
If your company is trying to figure out whether it needs to comply with NIS2, the answer is probably yes, especially if you operate in critical industries such as energy, health care or transportation.
NIS2 is designed to make networks and information systems more secure by better protecting against increasingly frequent cyber attacks. This means taking stronger security measures, but also more careful management of cyber risks. If this sounds complex or if you don’t know where to start, Versya is here to help you create a customized adaptation plan.
In this article we will explain:
- NIS2 directive: what it is
- What it entails for companies
- When it takes effect
- What the objectives of NIS2 are
- What measures are required
- Why it is necessary to strengthen security
- Which companies are involved
- What the first steps to take are
- How to implement a cybersecurity solution
The NIS2 Directive is in effect!
Coming into force on October 17, 2024, NIS2 – Network and Information Security 2 is a European directive that, as we mentioned earlier, aims to strengthen cybersecurity by updating and expanding previous regulations.
Under this, companies must implement technical and organizational measures to protect their systems, such as cyber risk management, continuous monitoring, and incident response.
In fact, the directive aligns with regulations such as the GDPR (EU General Data Protection Regulation 2016/679), the Cyber Resilience Act and the DORA Regulation, and, at the national level, the National Cyber Security Perimeter, in order to ensure security at the European and national levels.
NIS2 directive: what does it mean for businesses?
But what does it mean for businesses concretely? In essence, the directive requires companies operating in critical sectors, such as energy, transportation and health care, to take stronger measures to protect their IT systems.
Companies will need to not only implement technical solutions for data protection, but also create a corporate culture that puts cybersecurity at the center.
This means planning responses to incidents, constantly monitoring vulnerabilities, and ensuring ongoing staff training.
In addition, it is expected that all violations will be reported quickly so that the relevant authorities can take prompt action.
- You can read the directive in the Official Gazette.
When will NIS2 go into effect?
The NIS2 directive came into effect on October 17, 2024. Therefore, all companies and organizations involved will have to comply with the requirements set forth to avoid penalties and security risks.
The main objectives of NIS2
NIS2 has five main objectives:
- Expand the scope to include new critical sectors such as water, digital infrastructure, cloud service providers and public administration.
- Improve cooperation among member states for faster and more effective response to cyber incidents.
- Strengthen security requirements for all organizations by imposing more stringent measures to protect information systems.
- Introduce timely reporting requirements, with a 24-hour limit for reporting significant incidents.
- Impose tougher penalties on non-compliant companies, with high fines. Proceeds from fines are earmarked for the National Cybersecurity Agency, as stipulated by decree-law no. 82/2021, which regulates cybersecurity in Italy.
What are the measures required to achieve compliance with NIS2?
To comply with NIS2, companies must take concrete steps in several key areas of cybersecurity:
- Risk analysis and security: manage risks related to information systems, with a focus on vulnerabilities.
- Incident management: establish procedures for reporting and handling IT incidents.
- Business continuity: ensure backup and disaster recovery plans.
- Supply chain security: monitor the security of external suppliers and services.
- Security in systems management: protect the acquisition and maintenance of information systems.
- Evaluation of the effectiveness of security measures: implement policies to monitor and improve security measures.
- Information security training: educate staff and maintain basic security practices.
- Encryption and data protection: implement encryption policies where necessary.
- Access control and asset management: strengthen control over access and corporate assets.
- Multi-factor authentication: use advanced authentication methods for access to critical systems.
- Supplier security: ensure that suppliers meet the same security standards.
- Incident reporting: report significant incidents to CSIRT Italy within 24 hours.
Why strengthen security requirements?
The strengthening of security requirements under NIS2 is necessary in order to have a more rigorous and structured approach to cybersecurity management. This involves three key areas: technology, organization and governance. Let’s look at them in detail.
1. Technical Measures
These measures focus on the IT tools and solutions needed to protect digital infrastructure and business information. Some examples include:
- Endpoint protection: antivirus software, endpoint detection and response (EDR) tools, next-generation firewalls, WAF. For example, SOC services monitor events across the IT perimeter, identifying and analyzing threats before they cause damage and containing incidents quickly.
- Network security: intrusion prevention systems (IPS), encryption of data in transit, and network monitoring solutions.
- Backup and recovery: regular backup planning and verification to ensure rapid data recovery in case of incidents.
- Vulnerability management: regular scanning to detect and fix security flaws in systems through periodic testing such as:
  - Disaster recovery assessment: disaster simulation to verify the effectiveness of the disaster recovery plan (DRP) and the solutions implemented for disaster recovery and backup processes;
  - Awareness assessment: periodic testing with phishing campaigns to verify user education in terms of cybersecurity;
  - Vulnerability assessment: periodic third-party audits aimed at verifying the effectiveness of the security solutions implemented in the information system.
- Advanced authentication: implementation of methods such as multifactor authentication (MFA) to protect access.
2. Organizational Measures
These are processes and procedures that help maintain a constant level of security in the organization. Examples include:
- Information security policies: drafting internal guidelines that define best practices for employees.
- Staff training: employee awareness on phishing, password management, and safe online behaviors.
- Third-party management: monitoring of IT supplies to ensure that partners and suppliers adhere to the same security standards.
- Incident response plans: creating detailed procedures for responding quickly to cyber attacks or breaches.
3. Governance Measures
These concern supervision and control at the strategic level to ensure that security is integrated into all business activities. This involves:
- Management-level accountability: involvement of top management in making cybersecurity decisions and risk management.
- Periodic risk assessment: regular assessments of cybersecurity-related risks to identify and mitigate potential threats.
- Compliance: ensuring that the organization complies not only with NIS2, but also with related regulations (such as GDPR, ISO 27001, etc.).
- Audit and monitoring: internal and external audits to check compliance and effectiveness of measures taken.
Which companies will have to implement NIS2 compliance?
The NIS2 directive broadens the scope of the previous version to include a wider range of sectors and organizations, both public and private. Critical sectors, essential to the socioeconomic functioning of the EU, must meet stringent cybersecurity requirements. The sectors involved include:
ESSENTIAL SERVICES (HIGH CRITICALITY)
- Energy sector: electricity, oil and gas, heating, hydrogen
- Transportation sector: air, maritime, rail and road
- Banking and finance sector
- Health care sector: health care, analytical laboratories, medical device manufacturers, research
- Water and wastewater sector
- Digital infrastructure sector: domain name management, cloud computing, content distribution, communication
- TLC services management sector: managed services for infrastructure and security
- Public administration
- Space sector
IMPORTANT (CRITICAL) SERVICES
- Postal and courier services sector
- Waste treatment sector
- Chemical sector: production and distribution
- Food sector: production, processing and distribution
- Manufacturing sector: general machinery, electrical equipment, computers, transportation equipment
- Digital services: social networks, search engines, online marketplaces
- Scientific research
What are the first steps to take to be in compliance with NIS2?
To be in compliance with NIS2, companies must follow some key steps:
- Assessment of IT systems: analyze your information systems to ensure that they meet the security standards required by the directive.
- Adaptation plan: develop an adaptation plan to implement the technical measures required by the directive. A NIS2 consultant can support you at this stage.
- Cybersecurity by design: integrate tools for monitoring, preventing and responding to cyber attacks from the design stage of systems.
- Crisis team: analyze the incident and manage it, including verifying whether the notification requirement applies within the required timeframe.
- Remediation: define a remediation process that coordinates internal resources with IT vendor management activities.
- Procedures manual: draft a manual documenting the security procedures adopted and the technical measures used, ensuring that staff have been properly trained on cybersecurity.
- Periodic audits: regularly check the status of compliance through audits and update the procedures manual according to any changes in requirements.
How can my company adapt to NIS2 compliance? With solutions from Versya!
Versya, in partnership with WIIT and IRIDEOS, offers advanced solutions to counter cyber threats and protect corporate information. Through a broad portfolio of services, including managed security as a service, advanced mobile device protection, and Security Check-Up, Versya supports companies in achieving NIS2 compliance, strengthening cyber resilience. Benefits of a comprehensive implementation include:
- Protection of computer systems from unauthorized access
- Defense of corporate reputation
- Compliance with regulations to avoid penalties
- Reduced operational disruptions and financial losses from attacks
Contact us today to find out how Versya can help you with NIS2.