The original NIS directive applied to organizations in seven sectors; the new NIS2 directive adds eight more: providers of public electronic communications networks or services, wastewater and waste management, manufacturing of certain critical products, food, digital services, space, postal and courier services, and public administration.
Big differences
NIS2 requires more organizations to comply with stricter cybersecurity requirements. Compared to its predecessor, NIS2 places high demands on governing bodies such as company boards. According to Article 20, “members of the management bodies of essential and important entities” must undergo training, and member states must encourage significant entities to regularly offer similar training to their employees, so that they acquire sufficient knowledge and skills to be able to identify cybersecurity risks.
The required cybersecurity risk-management measures shall include “at least” the following:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.