Artikkeli

The NIS 2 Directive

Are you ready to raise your level of cybersecurity?

What is the NIS 2 Directive about?

NIS 2 is an EU directive which aims to achieve a high common level of cybersecurity across EU Member States by setting the baseline for cybersecurity risk management measures and reporting obligations across all important and essential sectors. In addition, it aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures. Organisations in the scope of NIS 2 should start preparations early as some of the key requirements may take time to implement.
EU Member States must adopt and publish the necessary measures in order to comply with the NIS 2 Directive by 17 October 2024.

What sectors does the NIS 2 Directive apply to?

The directive applies to the organisations that fall within the sectors listed below and have a minimum of 50 employees and/or at least an annual turnover (and/or an annual balance sheet total) of EUR 10 million. However, there are some specific cases in which the size of the organisation is irrelevant. Also, if the organisation falls under the CER Directive, then NIS 2 automatically applies to the organisation. The entities that fall within the directive’s scope are divided into the following two categories:

Critical Sectors: Entities related to financial market Infrastructures, water supply, energy, digital infrastructure, transport (air, rail, water, road), health, public administration, space, drinking and wastewater, banking and ICT-service management (managed service providers and managed security service providers).
Other Critical Sectors Entities related to postal and courier services, waste management, chemicals, food, the manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers, semi-trailers and other transport equipment, digital providers and research organisations.

Organisations that fall within the scope of the NIS 2 Directive will be at least regarded as important entities. As a general rule, organizations with at least 250 employees or an annual turnover exceeding EUR 50 million and a balance sheet total exceeding EUR 43 million are considered to be essential entities. Essential entities will face stricter supervision and enforcement than important entities.

The key requirements of the NIS 2 Directive

Risk ownership: Management must have a crucial and active role in ensuring compliancy with risk management obligations. Management must also follow training to gain sufficient knowledge and skills to perform their responsibilities.
Supply chain security: Entities must perform due diligence in regard to their supply chain. As part of this measure, your organisation must address the security-related aspects of its relationship with its suppliers or service providers. This includes the task of identifying vulnerabilities related to each of the suppliers and service providers. Another aspect to investigate is their quality of products and cybersecurity practices, such as having secure development procedures.
Incident reporting: Entities must submit an initial notification within 24 hours after the occurrence of significant incidents, threats and near misses.
Compliance: If required by Member States, essential and important entities must use particular ICT products, ICT services and ICT processes. In situations of non-compliance, competent authorities may impose administrative fines up to EUR 10 million or 2% of the global annual turnover of the company.

Steps to take in order to fulfil the requirements

The first step is to understand where your organisation currently stands. Then, your organisation can move on to prepare to fulfil the regulatory needs. The organisations that fall within NIS 2’s scope should prepare for the directive immediately, and Deloitte can help your organisation to address the regulatory needs in an integral manner. Our approach is to utilise the existing capabilities within your organisation as the basis for working towards NIS 2 compliance. We can help you to identify the action points that are necessary in order to help your organisation take the first steps towards compliance.

An example approach includes the following steps:

Health check: Gain a high-level overview of your organisation’s key attention points for NIS 2.
Readiness assessment: Identify the next steps and the roadmap for your organisation.
Implement security capabilities: Implement incident responses, third-party risk management and training according to the needs of the organisation and the requirements of the Directive.

We at Deloitte, are happy to discuss more and provide further information on this matter.

Contact us!

Kari Mikkola

Cyber & Strategic Risk

kari.mikkola@deloitte.fi

+358 (0)40 823 8369

Kari vastaa Suomessa Deloitten kyberturvallisuuden johtamiseen ja riskienhallintaan sekä niiden kehittämiseen liittyvistä palveluista. Hänellä on yli 20 vuoden monipuolinen kokemus kyberturvallisuuden... Lisää

Anu Laitila

Cyber Risk

anu.laitila@deloitte.fi

+358 40 845 5021

Anu työskentelee Deloitten riskienhallintayksikössä ja vastaa liiketoiminnan jatkuvuuteen, kyberharjoituksiin ja turvallisuuskulttuurin rakentamiseen liittyvistä palveluista Suomessa. Hänellä on kokem... Lisää

Audit & Assurance

Consulting

Risk Advisory

Yritysjärjestelyt

Legal

Veropalvelut

Deloitte Private

Kuluttajatuotteet

Teollisuus ja energia

Finanssitoimiala

Julkinen sektori

Terveydenhuolto

Kokeneet asiantuntijat

Opiskelijat ja vastavalmistuneet

Elämää Deloittella

Avoimet työpaikat

Mergers and Acquisitions

Cyber

SAP S/4HANA

Digital Transformation

Technology Fast 50

CFO Programme

Board Program

About Us

Sustainability & Climate