Currently, EU Member States are drafting their national legislation reflecting NIS2 and it is expected these legal texts shall come into force by the end of 2024. It is time to get familiar with NIS2 and start preparing. Are you ready?
The Network and Information System Directive 2 (NIS2) is a European directive setting out rules and requirements for cyber security and ICT systems and networks. It has been in force since the beginning of 2023 as a follow-up to the NIS directive, improving the existing cyber security status across the EU via harmonization of security requirements and reporting obligations; introduction of new areas of interest, such as supply chain, vulnerability management, and cyber hygiene; and enhancement of collaboration and knowledge-sharing amongst the EU Member States. Thus, alongside the DORA (Digital Operational Resilience Act) regulation and the CER directive, NIS2 is another European Union legislative instrument aimed at enhancing the digital operational resilience and cyber security of all relevant actors operating in the EU.
The final form of NIS2 was published in the Official Journal of the EU on 27 December 2022 in all official languages. Since it is a directive, individual Member States are responsible for its transposition into their laws. The deadline for Member States to do so is 17 October 2024.
Although this deadline may not be met, it is crucial to start the compliance journey as soon as possible, keeping in mind that compliance processes, including security assessments, auditing, consulting, and tool implementations, take several months and are rather demanding.
The new rules formulated in the directive apply to regulated service providers that operate in the EU, not only to those based in the EU. NIS2 distinguishes between two entity categories: Essential entities operating in sectors such as public administration, digital infrastructure, energy, finance, and transport; and Important entities providing services in areas such as waste management, research, and manufacturing. In total, there are more than 18 sectors impacted by NIS2, as it adds additional rules and obligations for businesses in four primary areas, including risk management, corporate accountability, business continuity, and reporting.
Entities to which NIS2 applies will be required to implement measures to address specific forms of cyberthreats and minimize their impact; to ensure the management body oversees, approves, and is properly trained in the area of cybersecurity; to set up processes for reporting security incidents with significant impact on service provision or recipients; and to develop comprehensive business continuity plans preparing the given entity for major cyber incidents.
Deloitte NIS2 Assessment
We offer both legal and consulting services related to NIS2, aiming to prepare all relevant entities for the requirements that they must fulfill. Apart from legal impact analyses and legal advisory services provided to our clients, we assist with the identification of gaps and alignment of the business processes, organizational structure, staffing and technology base with the requirements outlined by the directive.
The very first step to compliance lies in a comprehensive assessment, displaying weak points and areas of improvement. We use our own proven tools in such analyses, which enable us to effectively identify gaps and prioritize individual steps leading to compliance. Our NIS2 Maturity Assessment Tool is developed based on all key aspects of NIS2, providing a detailed overview of the current state at your organization. The resulting analysis includes an overview of identified deficiencies and recommendations on what remediation activities should be implemented to achieve a higher level of maturity.
Test your organization
If you are interested in seeing how your organization stands in the context of preparedness for NIS2, take a short pre-assessment test using the simplified version of the NIS2 Maturity Assessment Tool.
Our team of professionals will analyze your response and get back to you with a high-level overview of strengths and weaknesses, indicating your organization's overall level of maturity, with the aim of helping you gain clarity on the NIS2-related gaps and develop tailored strategies to address them.
In case you would like to know more about our NIS2-related services, please do not hesitate to visit our website dedicated to NIS2 or contact us directly.