The NIS2 directive aims to ensure that all organizations that fulfil an important function in society have a high level of cybersecurity. This means that companies in the affected sectors must comply with the new NIS2 directive, which entails stricter requirements for cybersecurity.
In order to fulfil NIS2, working systematically with cybersecurity and having the required work methods and tools is imperative. We at Taipuva have extensive experience in setting up required and efficient processes for managing cybersecurity. Our focus is to support product and software development, ensuring product security from the ground up. We are happy to help you implement solutions to manage the complexity that comes with NIS2.
Which sectors are covered by NIS2?
In the current NIS directive, there are seven affected sectors: energy, transport, banking, financial market infrastructure, health, water supply, and digital infrastructure. NIS2 adds new sectors to these: manufacturing of pharmaceutical products and critical medical devices, public administration, and space and aeronautics.
Key sectors that will also be affected are postal and courier services, waste management, the chemical industry, food, manufacturing of other types of medical devices, computers and electronics, machinery, motor vehicles, and digital suppliers.
More rigorous cybersecurity requirements
Every business affected will need well-organised incident management, a structured approach to risk management, and a cybersecurity officer in the management team. This means that working systematically and in a structured way with information security is a necessity.
The NIS2 directive was created for organisations to maintain a high level of security; therefore, NIS2 will require organisations to meet strict requirements for:
- Completing risk assessments and having adequate IT security policies in place
- Appropriately detecting, preventing, and reacting to IT security incidents
- Crisis management and operational continuity in the event of a major cyber incident
- Ensuring the security of supply chains, including providers of data processing and storage services
- Ensuring the security of networks and information systems, from procurement to maintenance
- Guidelines for assessing the effectiveness of cybersecurity risk management practices
- Use of cryptography and encryption
When will NIS2 come into effect?
The directive was adopted by the European Parliament on 10th November 2022 and is now awaiting final approval by the EU Council. Subsequently, member states will have 21 months to implement the directive in their legislation. This means NIS2 will likely come into force as national laws in autumn 2024. If you operate in the affected sectors, it is time to start preparing to meet the requirements of a high level of security.
What happens if NIS2 is not followed?
Non-compliance with NIS2 can lead to hefty fines. The size of the fine depends on the size of the organisation; for example, a company that violates any of the provisions of NIS2 can be fined 10 million euros, or 2 percent of the organisation’s total annual gross revenue. In addition, people within the organisation’s management can be held personally liable for the violation.
How can I prepare?
To fulfil the EU directive NIS2, effective processes and tools are needed to manage, comply with, and work systematically on all the requirements and regulatory frameworks that exist within each sector. We at Taipuva would be happy to help you comply with all the requirements and rules that come with NIS2. We can, for example, help you implement TARA (Threat Assessment and Risk Analysis), a method that allows organisations to identify and assess cyber vulnerabilities quickly and take the necessary action to mitigate them. This is best done with the help of the Siemens Polarion tool. Taipuva provides the knowledge needed to structure cybersecurity work, easing the complexity that comes with the various process demands and implementing effective risk and requirements management.
Cybersecurity in product development
Cybersecurity legislation affects many industries. Ola Larses, Lead Consultant at Taipuva, spoke during Polarion Days about how important it is to understand risks by anticipating scenarios in order to protect product safety. TARA (threat analysis and risk assessment) is a tool for this, and a key factor when analysing the risks of cyberattacks.
Siemens Polarion® ALM – take control
Get a holistic view, traceability and transparency for all product development and project management information. Everyone is aligned around what is being built while protecting integrity and compliance.
Let us help you!
Contact us and get a free consultation