NIS2 Is Now Law in the EU: Are You Ready to Comply?
Author: Sarah Kolberg
Dependency on digital infrastructure is increasing in almost every critical industry: healthcare, manufacturing, transportation, power transmission and distribution, etc. Because IT-OT convergence enlarges the attack surface, many of these industries are increasingly becoming targets of cyberattacks.
As a result, cybersecurity regulations are given more consideration in legislation. Intensifying cybercrime threats require an update to and redesign of the legal framework to meet current security requirements. To achieve comprehensive cyber resilience within the European Union (EU), for example, Europe is working on numerous directives that address the situation through regulation.
The EU’s first Network and Information Security Directive (NIS1) took effect in 2016; NIS2 extended the minimum requirements for network and information security of the first NIS Directive in 2023. On Oct. 17, 2024, NIS2 reached its full enforcement deadline, meaning that it now must be transposed into national law in EU member states.
The NIS2 Directive contains the key risk mitigation measures that organizations in critical sectors need to consider so they can survive in the evolving threat landscape. It aims to strengthen the cyber resilience of companies within the EU and create a standardized level of cybersecurity.
The Scope of NIS2
The scope of NIS2 is significantly bigger than that of NIS1: approximately 10 times more companies, from a total of 18 sectors, must implement the measures compared with the previous NIS Directive.
Smaller companies (fewer than 50 employees) are also now subject to NIS2. The requirements obviously apply to companies in EU member states, but they also apply to supplier companies that work with EU businesses. NIS2 sets a new standard in network and information security with international implications.
EU companies that fail to implement these risk management measures will face GDPR-level fines:
The Biggest Challenge of Implementing NIS2
Besides other obligations, the risk management measures in NIS2 Article 21 for companies within critical sectors are the core content of the new edition of the NIS Directive.
The main challenge is this: the obligations arising from NIS2 are not specific enough to directly derive implementation strategies, architectures or the selection of suitable technologies. Neither the NIS2 Directive nor the national implementations of the EU member states are sufficient to define suitable cybersecurity solutions.
Risk Management Measures from NIS2 Directive Article 21
Below are the risk management measures listed as part of the NIS2 Directive:
Companies must work together with their manufacturers and suppliers to implement these requirements.
How Belden Can Help with NIS2
Belden can help you find your way through NIS2 and comply with its requirements. We work with companies to develop customized solutions for their environments. For example, a good first step on your journey to compliance can be Belden’s Network Assessment Service.
In our whitepaper, you’ll find a comprehensive overview of the European cybersecurity standard and all the obligations of NIS2, along with an explanation of how Belden and its solutions can help you fulfill requirements.
In addition, our experts explain everything you need to know about the NIS2 Directive in a webinar.
Ready to take the first step to enhance your network infrastructure?