How NIS 2 Is Changing Our Industry’s Approach To Business Continuity & Risk Mitigation

by PQE Group

The updated EU-wide legislation on cybersecurity, NIS 2, which member states should adopt by 18 August 2024, will transform our industry's approach and understanding of risk mitigation and business continuity.

Built on the foundation of the existing EU legal framework to address reliance on digital systems and our increased exposure to threats, the new body of laws covers new sectors and spheres previously excluded in earlier versions in an attempt to boost cybersecurity measures across critical organizations operating within the jurisdiction of the European Union.

With the new directive, member states have more tools and capabilities to prevent accidents and deal with disasters that could have a ripple effect across Europe, given the interconnectedness of modern digital systems. NIS 2 is giving us, as an industry, the chance to strengthen our cybersecurity frameworks, enhance collaboration across borders, and implement more robust risk management practices. 


What Changes Can We Expect?

The distinction between ‘operators of essential services’ and ‘digital service providers’ is being replaced by a new categorization method that splits entities into two groups based on their importance and size. Instead of the old classification, businesses are now categorized as either essential or important, each subject to different levels of regulatory oversight and fines for misconduct. This new classification removes the ambiguity of previous frameworks by grouping entities based on their importance and role in the economy and daily life of EU citizens. Although both essential and important entities must adhere to the same code and report cybersecurity incidents, the level of exposure, size, and overall significance will influence how these responsibilities are managed.

NIS 2's focus on risk mitigation means that the entire supply chain is now subject to scrutiny, and all entities must have cybersecurity policies in place. This includes evaluating third parties, such as suppliers, and their data practices. Organizations are also required to integrate risk management into their contracts with third parties and ensure that appropriate cybersecurity measures are enforced throughout the supply chain.

Enforcement and Penalties

Unlike in previous legislation, NIS 2 introduces financial penalties for entities that fail to comply with cybersecurity requirements. Under the framework, responsibility for ensuring compliance lies with management, and failure to comply gives competent authorities the power to sanction management and senior executives in severe cases. Administrative fines can reach up to €10 million or 2% of global turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever is higher.


Risk Management & Business Continuity

NIS 2 places great emphasis on business continuity and risk mitigation. Entities deemed essential or important have a crucial responsibility to ensure their operations continue during cybersecurity incidents by implementing a comprehensive resilience framework. This includes developing robust business continuity plans and disaster recovery procedures to deal with crises when they emerge. In addition to these steps, entities must have a quick incident reporting system in place to provide early warnings in the event of cyber attacks. Staff should be well trained to handle these scenarios, and a clear incident response plan must be established to ensure a coordinated and efficient response. This includes regular drills to test preparedness and the implementation of preventive measures to minimize disruption and facilitate swift recovery.

Is Your Organization Ready for NIS 2?

As Europe awaits October 17, 2024, the date when NIS 2 will be enforced, there are several key steps you can take to ensure your organization is compliant and NIS 2-ready. The first and most important step is to determine whether your organization falls under the new legal framework. If your organization employs between 50 and 250 people and has an annual turnover under 50 million euros, it falls into the important entities category. If it has more than 250 employees and an annual turnover exceeding 50 million euros, it is classified as an essential entity. In both cases, unless exempted, you will likely be subject to NIS 2.

Therefore, it is crucial to audit your current IT systems, supply chain, and overall organizational security to assess weaknesses and exposure levels. Implementing access controls, such as multi-factor authentication and encryption, and conducting incident response and crisis management training for your staff will help ensure compliance and minimize the risk of data breaches and fines.

At PQE Group, we're committed to helping you navigate and achieve full compliance with the latest regulatory frameworks. Our expert team in data integrity, digital governance, training, and regulatory affairs is here to provide the support you need to ensure both your team and systems are fully prepared for NIS 2. 

Want to know more?

PQE Group staff comprises experienced and skilled experts in multidisciplinary teams, available to support your company in achieving the highest levels of safety for your systems. Visit our Digital Governance services page to learn more or to contact us, and find the most suitable solution for your company.