As cyber threats become more complex and frequent, the European Union is taking important measures to strengthen the continent's digital defenses. Since October 17, 2024, the new NIS-2 Directive has been in force, which provides for stricter regulations to strengthen cybersecurity in a wide range of industries.
Building on the original NIS Directive (Network and Information Security Directive), which was introduced in 2016, NIS-2 closes the gaps identified in its predecessor and extends its scope to more sectors by introducing stricter rules and increased cooperation between EU Member States. Here's what companies need to know about this new regulation and how it affects different sectors.
The most important changes to NIS-2
NIS-2 aims to improve the cybersecurity framework across the EU through four main changes:
- Expanded scope: The new regulations apply to more industries and organizations.
- Improved risk management: Companies must take more comprehensive cybersecurity measures and be more transparent when reporting incidents.
- Introduction of stricter penalties: Companies that do not comply with the regulations will be subject to harmonized penalties in all member states.
- Promoting cooperation: NIS-2 promotes better information sharing and cooperation between the public and private sectors and between EU Member States.
Industries affected by NIS-2
NIS-2 significantly expands the range of sectors and services that must implement enhanced cybersecurity measures. Some of the most important sectors affected are listed below:
- Energy: The energy sector, which includes electricity, oil, gas and renewable energy companies, is critical to the functioning of a modern society. Under NIS-2, energy companies must strengthen their cybersecurity protocols to protect their systems from disruptions caused by cyberattacks. This includes increased monitoring of systems and risk management in supply chains, as attacks on power grids, pipelines or oil refineries can have far-reaching effects.
- Healthcare: The healthcare sector has increasingly become a prime target for cybercriminals as sensitive patient data and critical medical services are at risk. Hospitals, healthcare providers, medical device manufacturers and even pharmaceutical companies must now comply with stricter cybersecurity measures under NIS-2. This means that critical systems must be secured and patient data protected, especially as healthcare providers increasingly rely on digital records and telemedicine services.
- Transportation: NIS-2 also includes the transportation sector, i.e. air, rail, sea and road networks, under its umbrella. Disruptions to transportation services can have a cascading effect on supply chains and key services. Therefore, companies operating in this sector are expected to invest in stronger cybersecurity measures to prevent attacks that could disrupt the flow of goods and people.
- Financial services: The financial services sector, which includes banks, insurers and payment service providers, is already subject to strict financial regulations, but NIS-2 will bring further cyber security obligations. This sector has long been a valuable target for cybercriminals, and NIS-2 places additional emphasis on protecting critical financial infrastructure and preventing fraud, theft or other disruptions that could affect financial markets.
- Digital infrastructure: With the rise of cloud computing, data centers and internet services, the digital infrastructure sector will also be heavily impacted. Providers of cloud services, domain name systems (DNS) and other key internet infrastructure will need to implement more stringent cybersecurity measures as disruptions in this sector could have a devastating impact on other industries that rely on their services.
- Public administration and governments: Given the essential role that public administrations play in providing services and maintaining order, local, regional and national governments also fall within the scope of NIS-2. Public bodies must ensure that their systems are protected from attacks that could disrupt administration, services to citizens and critical public infrastructure.
How NIS-2 affects companies
The NIS-2 Directive requires companies to make a number of changes to their cybersecurity practices. The most important obligations are listed below:
- Risk management: Companies must apply a sound risk management approach to cyber security. This includes identifying and remediating vulnerabilities, securing their networks and systems, and developing incident response plans.
- Incident reporting: Companies will be required to report significant cyber incidents to the relevant authorities within a tight timeframe. Penalties may be imposed if such incidents are not reported.
- Board-level responsibility: NIS-2 places a strong emphasis on governance, which means that board members and senior executives are directly responsible for cybersecurity policies and compliance. This is to ensure that cybersecurity is treated as a strategic priority and not just an IT issue.
- Supply chain security: One of the outstanding features of NIS-2 is the focus on risks in the supply chain. Companies must assess and manage the risks posed by third-party vendors and service providers and ensure that security measures extend beyond their own operations.
Sanctions for non-compliance
To enforce the directive, NIS-2 introduces harmonized and stricter penalties for non-compliance. Companies that fail to take adequate cybersecurity measures or fail to report significant incidents face severe fines, including fines calculated as a percentage of annual turnover, similar to the General Data Protection Regulation.
The importance of shredding, physical destruction and demagnetization for compliance with the NIS-2 Directive
While much of the NIS-2 Directive focuses on securing digital networks and systems, the proper disposal of physical media is equally important for comprehensive cybersecurity. Sensitive data stored on physical devices such as hard disks, magnetic tapes, USB drives and even CDs remains at risk even when the devices are no longer in use. If these devices are disposed of improperly, attackers can retrieve confidential information from them, leading to potential security breaches and heavy penalties under NIS-2.
To meet the strict requirements of the directive, companies must prioritize secure methods of data destruction as part of their overall cybersecurity strategy.
Incorporating methods such as shredding and degaussing into a company's cybersecurity practices is not only a best practice, but also necessary to ensure compliance with NIS-2. Note that degaussing only affects magnetic media such as hard disks and tapes; flash-based media such as USB drives and SSDs are not erased by a degausser and require physical destruction. Here are the reasons why:
- Mitigating insider threats: Even in trusted environments, physical media that is not disposed of properly can be mishandled or stolen. Shredding and degaussing eliminate the risk of sensitive information falling into the wrong hands.
- Protection of sensitive information: Sectors covered by NIS-2, such as healthcare, finance and energy, often process highly sensitive or classified information. The secure disposal of physical data carriers is essential to prevent unauthorized access and maintain the trust of those involved.
- Avoiding penalties: NIS-2 provides for strict penalties for non-compliance, including for data breaches resulting from improper disposal of data media. Organizations that fail to take appropriate data destruction measures can suffer significant financial and reputational damage.
- Supporting a comprehensive cybersecurity strategy: By integrating physical data destruction methods into a broader cyber security concept, companies can ensure that all aspects of data protection are covered - both digital and physical.
In light of the stricter legal framework imposed by NIS-2, companies must take every measure to protect both their digital and physical assets. Securely destroying obsolete data carriers by shredding or degaussing is a crucial step in protecting sensitive information and ensuring compliance with the directive.
Implementation of NIS-2: The next steps for companies
With NIS-2 in effect since October 17, 2024, companies need to act now to ensure compliance. Here are some important steps:
- Carry out a cyber security audit: Identify areas where your organization may not be compliant with NIS-2 requirements and develop a roadmap to close these gaps.
- Invest in technology: Implement robust security technologies such as firewalls, encryption and advanced threat detection tools to protect critical systems, together with on-site data destruction solutions such as degaussers or shredders.
- Strengthen incident response plans: Ensure you have a comprehensive incident response plan and clear reporting procedures in place in the event of a cyber-attack.
- Collaboration across supply chains: Work with suppliers and partners to ensure cyber security measures are in place throughout your supply chain.
Conclusion
The NIS-2 Directive is a turning point for cybersecurity in Europe. By extending the scope of the regulations to more industries, increasing penalties and emphasizing responsibility at board level, the NIS-2 Directive ensures that companies in a wide range of industries are better prepared for the growing threat of cyberattacks.
With the NIS-2 Directive in force since October 17, 2024, now is the time for companies to invest in their cybersecurity infrastructure and governance to ensure they are not only compliant, but also resilient in an increasingly digital world.
For an overview of the NIS-2 Directive, download our guide to the NIS-2 Directive.