DriveLock Blog | IT Security and Cyber Security

What you can expect from NIS2

Written by DriveLock | Jan 3, 2024 9:15:38 AM

Do you have more than 50 employees or more than 10 million euros in turnover? Or are you classified as a critical organization by the government? Then you probably know that NIS2 is coming your way.  

TABLE OF CONTENTS
  1. WHAT IS THE NIS2 DIRECTIVE?
  2. WHO IS AFFECTED BY NIS2?
  3. REPORTING OBLIGATIONS IN THE EVENT OF SECURITY INCIDENTS
  4. SUCCESSFULLY IMPLEMENTING SAFETY MEASURES WITH DRIVELOCK

 

What is the NIS2 Directive?


The NIS2 Directive extends and builds upon the prior EU cybersecurity directive, NIS. Put forth by the European Commission, its purpose is to address and rectify the shortcomings identified in the original NIS directive.

The primary objective of NIS2 is to bolster the security of network and information systems across the European Union. It achieves this goal by mandating that operators of critical infrastructure and essential services adopt suitable security measures and promptly report any incidents to the appropriate authorities.

Who is affected by NIS2?


The growing threat from cyberspace, together with geopolitical developments, is increasing the risk of critical infrastructure facilities being compromised by cyberattacks. That sounds like a challenging task.

The NIS2 Directive (EU) 2022/2555 therefore came into force on 13 January 2023.

The aim of this directive is to achieve a high, standardized level of cybersecurity, particularly for critical facilities, service providers and authorities in the EU. Member states are required to transpose the requirements into national law by October 2024.

A total of 18 sectors are affected, and with them a significantly expanded target group: companies with at least 50 employees and a minimum annual turnover of 10 million euros. National legislators can name additional specific entities that they categorize as "essential" or "important" and that should be regulated as such.

| High criticality sectors | Other critical sectors |
| --- | --- |
| Energy | Post and courier services |
| Transport | Waste management |
| Banking | Production, processing and distribution of food |
| Financial market infrastructure | Manufacturing/Production of goods |
| Health sector | Digital service provider |
| Potable water | Research |
| Sewage | |
| Digital infrastructure | |
| Management of ICT services (B2B) | |
| Public administration | |
| Space | |


Reporting obligations in the event of security incidents


In addition to expanding the sectors of affected companies, NIS2 sets out specific requirements for the implementation of a minimum consensus on risk management measures, increased management responsibility combined with time-defined reporting deadlines and sanctions in the event of violations.

NIS2 emphasizes the responsibility of management. Legislators are serious about cyber security and are introducing stricter penalties for breaches. Companies must comply with three-stage reporting obligations in the event of serious security incidents (line 462ff. §31 reporting obligations), which apply in the event of operational disruptions or financial losses.

Late submissions can lead to penalties. It is therefore advisable to establish a reporting concept. This ensures that, in the event of a security incident, companies know which authorities need to be notified in order to meet the tight deadlines.  

The aim of the NIS2 risk measures is to prevent security incidents or minimise their impact.

To this end, institutions must take appropriate technical, operational and organizational measures to control and minimise the risks to their network and information systems.

Overall, comprehensive security controls help to ensure the integrity, availability and confidentiality of systems and data. DriveLock solutions and their combination of prevention, detection and response mechanisms form a robust line of defence against a wide range of cyber threats.

Successfully implementing safety measures with DriveLock


Organizations and companies that address the following security measures are best prepared for a successful NIS2 transformation:

 

| Security Control | DriveLock Module |
| --- | --- |
| Inventory | Discovery; Hardware & Software Inventory |
| Media Protection | Device Control |
| Malware Defense | Application Control; Defender Antivirus |
| Secure Configuration | Security Configuration Management |
| Data Protection | Encryption; BitLocker Management |
| Security Awareness | Security Awareness Campaigns |
| Vulnerability Management | Vulnerability Management |
| Privilege Control | User & Groups Management / SSO |
| Incident Response | Threat Detection & Response; MITRE ATT&CK® 5 Framework |

 


DriveLock helps you avoid cyberattacks and security incidents right from the start. Our technology helps to prevent security breaches, recognise potential threats early and take effective security measures before they become problems. Focus on proactivity and prevention instead of reactive measures.

Protect your end devices in just a few minutes at the touch of a button. Does DriveLock meet your requirements? Test our solutions easily and free of charge for 30 days.