The main objective of the NIS 2 Directive is to increase the level of cyber resilience across the European Union by requiring all entities providing critical services to the economy and society at large to take appropriate cybersecurity measures.
The revised EU Directive on the Security of Network and Information Systems (NIS 2) will repeal and replace the existing NIS Directive.
The original NIS Directive, adopted in 2016, was the first pan-European cybersecurity law.
It is important to note that NIS 2 also addresses the shortcomings of the current NIS framework and responds to the changing cybersecurity threat landscape.
What will change in terms of third-party risk management with NIS 2?
The aim of the NIS 2 Directive is to be broader and more comprehensive. Looking specifically at third-party risk management, NIS 2 includes three key changes that you should consider:
1. Specific requirements for third-party risk management
NIS 2 emphasizes that organizations must proactively manage risks introduced by third parties. This includes all suppliers of products and services. The directive states that organizations must at least:
Assess and take into account the overall quality of the products and cybersecurity practices of their suppliers of goods and services, including their security procedures (Article 43)
Exercise due care when selecting security services from a managed service provider (Article 44)
Pay attention to cybersecurity risks arising from their interactions with other stakeholders (Article 45)
Participate in supplier risk assessments (Article 46)
2. Which organizations must comply with the requirements of the NIS 2 Directive?
The expanded scope includes more sectors, which are divided into “core” and “important” entities based on how critical they are to the economy and society. This includes organizations in the following sectors:
Energy (electricity, oil, gas, district heating)
Transport (air, rail, water and road)
Banking and financial market infrastructures
Healthcare (including laboratories and research on pharmaceuticals and medical devices)
Drinking water and wastewater (but only if this is a core activity)
Digital infrastructures (telecommunications, DNS, TLD, data centres, trust services, cloud services)
Digital services (search engines, online marketplaces, social networks)
Postal and courier services
Waste management
Chemicals (production and distribution)
Food (production, processing and distribution)
Manufacturing (in particular, but not limited to, medical, computer and transport equipment)
Public administrations
3. Non-compliance with the NIS 2 Directive is punishable by fines
Sector-specific supervisory authorities will be given the power to impose sanctions and fines on organizations that do not comply with the NIS 2 Directive. Administrative fines can be up to 7 million euros or 1.4% of annual worldwide turnover for important entities and up to 10 million euros or 2% of annual worldwide turnover for core entities.
How can NewData help you comply with the requirements of the NIS 2 Directive?
Our software modules are fully compliant with the requirements of the NIS 2 Directive. We can determine the level of compliance of your business and help you implement the necessary measures in response to the changes.
Working with NewData will improve your cybersecurity and ensure compliance with the NIS 2 Directive.
Source: https://cypro.bg/