultimately benefit us all as citizens in the EU.

Comparison between the capabilities of NIS and NIS2, in three dimensions: Greater capabilities, Cooperation and Cybersecurity risk management.
Image Credit: © European Union, 2020 (doi:10.2759/0630)

3 Now what?

Companies should always ensure that they have a sufficient level of cyber security, NIS2 or not. However, with the upcoming focus on NIS2, many companies will need to make sure that they are on top of their cyber security situation.

We know that it is very tempting to decide that NIS2 will not be relevant for your organization. In fact, we already see this among our customers who, by the new standards, might easily fall within the NIS2 criteria. If you suspect that NIS2 might become relevant for you, we suggest that you:

  • Stay informed about how the NIS2 directive is being implemented into Danish law.
  • Find out how your company might concretely be impacted.
  • Plan and prioritize your efforts before you rush into a NIS2 initiative.
  • Don’t panic.
  • Call or email us for a coffee if you need a friend to talk about NIS2 with.
