
NIS2

Thales will help your organization adhere to the European Union’s new NIS2 directive

  • Regulation
  • Compliance

NIS2: Closing the Gaps in the Network and Information Security (NIS) Directive

In 2016, the European Commission adopted the EU Network and Information Security (NIS) directive. The NIS directive was the first EU-wide cybersecurity legislation and its goal was to enhance cybersecurity across the European Union.

In May 2022, in response to the growing threats posed by increasing digitalization and the surge in cyber-attacks, the Commission announced that the NIS directive would be replaced. The successor strengthens the security requirements and introduces more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the European Union.

The NIS2 directive aims to boost the following aspects:

1. Scale

Growing interconnectedness, rapid digitization and ubiquitous connectivity mean that more enterprises are becoming systemically important to defend against cyber risk. Redefining the original scope so that it clearly covers “essential services” – including transport, banking and public administration, as well as entities operating in sectors such as food production, postal services and waste management – means that cyber resilience measures will need to be taken at a much larger scale across the continent.

2. Governance

Enhancing security governance and making senior managers in a business accountable for cyber resilience is another major step. Cybersecurity has to be a board-level and senior management issue, not something delegated to technical teams. Accountability will empower chief information security officers (CISOs), though it also comes with the expectation that they can communicate effectively with senior management and act as both technical and business leaders.

3. Fines and sanctions

NIS2 mandates a more comprehensive set of powers to be conferred on competent authorities. For essential entities, they will be able to impose penalties of at least a fixed amount or 2% of worldwide turnover. This is a significant incentive for businesses to make sure they are meeting their obligations, and these new potential penalties will be a major lever for resilience in the EU and beyond.

4. Incident response obligations

Gaps have been closed and revisions made to incident response obligations. For example, a “significant impact” on an entity will no longer be defined by a single metric (the number of impacted users) but by whether critical services were disrupted or financial or material loss occurred. The deadline for initial notification has also been shortened from 72 to 24 hours, and reporting will extend to users of the affected services and potentially to the public.

Enhancing Cyber Security across the European Union

Drawing on decades of experience helping corporate entities and public enterprises adhere to compliance mandates, Thales offers integrated products and services that enable your organization to strengthen its cybersecurity capabilities, address the security of its supply chain, streamline reporting obligations, and comply with NIS2’s more stringent supervisory and enforcement requirements, including the harmonized sanctions that apply across the European Union. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden.

Protection from cyber threats every step of the way

Thales offers comprehensive data protection solutions that help organizations meet their obligations under the NIS2 directive:

  • Protect transaction and personal data at rest: Thales’ CipherTrust Manager, Luna Hardware Security Modules (HSMs) and the Thales Data Protection on Demand (DPoD) marketplace enable organizations to centrally manage encryption keys and deliver a variety of encryption, tokenization and data masking solutions to protect transaction and personal data in files, folders, applications, and databases on premises, in the cloud, and across hybrid environments.
  • Encrypt financial and personal data in motion: Thales High Speed Encryptors (HSE) encrypt all data that traverses networks.
  • Develop and maintain secure systems and applications: Thales Luna HSMs, available on premises and in the cloud as Luna Cloud HSM on DPoD, enable organizations to securely store code-signing keys in a trusted hardware device, thus ensuring the authenticity and integrity of application code files.
  • Implement strong access control measures: Thales CipherTrust products can be set up for unique, multi-factor administrative access to enterprise systems on premises and in the cloud. In addition, SafeNet Trusted Access enables you to centrally manage unique user identities and risk-based authentication policies, and to grant or revoke access to systems across hybrid IT.
  • Track and monitor all access to sensitive data: All products in the Thales CipherTrust data protection portfolio produce audit records that log every encryption key lifecycle operation (creation, deletion, rotation, revocation) and other administrative actions, so that events can be reconstructed.

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens, regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.