ISO Consultant Directory

Posted 06/03/2023 by Philippe Cornette

How to address NIS 2?

The NIS 2 Directive (Directive (EU) 2022/2555) replaces and repeals the NIS Directive (Directive (EU) 2016/1148). Adopted in 2016, the NIS Directive was the first EU-wide legislation on cybersecurity. It required member states to ensure that operators of essential services and digital service providers have appropriate security measures in place to manage the risks to their networks and information systems and to remain resilient in case of an attack or disruption.

NIS 2 introduces fines and stronger supervision, a broader set of mandatory cybersecurity risk-management measures (Article 21), and stricter incident notification requirements for essential and important entities (Article 23): an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. Management bodies must approve the cybersecurity risk-management measures and oversee their implementation, and can be held liable for infringements. Non-compliance can be sanctioned with administrative fines of up to 10M EUR or 2% of the total worldwide annual turnover, whichever is higher, for essential entities (up to 7M EUR or 1.4% for important entities). Member states must transpose the Directive into national law by 17 October 2024, so the obligations that actually apply to you are those of the national transposition.

If you are likely to be considered an "essential" or "important" entity, do not wait to take the measure of the new obligations that will apply to you.

See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022L2555 for the full text of the Directive.

To comply with NIS 2, organizations must implement appropriate and proportionate technical, operational and organizational measures to manage the risks to their networks and information systems. Article 21 lists the minimum measures, including risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, vulnerability handling and disclosure, cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication. The Directive does not prescribe how these measures are to be implemented; several established cybersecurity frameworks can be used to structure the work and to demonstrate it to the authorities.

One commonly used framework is the ISO/IEC 27001 standard, which specifies the requirements for an information security management system (ISMS). It provides a risk-based management framework, complemented by the Annex A controls, that organizations can use to protect their information assets against threats and vulnerabilities. Most of the Article 21 measures can be mapped onto ISO/IEC 27001 clauses and Annex A controls, which makes an existing ISMS a good starting point. Note that an ISO/IEC 27001 certificate does not by itself establish NIS 2 compliance: the ISMS scope must cover the systems in scope of the national law, and NIS 2 obligations such as incident notification deadlines and management accountability must be addressed explicitly.

Another relevant framework is the ISA/IEC 62443 series of standards, which specifies requirements for the secure design, implementation, operation, and maintenance of industrial automation and control systems (IACS). It is designed for the specific security needs of the industrial sector, covering asset owners, system integrators and product suppliers, and uses concepts such as zones, conduits and security levels that are well suited to operational technology (OT) environments, which ISO/IEC 27001 alone addresses only at a generic level.

In addition to these standards, there are also several sector-specific cybersecurity frameworks that may be relevant for organizations operating in specific sectors, such as the financial, healthcare, or energy sectors.

Overall, the choice of cybersecurity framework will depend on the specific needs and requirements of the organization, as well as the sector in which it operates. Organizations should carefully consider their cybersecurity needs and select a framework that is appropriate for their specific situation; for many industrial operators this means combining ISO/IEC 27001 for the IT and management side with ISA/IEC 62443 for the OT side.

To implement ISO/IEC 27001 and ISA/IEC 62443 as a means to comply with the NIS 2 Directive, an organization can follow the following strategy:

  1. Identify the scope of the ISMS and IACS: Determine which information assets, networks and control systems need to be protected and how they are used within the organization. The scope should cover at least the systems that fall under the national NIS 2 law, otherwise the management system will not support the compliance claim.
  2. Conduct a risk assessment: Identify the threats and vulnerabilities facing the organization's information assets and control systems and evaluate the likelihood and impact of the resulting risks, including risks originating in the supply chain, which NIS 2 explicitly requires to be addressed.
  3. Implement controls: Based on the risk assessment, implement appropriate controls to mitigate the identified risks. These include technical measures such as network segmentation, firewalls, access control and multi-factor authentication, as well as organizational measures such as policies and procedures, incident handling and business continuity plans, and employee awareness and training.
  4. Establish a management system: Develop the processes and procedures for managing the ISMS and IACS, including how risks are identified and treated, how the effectiveness of the controls is monitored, how incidents are detected, handled and reported within the NIS 2 deadlines, and how the system is continually improved. Management approval and oversight of these measures should be documented, since NIS 2 makes the management body accountable for them.
  5. Review and audit: Regularly review and audit the ISMS and IACS to ensure that they remain effective and in line with NIS 2 obligations. This can involve internal audits as well as external audits by a certification body, and it produces the evidence that a competent authority may request during supervision.


Contact us today to learn more about our cybersecurity services and how we can help you to address the NIS 2 requirements or to implement ISO/IEC 27001 or ISA/IEC 62443.

contact@digisoter.com +32 2 318.12.71
