The EU has reached a political agreement on a new Directive on measures for a high common level of cybersecurity across the Union, known as NIS2. The Directive applies to all organizations already covered by NIS1 and additionally extends to further sectors, including:
- providers of public electronic communications networks or services,
- digital services such as social networking platforms and data centre services,
- wastewater and waste management,
- manufacturing of certain critical products (such as pharmaceuticals, medical devices, chemicals),
- postal and courier services,
- public administration.
According to the new Directive, affected organizations must submit an early warning of a significant incident within 24 hours of becoming aware of it, a fuller incident notification within 72 hours, and a final report within one month containing a detailed description of the incident, the root cause that triggered it, and the mitigation measures applied and still ongoing.
Non-compliance with the provisions of the Directive will be sanctioned by financial penalties expressed as a percentage of annual turnover. For essential entities the maximum fine is at least €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities it is at least €7 million or 1.4%. In addition, supervisory authorities may issue binding instructions to the offender, order it to implement the recommendations of a security audit report, and require it to put in place security measures that comply with NIS2.
The new Directive will enter into force 20 days after publication in the Official Journal of the EU. Member states will then have 21 months to transpose the Directive into national law.
Do not delay adapting to the provisions of the new legislation. Stay informed about changes affecting your industry and raise the cyber security of your processes and systems to the required level.