Network and Information Security Directive v2 (NIS2)
The objective of the revised Network and Information Security Directive v2 (NIS2) is to achieve a high level of network and information system security within the EU through the following means:
Improved cybersecurity capabilities at national level
What will member states do to increase their national cybersecurity capabilities? Each member state will adopt a national strategy for the security of network and information systems, which will define the strategic objectives and appropriate policy and regulatory measures.
Increased EU-level cooperation
How will member states cooperate? The NIS2 Directive will establish a ‘cooperation group’ to support and facilitate strategic cooperation and the exchange of information among member states, and to develop trust and confidence. It will also establish a network of national cybersecurity incident response teams (CSIRTs) to promote swift and effective operational cooperation between member states.
Risk management and incident reporting obligations for operators of essential services and digital service providers
What are “operators of essential services” and what will they be required to do? Operators of essential services are private businesses or public entities with an important role for society and the economy. Under the NIS2 Directive, identified operators of essential services will have to take appropriate security measures and notify the relevant national authority of all serious incidents. Security measures include:
Preventing risks: technical and organisational measures that are appropriate and proportionate to the risk.
Ensuring the security of network and information systems: the measures should ensure a level of network and information system security appropriate to the risks.
Handling incidents: the measures should prevent and minimise the impact of incidents on the IT systems used to provide the services.
There are actions that an organisation can take to prepare for NIS2, including:
Centralise cybersecurity governance
To prepare for the NIS2 Directive, a single, centralised governance structure should be established for your firm’s security. This will enable quick responses to compliance requests. Defined ownership of security controls is also important in understanding governance.
Perform a security health check
A cybersecurity health check will provide an up-to-date picture of where your organisation stands. An audit can be the first step on the road to compliance, highlighting potential gaps and creating plans to remediate them.
Contact your security partners
Contact your trusted cybersecurity advisers for the most up-to-date advice and guidance. Also, leverage what you already have by integrating the NIS2 Directive with existing compliance efforts or initiatives. And finally, build IT and cybersecurity international standards and frameworks into your regulatory compliance framework for easy implementation, testing and monitoring, and to ensure that maximum benefit is derived from existing IT and cybersecurity control programmes.
The NIS2 Directive will affect organisations designated as operators of essential services and digital service providers within the European Union. As a result, it will directly impact the cybersecurity space in Ireland. Now is the time to prepare, before the end of the implementation period.