The EU NIS2 directive will affect many UK firms. Prepare now, CloudM says

New cybersecurity rules are raising the bar on compliance when working with entities domiciled in the European Union (EU), with organisations urged not to wait for further details in April 2025.

According to CloudM, a provider of Microsoft 365 (M365) and Google Workspace data management offerings, starting now means getting ahead on data security requirements in the Network and Information Security 2 (NIS2) Directive, which entered into force in 2023.

“If your organisation is likely to be classified as either an essential or important entity by the NIS2 Directive, it’s crucial to start preparing for compliance now, even amid the prevailing uncertainties,” the vendor said in a blog update.

The NIS2 Directive updated EU cybersecurity rules introduced in 2016 in a bid to “modernise” the existing legal framework with a view to increased digitisation and evolving cybersecurity threats, according to European Commission announcements.

The NIS2 Directive is intended to boost cybersecurity across the EU, it said, including “resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole”.

Many UK companies and bodies that work with EU countries or companies, especially in particular sectors such as banking or finance, may be forced to take “appropriate security measures and notify relevant national authorities of serious incidents”, the announcement revealed.

“Digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements.”

EC reporting has identified threats such as cyber-attacks and espionage activities from state-sponsored threat actors and cyber criminals in private and public sectors and their supply chains – especially for 5G and renewables – as of “particular” concern.

How to approach NIS2

CloudM recommends organisations begin strengthening data security and related protocols, even though all details aren’t yet available.

“This involves conducting a thorough risk assessment and identifying potential vulnerabilities within your current systems,” the vendor said, then moving on to best practice.

CloudM’s head of legal Julie Nauwelaers said NIS2 compliance may become complex, with EU directives typically intended to set minimum standards or even mandate specific outcomes.

“By starting now, you can mitigate risks, ensure data security, and position your organisation,” she said in a related post.

“NIS2 doesn’t impose direct obligations on private operators but does set out the broad lines of the national measures that the Member States must adopt.”

As per Article 21 of the Directive, implementations must include risk analysis and information systems security policies, incident handling, business continuity, such as backup management and disaster recovery, and crisis management.

Attention will also be needed on supply chain security, policies and procedures, “basic cyber hygiene” practices, and cybersecurity training, including for management, she added.

“Businesses must also notify the competent authorities of any significant cybersecurity incident,” she said, pointing to this EC document for further information.

Read more on the CloudM website.

Cryptography and encryption, human resources security, access control, asset management, secured voice, video and text security, emergency communications systems, and multi-factor or continuous authentication arrangements may all require attention, Nauwelaers indicated.

(Photo by Christian Lue on Unsplash)
