NIS2: a new era of cyber security – are you compliance confident?

08 January 2024 | Transformation

Alexander Rumler | Annika Nitschke

Article


The Network and Information Systems Directive 2 (NIS2) sets new standards for EU companies, mandating stringent cyber-security measures. It compels firms to bolster their defences, report incidents promptly and collaborate on threat intelligence. By prioritising resilience and continuity planning, businesses can mitigate risks and minimise disruptions. Embracing NIS2 is not simply about following regulations; it is also about fortifying businesses against evolving cyber threats for a more secure digital future.

From a legal standpoint, it is mandatory for companies to adhere to NIS2 standards, with non-compliance leading to significant penalties, including top-level managers being held liable for violations of the directive. Therefore, management must prioritise compliance, ensuring that robust cyber-security measures are not just in place but are actively maintained and updated to mitigate risks effectively.

Impact on business – what obligations does your company face?

The NIS2 requirements will bring new standards that companies must adhere to. It is important to understand how these changes will impact business. 

  • Increased security standards: NIS2 compels companies to implement robust security measures. This includes practices such as risk management, incident response plans and the reporting of security incidents.
  • Enhanced collaboration: The directive encourages collaboration between EU member states and essential services operators. Companies must work closely with national authorities to ensure a coordinated approach to cyber security.
  • Penalties for non-compliance: NIS2 stipulates that companies failing to meet security requirements may face sanctions. This could result in significant financial implications and reputational damage.
  • Technological innovation: To meet security requirements, companies are likely to invest more in innovative technologies such as AI-driven security solutions.

Overall, NIS2 aims to strengthen the digital resilience of businesses, as well as critical infrastructures, in Europe. Companies should take proactive measures to meet the directive’s requirements and protect themselves against increasing threats in the digital realm. 

Figure 1: The NIS2 directive introduces new requirements and obligations for organisations to implement baseline security measures in various focus areas

Is your company affected by the directive?

NIS2 represents a critical step forward in addressing the evolving cyber threats faced by organisations within the EU. Its key focus lies in ensuring the resilience of essential services and digital infrastructures, covering a broad spectrum of sectors such as energy, healthcare, finance, transportation and digital service providers. 

NIS2 sets uniform standards for cyber security within the EU with uniform threshold values. A company is classified as an ‘essential’ or ‘important’ entity based on the size of the company, its market share and its operating sector. This categorisation determines how and to what extent the requirements of the new directive are to be implemented.

Figure 2: Definition of NIS2 company categories based on size, market share and industry sector

Our approach – how can we support you?

Our approach is highly interactive and tailored to your individual needs, and involves a detailed understanding of the implications of NIS2. 

We begin by identifying the extent to which you are impacted by the NIS2 directive and by evaluating your readiness to meet its requirements. We collaborate with you to determine your organisation’s category under NIS2, forming the basis for the assessment framework. This interactive process includes a multi-week preparation phase in which impacted areas are appraised before a formal on-site assessment, ensuring that all relevant areas receive a comprehensive evaluation.

Post-assessment, you will receive a final report detailing your degree of fulfilment of the requirements, as well as our tailored recommendations for closing any compliance gaps. This customer-centric approach can be adapted to reflect previous assessments and the agreed scope of the assessment.

Figure 3: Analysys Mason’s approach to assessing a company’s NIS2 readiness

Authors

Alexander Rumler

Manager, expert in tech-enabled transformation

Annika Nitschke

Consultant, expert in cyber security