
What does NIS2 mean to you?

Created: 2023-03-14 09:47:32

Compared to its previous version, the new NIS Directive eliminates the distinction between operators of essential services and digital service providers. Instead, entities will be classified based on their importance and divided into two categories, essential and important entities, which will be subjected to different supervisory regimes.
This means that all sectors and organisations coming under NIS2 are of great importance to communities within EU member states: their disruption would cause serious harm to society if they were no longer able to execute their functions. The two categories were created to reflect the fact that not all sectors impact society at the same scale in the event of an incident. Below, we explore the difference between the two groups, essential and important, and how it shapes the changes NIS2 will bring about.

Essential or important?
The introduction of NIS2 will increase the regulatory scope of the original NIS Directive. Specifically, more organisations will have to start complying with the requirements. But what are these requirements, and how will they be enforced?

Duty of care and duty to report
All organisations covered by NIS2, essential or important, will have to start complying with their duty of care. The Directive contains a list of the types of measures that service providers must implement as a minimum. These include risk assessment to check whether an organisation pays sufficient attention to information systems security, crisis management, and operational continuity in the event of a major cyber incident, and whether it can ensure the security of its supply chain. Further, the duty of care includes ensuring the security of network and information systems, using cryptography and encryption, and having policies and procedures that assess the effectiveness of risk management measures.
The reporting obligation will also apply to all organisations covered by NIS2. It will require affected organisations to notify their national authorities within 24 hours of becoming aware of an incident, followed by a 72-hour update and a final assessment one month after.

Monitoring
Both categories of entity have the same duties and obligations. For example, members of the management bodies of essential and important entities are required to follow training, and must take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of the network and information systems that entities use for their operations or the provision of services, and to prevent or minimise the impact of incidents on recipients of their or other services.
Essential organisations will also be required to have a proactive preparedness framework to evaluate the impact of mismanagement even without an incident. For the second category, important entities, compliance is expected reactively. This means that these organisations will only be checked for compliance with laws and requirements after an incident. Should it be concluded that insufficient action was taken and requirements were not met, the same sanctions apply to both types of entities.
It is important to note that by 17 April 2025, and every two years after that, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
