Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

Table of Contents:

  1. Introduction 
  1. Key areas covered by Clause 4.1 
  1. Benefits of understanding the organisation and its context 
  1. How Clause 4.1 can help organisations manage risks 

NIS2: The new directive to strengthen cyber security

The new EU directive NIS2 to strengthen cybersecurity is coming into force: We explain what it means for UK businesses and how you can best prepare for the changing landscape. The cornerstone of NIS2 compliance is an information security management system (ISMS) that meets the requirements of ISO 27001. In fact, if you’re ISO 27001 certified, you already complete 70% of the NIS2 security requirements.

We will also discuss what’s new in risk and asset management, reporting and business continuity.

Does the NIS2 Directive apply to UK businesses?

The short answer is no, the UK is not implementing NIS2 as they are no longer bound by EU legislation. But what they’re doing is making changes in their existing cybersecurity laws, such as adding managed service providers to the scope of the NIS regulations, including more supply chain security-related policies, or increasing the incident reporting-related obligations.

What do I need to do about NIS as a UK business operating in the EU?


The good news is that if your organisation is already ISO 27001 certified, you have taken significant steps towards becoming NIS2 compliant. In fact, by building an ISO 27001-compliant ISMS, you complete 70% of the NIS2 requirements. These requirements include risk management, corporate accountability, reporting obligations, and business continuity.

NIS2 Compliance

nis2-compliance-what-if

1. Severe penalties

Under NIS2, national authorities have a much wider range of sanctions at their disposal:

  • Directors and management can be held personally liable for failures in implementation.

  • Fines can be up to €10 million or 2% of total turnover (for essential entities) or €7 million or 1.4% of total turnover (for important entities).

  • Regulators may suspend business operations if necessary for network security.

 

2. Insufficient protection against cyberattacks

Data breaches cost an average of $4.35 million per incident last year. Yet 83% of companies have already had more than one data incident – many of which go undetected until the damage is done.

To adequately protect your company against these threats, you need to implement the comprehensive measures in the NIS2 Directive as soon as possible.

Current estimates suggest that you’ll need to increase your cybersecurity budget by 22% to make this happen.

You can use our two-pager to provide your CEO with concise and precise information about NIS2 and show how important it is to act quickly.

Only available in German

Download now

What are the NIS2 requirements?

The new NIS2 Directive requires companies to strengthen their cybersecurity and to communicate more with national supervisory authorities – for companies that do business in Germany. This is the Federal Office for Information Security (BSI).

The main requirements at a glance:

  • Processes must be established for risk analysis and management, information security and cyber incident management. These are based on the ISO 27001 criteria for an ISMS.

  • Continuity and recovery plans must be in place to respond to emergencies.

  • Significant incidents must be reported to the BSI within very short deadlines – in some cases, 24 hours.

  • Company-wide use of encryption technology and multi-factor authentication is required.

  • Regular training for all staff to educate them on best practices in information security and changes in the risk landscape must be demonstrated to the BSI.

How to efficiently prepare for NIS2 compliance

We know how challenging it can be for businesses to implement the NIS2 Directive. The requirements are somewhat vague, and Member States are still working on drafts of national legislation.

You need guidance. Like the guidance that Dr Marnix Dekker, Head of Sector NIS at the European Union Agency for Cybersecurity (ENISA), gave us in a recent DataGuard webinar in business newspaper Handelsblatt:

“With ISO 27001, you should be all set.”

So if you base your ISMS on the requirements for ISO 27001 certification, you will also be well-positioned to meet the requirements of the NIS2 Directive.

How DataGuard can help you achieve ISO 27001 certification – and more

The first step is to conduct a gap analysis with you to identify where your business is vulnerable.

We then provide you with tailor-made recommendations to close these gaps in accordance with ISO 27001 and NIS2.

We also work with you to optimise your risk and asset management processes and develop plans for business continuity, cyber incident management and staff training. In this step, the NIS2 requirements sometimes go beyond ISO 27001 – with DataGuard experts on your side, you can be confident that your business is implementing the right measures.

Ultimately, you will build your ISMS on these company policies before it is certified in accordance with ISO 27001 through an external audit. To date, all DataGuard customers have a 100% success rate on their first go at certification.

Setting up an ISMS is a large investment. So, imperious to use your resources as efficiently as possible. By using our information security platform, you can automate many of the processes involved, reducing the cost of certification by up to 40%.

With DataGuard, nothing stands between you and NIS2 compliance – book your free consultation now!

Book an appointment

NIS2 FAQs

Our answers to your most frequently asked questions 

Entry

What is the NIS2 Directive?

NIS2 is the EU’s second directive to strengthen network and information security in the European Economic Area. It was first adopted by the EU Parliament in 2022 and still has to be transposed into national law by the Member States by October 18, 2024. The directive will affect a total of 18 sectors.

Entry

What companies does NIS2 apply to?

NIS2 defines 11 sectors as essential entities and 7 others as important entities. Only companies with at least 50 employees and an annual turnover of €50 million will be affected. Irrespective of their size, essential entities also include digital infrastructure providers as well as public administrators and operators whose failure would have a significant impact on society, the economy and security.

Entry

What does the acronym ‘NIS’ stand for?

NIS stands for ‘Network and Information Security’. It is an EU directive designed to strengthen cybersecurity in the European Economic Area. The first NIS Directive was adopted by the EU Parliament in 2016. The second version of the directive (NIS2), which builds on the first, was introduced in 2022.

Entry

What does the new NIS Directive aim to achieve?

The new NIS Directive, NIS2, aim to improve cyber-resilience, i.e. protection against cyberattacks, in all affected sectors. The aim is to achieve a high and consistent level of security across the EU. To achieve this, Member States will cooperate more closely in the future by sharing information and data. This will also enhance supply chain security in all affected sectors.

Entry

What is NIS1?

NIS1 was the first EU-wide directive on cybersecurity and was adopted in 2016. The aim was to increase resilience to cyber threats in the EU by standardising security measures. However, businesses still need help to implement the directive due to its unclear requirements. Critics also complained that it was too limited in scope, as it applied to too few sectors.

Entry

What changed from NIS1 to NIS2?

One of the most significant changes in NIS2 is its expanded scope. This means that it now applies to a much more comprehensive range of organisations and sectors, including smaller companies and providers of digital infrastructure. In addition, the security requirements imposed by the directive are significantly stricter. They now cover the entire supply chain. Finally, NIS2 gives national authorities greater scope to impose sanctions and exercise more oversight.

Entry

My company is already ISO 27001 certified. What do I need to do now?

It’s a good first step, but the ISO 27001 requirements only cover 70% of NIS2. The new EU directive extends the requirements for risk and asset management and business continuity plans. It also requires companies to put in place standardised incident reporting processes. Finally, NIS2 imposes greater liability on board members and CEOs. This means that they will need to be more involved in security processes than before and will therefore need to receive appropriate training.

Entry

Does the NIS2 Directive apply to UK companies?

The short answer is no. The UK is not implementing NIS2 as it is no longer bound by EU legislation. But the UK is making changes in its existing cybersecurity laws, such as adding managed service providers to the scope of the NIS regulations. Or including more supply chain security-related policies or increasing the obligations for incident reporting.   

Entry

What do I need to do about NIS as a UK business operating in the EU?

The good news is that if your organisation is already ISO 27001 certified, you have already taken significant steps towards becoming NIS2 compliant. In fact, by building an ISO 27001-compliant ISMS, you complete 70% of the NIS2 requirements. These requirements include risk management, corporate accountability, reporting obligations and business continuity.

Don’t miss these topics:

Related Resources

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Transparent consent collection
  • Comply with GDPR, CCPA, LGPD, ePrivacy, and more
  • Consolidate consents across multiple touchpoints
  • Support from privacy experts
  • Integrates with your marketing tools and CRM

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon Logo Contact Hyatt Logo Contact Holiday Inn Logo Contact Unicef Logo Contact Veganz Logo Contact Burger King Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line Logo Contact

Let's talk