GET PREPARED FOR NIS2!

The stakes for cybersecurity have never been higher.

Recognizing the sharp rise in cyber threats, the EU has introduced the NIS2 Directive (Directive (EU) 2022/2555): an updated set of requirements and obligations designed to raise cybersecurity resilience across critical sectors. Member States had to transpose it into national law by 17 October 2024 and its rules apply from 18 October 2024, so businesses in scope must act swiftly to meet the new standards and safeguard their operations.

We are hard at work helping organizations navigate this transition, helping your business meet the new cybersecurity standards and stay protected against evolving cyber threats.

*Hornetsecurity provides non-binding advice which is given for general information purposes only and should not be relied upon as a replacement for legal advice. Please reach out to your supervisory authority for any additional guidance.

What is NIS2?

As early as 2013, the European Union recognized that the number of cyber-attacks was rising significantly and posed a major challenge for organizations and citizens. In response, the EU adopted the NIS Directive (Network and Information Security) in 2016, introducing security measures to improve the cybersecurity capabilities of network and information systems in seven sectors: energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructure.

The NIS2 Directive replaces the 2016 Directive and requires in-scope entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to their network and information systems and to prevent or minimise the impact of incidents on the recipients of their services.

What is the difference between NIS and NIS2?

With NIS2, the European Union expanded the scope of the 2016 NIS Directive and introduced two categories of covered organizations, essential entities and important entities, which must comply with the Directive's cybersecurity risk-management measures and reporting obligations.

NIS2 strengthens cybersecurity obligations and the supervision carried out by each Member State, which must designate competent authorities responsible for supervision and enforcement, and for the first time sets EU-wide minimum ceilings for the administrative fines that can be imposed on entities breaching its provisions. For essential entities, a supervisory authority must be able to issue a fine of up to 10 000 000 euros or 2 % of the total worldwide annual turnover of the entity, whichever is higher.

Operators of essential services were already covered by NIS, but NIS2 expands the list of covered sectors and adds the new category of important entities. We believe that your organization should run a thorough review of its current security practices in preparation for the transition from NIS to NIS2. That notably means enhancing your incident response capabilities, implementing stronger cybersecurity measures, and ensuring compliance with the security requirements of the NIS2 Directive.

Which companies are affected by NIS2?

NIS left it largely to Member States to identify operators of essential services, and exempted small and micro digital service providers. NIS2 instead applies a size-cap rule: entities active in the listed sectors are in scope when they qualify as medium-sized or large enterprises, that is, 50 or more employees, or an annual turnover or balance sheet total above €10 million (Article 2(1)).

Certain entities are covered regardless of size, for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, and entities that are the sole provider in a Member State of a service essential for critical societal or economic activities (Article 2(2)). This means that, from October 2024, organizations that NIS never covered might now have to comply with NIS2, depending on the services they provide.

What are the new requirements and obligations?

The NIS2 Directive introduces new requirements and obligations for organizations in four key areas:

  • Risk management: Companies must take measures to minimize cyber risks, including incident handling, supply chain security, network security, access control and encryption (Article 21).
  • Corporate accountability: Management bodies must approve and oversee the entity’s cybersecurity risk-management measures, follow training on them, and can be held liable for infringements (Article 20).
  • Reporting obligations: Entities must have processes in place for prompt reporting of incidents with a significant impact on their service provision or recipients: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month (Article 23).
  • Business continuity: Ensure business continuity in the case of major cyber incidents, including backup management, disaster recovery, crisis management and the setting up of a crisis response team.

How can Hornetsecurity help?

Every company covered by NIS2 must address the security of its supply chain, including the security-related aspects of its relationships with direct suppliers and service providers (Article 21(2)(d)). In practice, covered entities will therefore expect vendors of cybersecurity products and services to demonstrate a comparable security level before they can be onboarded as suppliers.

Thus, Hornetsecurity is a great partner for all companies that want to be NIS2 compliant because: 

  • We maintain a strong internal cybersecurity program based on the implementation of ISO 27001 security measures for some of our solutions, and a proven risk management process of the kind needed to achieve NIS2 compliance.
  • We host a Computer Security Incident Response Team Lab within our teams with several cybersecurity analysts working on threat analysis daily (Security Lab and Vade TIRC teams).
  • We have a responsible vulnerability disclosure policy publicly available to ensure the safety and security of Hornetsecurity’s systems and technologies.

We are a European leader with a specific cybersecurity focus and we work with national authorities to ensure both European and global cyber security resilience for our customers.

Hornetsecurity’s comprehensive solution, 365 Total Protection Compliance and Awareness, helps companies achieve NIS2 compliance, offering email security, backup and recovery, compliance, permission management, and security awareness. Managed through a central cloud-based console, it ensures comprehensive digital protection, enhances customer trust, and facilitates business continuity.

Critical NIS2 areas covered by Hornetsecurity solutions

Risk Management:

Entities must take measures to minimize cyber risks, including:

Incident management: Content analysis after an attack: email header analysis in CP, immutable preservation of email bodies in Archiving
Strong supply chain security: Support for SPF/DKIM/DMARC; AI recipient validation (SMF)
Enhanced network security: Spam and Malware Filter, Advanced Threat Protection, Webfilter
Better access control: CP with 2FA and sync with your directory service, 365 Permission Manager
Encryption: Encryption Service (SMF); communication with the service is encrypted with TLS 1.2/1.3

✅ 365 Total Protection Compliance and Awareness
✅ Advanced Threat Protection
✅ 365 Permission Manager

Business Continuity:

Entities must ensure business continuity in case of:

Major cyber incidents: Geo-redundant data center
System recovery: Automated backups for mailboxes, teams, OneDrive and SharePoint
Emergency procedures: Email Continuity Service, Archiving
Setting up a crisis response team: Support from the Hornetsecurity Security Lab experts

✅ 365 Total Protection Compliance and Awareness
✅ Email continuity
✅ 365 Total Backup
✅ VM Backup

Corporate Accountability:

Corporate management must:

Oversee & approve: Security Awareness Service group reports with ESI
Be trained on the entity’s cybersecurity measures: Security Awareness Service e-learnings
Be able to address cyber risks: Security Awareness Service phishing simulation campaigns that raise awareness

✅ 365 Total Protection Compliance and Awareness
✅ Security Awareness Service

Reporting Obligations:

Entities must have processes in place for:

Prompt reporting of security incidents with significant impact on their service provision or recipients: reporting on email threats, plus status notifications in case of service issues related to any of our services

✅ 365 Total Protection Compliance and Awareness
✅ 365 Total Protection Enterprise Backup

What are the sanctions?

Under Articles 32 and 33 of the NIS2 Directive, the competent authority can act when an entity does not comply with the national rules implementing the Directive.

Its supervisory powers include on-site inspections and off-site supervision, regular and targeted security audits, ad hoc audits (including after a significant incident), security scans, and requests for information, data and evidence that the cybersecurity measures have actually been implemented. Essential entities are supervised proactively; important entities are supervised ex post, when the authority has evidence or indications of non-compliance.

In case of non-compliance or failure to provide up-to-date information, the authority may issue warnings, binding instructions and deadlines, order the entity to inform the recipients of its services, designate a monitoring officer, and, for essential entities, temporarily suspend a certification or authorisation and temporarily bar the CEO or legal representative from exercising managerial functions until the breach is remedied.

If companies do not comply with NIS2, there are different sanctions:

Fines

NIS2 requires Member States to provide for administrative fines of up to at least €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities.

Non-monetary remedies

NIS2 also provides that competent authorities can impose non-monetary measures, among which warnings, binding instructions, compliance orders, orders to implement the recommendations of a security audit, the designation of a monitoring officer, and orders to inform the entities’ customers of a significant cyber threat.

These measures apply to both essential and important entities; the main differences are the lower fine ceiling for important entities and the temporary suspension of certifications and the management bans, which are reserved for essential entities.

Is your organization ready for the NIS2 deadline?

Learn how Hornetsecurity can help your organization meet NIS2 requirements. Simply fill out the contact form and we’ll get back to you.
