What are the key requirements of NIS2?

NIS2 establishes four overarching requirements for organizations:

  1. Take action to minimize cyber risks, including in the ICT supply chain.

  2. Have processes in place to report cybersecurity incidents to ENISA:

    • Within 24 hours - provide ENISA with an “early warning report”

    • Within 72 hours - provide ENISA with a fuller “incident notification”

    • Within 1 month - provide ENISA with a “final report” with a detailed description of the incident, including its severity, impact and the mitigation measures implemented.

  3. Establish a corporate accountability regime that oversees, approves and trains employees on cybersecurity measures; and

  4. Put in place a business continuity plan in case of major cyber incidents.

Some baseline requirements highlighted include establishing, implementing, and regularly updating:

  • Risk assessments and security policies for information systems.

  • Policies and procedures for the use of cryptography, and when relevant, encryption.

  • Policies for vulnerability and incident management, including for third-party suppliers.

  • Security procedures for employees with access to sensitive or important data.

  • Use of multi-factor authentication, continuous authentication solutions, and voice, video, and text encryption.

  • Policies and procedures for evaluating the effectiveness of security measures.

  • Cybersecurity training and cyber hygiene practices.

  • Business continuity plans; and

  • Supply chain security measures.

Failure to comply with these requirements could result in fines of up to €10 million or 2% of the entity's total worldwide turnover, whichever is higher.

How can CAYES help?

BlackBerry helps businesses, government agencies, and safety-critical institutions of all sizes secure their organizations and respond in times of crises. We can specifically help your organization in the following ways:

BlackBerry AtHoc

Respond to incidents and implement business continuity plans with BlackBerry AtHoc, a critical event management solution that combines a secure emergency notification system with incident response tools – so your organization can quickly deploy your response teams and enable them to better prepare for, respond to, and recover from critical events faster. 

SecuSUITE

Encrypt voice communications and messaging on iOS and Android devices with SecuSUITE, certified to meet the highest security requirements and protect against the most sophisticated threats. 

BlackBerry UEM

Secure your data on corporate-owned and personal devices with BlackBerry UEM, giving you granular policy control and the visibility you need to secure all endpoints, improve your security posture, and comply with regulatory requirements.

Cylance Endpoint

Prevent cyber attacks before they happen with CylanceENDPOINT, BlackBerry’s self-defending AI endpoint security solution that detects threats before they cause damage, minimizing business disruptions and the costs incurred by a ransomware attack.

Cylance Intelligence

Arm your organization with the latest cyber threat insights with CylanceINTELLIGENCE, a contextual, customized and actionable cyber threat intelligence service.

Cylance Guard

Extend and supercharge your internal security team with CylanceGUARD, BlackBerry’s world-renowned cybersecurity analysts at a fraction of the time and cost to build your own Security Operations Centre.

Cylance Edge

Restrict access to sensitive information with CylanceEDGE, BlackBerry’s cloud-native Zero Trust access solution that enables secure work from anywhere for organizations of all sizes.

What is NIS2, and which sectors are impacted?

The EU directive on the security of Network and Information Systems (NIS) was originally introduced in 2016 as the first-ever EU-wide cybersecurity legislation. It established cybersecurity obligations for operators of “essential services” in critical sectors (such as energy, transport, health and finance), and for digital service providers (online marketplaces, search engines and cloud services).

Recognizing that the cyber threat landscape had changed considerably since the first NIS directive was adopted, the European Commission proposed a revised NIS directive (NIS2) in December 2020. The new directive expanded the number of sectors covered to include:

  • Public administration.

  • Wastewater and waste management providers. 

  • Public electronic communications networks or service providers.

  • Manufacturers of critical products such as pharmaceuticals, medical devices and chemicals.

  • Food producers.

  • Digital services such as social networking platforms and data centres.

  • Space infrastructure providers.

  • Postal and courier services.

NIS2 entered into force on 16 January 2023, and EU Member States have until 17 October 2024 to enact the directive into national law.
