NIS2
Thales will help your organisation adhere to the European Union’s new NIS2 directive
In 2016, the European Commission adopted the EU Network and Information Security (NIS) directive. The NIS directive was the first EU-wide cybersecurity legislation, and its goal was to enhance cybersecurity across the European Union.
In May 2022, in order to respond to the growing threats posed by increasing digitalisation and the surge in cyber-attacks, the Commission announced that it would replace the NIS directive and thereby strengthen the security requirements and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the European Union.
1. Scale
Growing interconnectedness, rapid digitisation and ubiquitous connectivity mean that more enterprises are becoming systemically important and must be defended against cyber risk. Redefining the original scope to cover “essential services” more clearly – including transport, banking and public administration, as well as entities operating in services such as food production, postal services and waste management – means cyber resilience measures will need to be taken at a much larger scale across the continent.
2. Governance
Enhancing security governance and making senior managers in a business accountable for cyber resilience is another major step. Cybersecurity has to be a board-level and senior management issue, not something delegated to technical teams. Accountability will empower chief information security officers (CISOs), though it also comes with the expectation that they can communicate effectively with senior management and act as both technical and business leaders.
3. Fines and sanctions
NIS2 mandates a more comprehensive set of powers to be conferred on competent authorities. For essential entities, they will be able to impose penalties of at least a fixed amount or 2% of worldwide turnover. This is a significant incentive for businesses to make sure they are meeting their obligations. These new potential penalties will be a major lever for resilience in the EU and beyond.
4. Incident response obligations
Gaps have been closed and revisions made to incident response obligations. For example, a “significant impact” on an entity will no longer be a defined metric (number of impacted users) but rather whether there was disruption to critical services, or financial or material loss. Also, the notification deadline has been reduced from 72 to 24 hours, and reporting will be to users of the services and potentially to the public.
Drawing on decades of experience helping corporate entities and public enterprises adhere to compliance mandates, Thales offers integrated products and services that enable your organisation to strengthen its cyber security capabilities, address the security of supply chains, streamline reporting obligations and comply with more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the European Union. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden.
Thales offers comprehensive data protection solutions that help organisations comply with the NIS2 directive and take appropriate responsibility under it
Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens – regardless of where the organisation is headquartered.
Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.