
NIS2: Key changes in cyber security
The EU with its 27 member states is currently the global leader in digital security, i.e., the protection of digital structures and systems against hostile attacks. An increasing number of IT incidents are taking place, threatening society's essential and important operations. Such incidents may entirely disable IT systems, distort built-in functions without the knowledge of the system owners, or might otherwise seriously disrupt normal operations.
Consequently, the EU must protect the Common Market, which is increasingly dependent on a high level of digital maturity. Implementing NIS2 and a series of other directives increases the member states' capability to resist cyber threats.
Sectors that are marked by a high degree of automation and digitization, particularly operational technology (OT) in the manufacturing industry, will be greatly affected by the NIS2 directive. Companies must start taking cyber security hygiene requirements into account throughout all product and service life cycles.
Companies must implement many new routines and processes to maintain a high level of security. AFRY has extensive experience with implementing a management system for systematic security procedures and can support all parts of the organizational change process.
How to prepare your business according to NIS2
- Does NIS2 apply to your business? Assess according to the directive's entity rules
- Identify and analyse cyber security threats and vulnerabilities
- Map your business, supply chain and collaboration with others
- Design a strategy to address discovered vulnerabilities and create a cyber hygiene management system
- Train everyone in the business - create a culture of security
The NIS2 directive expands a list of industries and public services already cataloged in the first NIS directive appendices. These industries and services are divided into two classes - essential and important entities. The two classes demand essentially the same kind of cyber security, but they differ when it comes to supervision and sanctions. For important entities, any supervision must be justified in advance by an incident, suspicion of incident, deficiency, or non-conformity. For essential entities, however, regulators may conduct proactive unannounced ad-hoc inspections, regardless of any previous incidents or suspicions. Regulators also have a range of sanctions at their disposal.
The NIS2 Directive expands supervision
National cyber incident reporting to the European Commission and to the EU Cyber Security Agency ENISA will become more extensive after NIS2 than it was before. Supervisory possibilities will also be expanded. Supervision of the essential entities will, according to the NIS2, be proactive, which means that the supervisory authority can carry out supervisory inspections without any previous incident report or any suspicion of deviations. Supervision of important entities will be more reactive and will be based on a reason determined prior to inspection.
Overview of sectors covered by NIS2 (legend of the page's overview graphic):
- New functions of societal importance that are covered by NIS2
- Functions of societal importance that are already covered by NIS1 and now by NIS2
- Functions that are critical (Essential Entities)
- Important Entities

Sectors listed in the overview:
- Energy (district heating, cooling, electricity, oil, gas, hydrogen)
- Gas, incl. biogas and hydrogen
- Transport (air, rail, shipping, roads)
- Banking and financial market infrastructure (payment services, etc.)
- Drinking water and sewage
- Drainage
- Waste management
- Digital infrastructure
- Community administration (public administration)
- Space services
- Mail and courier handling
- Food production and distribution
- Medical equipment
- Health care, incl. lab and research
- Chemicals
- MSP and MSSP
- Digital marketplaces
- Search engines
- Social networks (digital)
