The Network and Information Security Directive (NIS2) will be in full force in all EU states by October 2024

Are you READY?

Contact Cristie to discuss your NIS2 Cybersecurity objectives
Discover how the NIS2 Directive, set to be enforced across all EU states by October 2024, affects your organization’s cybersecurity responsibilities, from sector-specific obligations to reporting standards and compliance monitoring.

What is the NIS2 directive?

The Network and Information Security Directive (EU) 2022/2555, commonly known as NIS2, is the most recent version of the Network and Information Security Directive, succeeding the initial Directive (EU) 2016/1148. It is a European Union (EU) directive aimed at boosting cybersecurity within the region. The purpose of the Directive is to make the EU’s cyber infrastructure more resilient and safer while also assisting enterprises in defending themselves against online attacks.

When does NIS2 come into full force?

NIS2 came into effect on January 16, 2023, with all EU member states having until October 17, 2024, to incorporate the directive’s provisions into their respective local legislation.

How can Cristie Data help you with NIS2?

With over 5 decades of experience, we are uniquely positioned to help you with any data and cybersecurity issues you have regarding the NIS2 directive or its implementation.
Our possible engagements in the field of NIS2 include:
  • Provision of data and cybersecurity solutions that contribute to compliance, underpinned by class-leading cybersecurity vendors.
  • Outsourced Security Operations Center (SOC) solutions.
  • Guaranteed EU/German data sovereignty for backup and archive operations.
  • Comprehensive data and cybersecurity solutions including professional services and support, delivered through a true OPEX Pay-per-Use model within the Cristie READY initiative.
  • Interactive cybersecurity sessions such as workshops in conjunction with our technology partners.
  • Our data and cybersecurity specialists are always available to answer your questions.

Will NIS2 apply to your organization?

The NIS2 Directive has a broader scope than its predecessor. While the NIS Directive specifically identified sectors like Healthcare, Transport, Banking, Financial Market Infrastructure, Digital Infrastructure, Water Supply, Energy, and Digital Service Providers, allowing Member States to define which organizations were considered essential, the NIS2 Directive introduces standardized regulations for medium and large organizations operating in critical sectors.
These critical sectors include energy, transport, health, and digital infrastructure. Furthermore, the scope now encompasses ‘very critical sectors’ such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT (B2B) management, government, space, as well as ‘critical sectors’ such as postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. As a result, all medium and large enterprises within these sectors will be subject to this legislation.

Does your organization operate in one of the industry sectors designated “critical” or “very critical”?

The method of enforcement varies based on the classification of an organization. The NIS2 Directive introduces two categories for organizations: essential and important. This categorization is determined by whether the organization operates within a critical or very critical sector, as well as the company’s size.
Very critical:
  • Energy
  • Transport
  • Banking
  • Financial markets infrastructure
  • Health Care
  • Drinking Water
  • Wastewater
  • Digital Infrastructure
  • ICT services (B2B)
  • Government
  • Space Travel

Critical:
  • Postal & courier services
  • Waste Management
  • Manufacture & distribution of chemicals
  • Production & distribution of food
  • Manufacture
  • Digital Providers
  • Research

Does your organization fit into the size definitions of “Medium-sized” or “Large” within the NIS2 directives?

Large companies are categorized by the following characteristics: More than 250 staff and a minimum yearly turnover of 50 million euros (or a balance sheet total of 43 million euros). Medium-sized companies fall within the following parameters: Between 50 and 250 staff and an annual turnover not exceeding 50 million euros (or a balance sheet total not exceeding 43 million euros). There are a few exceptions to the rule, where organizations of any size can be recognized as critical, including qualified trust service providers, top-level domain name registries, and DNS service providers.
The NIS2 Directive does not specifically address small and micro-enterprises characterized by fewer than 50 employees and an annual turnover below 7 million euros (or a balance sheet total less than 5 million euros). However, in cases where these enterprises play a significant role in society, the economy, specific sectors, or services, Member States are obligated to ensure their inclusion under this directive.

What are the obligations and implications of NIS2 for your organization?

NIS2 mandates that specific sectors implement heightened cybersecurity standards, while important and essential organizations must engage in actions to control security risks. This includes responsibilities such as conducting backups, conducting risk assessments, and the mandatory reporting of incidents that have a substantial impact on services. To maintain efficiency and reduce administrative complexities, an organization’s leadership is accountable for ensuring compliance with the regulations outlined in the NIS2 Directive.

What will be expected of organizations that fall under NIS2 with respect to Duty of Care and Reporting?

Every organization categorized under NIS2, whether it is deemed essential or important, is obligated to adhere to its duty of care. The Directive includes a catalogue of required measures that service providers must meet as a minimum standard. These measures encompass areas such as:
  • Formulating policies related to risk analysis and information system security.
  • Focusing on crisis management and the continuity of operations in the event of a significant cyber incident.
  • Ensuring the security of the supply chain.
  • Exercising due care to guarantee the security of network and information systems.
  • Employing cryptography and encryption.
  • Establishing policies and procedures for evaluating the effectiveness of risk management measures.

How will NIS2 compliance be monitored?

The primary distinction between essential and important entities lies in the approach to rule compliance monitoring. Essential entities, primarily those operating within critical sectors, will undergo proactive oversight. This entails ongoing active monitoring to ensure compliance with the legislation. In the case of important entities, monitoring occurs after an incident is suspected. If, following an incident, it becomes evident that the organization has not taken the necessary actions, these entities may also face potential repercussions for non-compliance with the legislation.

What are the NIS2 reporting obligations during and following an incident?

The NIS2 directive outlines a ‘three-stage approach’ for incident reporting. The ‘early warning’ phase, which must be completed within 24 hours, is designed to swiftly contain potential incident spread and enable entities to seek assistance. The ‘incident notification’ stage, which must be carried out within 72 hours, entails providing an initial assessment of the significant incident, including details about its severity, impact, and signs of compromise. The final report, to be submitted after one month, must ensure that lessons can be learnt from prior incidents. This approach is structured to progressively enhance the resilience of individual entities and entire sectors against cyber threats. In addition to the obligation to issue an early warning, the emphasis in the incident notification phase lies in incident management.

Contact Info

Nordring 53-55, 63843 Niedernberg,
An der Burg 6, 33154 Salzkotten,
Germany
