In January 2025, EU member states will notify the European Commission of the sanctioning regime applicable under the new NIS2 Directive, designed to strengthen cybersecurity. This regulation marks a significant leap compared to its predecessor (NIS1), expanding the scope of measures, affected sectors, and compliance requirements. In this article, we explore the key aspects of this regulation, its implications for organizations, and how solutions like Applivery can help you meet current and future cybersecurity demands.
Key changes and updates in NIS2
Expansion of critical sectors: In addition to the previously covered sectors (energy, transport, finance), NIS2 includes sectors like healthcare, postal services, public administration, waste management, and space technologies. It also covers essential supply chains and digital service providers, emphasizing the need to secure critical interdependencies.
Classification of entities: The regulation distinguishes between essential and important entities:
Essential entities
These are entities whose disruption would have a significant impact on security, the economy, and society. This includes:
- Energy infrastructures: Electricity, gas, oil, and renewable energy.
- Healthcare sector: Healthcare providers, pharmaceutical services, and biotech.
- Public administration: Critical government entities at regional or national levels.
- Telecommunications: Essential communication networks and services.
- Water and waste: Drinking water supply and wastewater management services.
Essential entities are subject to stricter supervision and harsher penalties.
Important entities
This category includes organizations for which the impact of an incident would be significant, but not as critical as for essential entities. Examples include:
- Postal and messaging services.
- Food production and distribution.
- Industrial manufacturing: sectors such as information technology and automotive.
- Research and technological innovation centers.
While the security requirements are less strict than those for essential entities, these organizations still face substantial penalties.
Risk management and governance: Organizations must adopt mandatory measures such as encryption, vulnerability management, and multifactor authentication, as well as strengthen governance through active participation from senior management.
Incident notification: Affected companies must report severe incidents within 24 to 72 hours, ensuring quick responses and coordination with national authorities and CSIRTs (Computer Security Incident Response Teams).
Severe penalties: Fines can reach up to €10 million or 2% of global turnover in case of non-compliance.
Why NIS2 is more critical than ever
With the rise in cyber threats and the increasing interconnectivity of systems, companies face risks that transcend borders. NIS2 addresses this reality by demanding a proactive approach to risk management, data protection, and operational resilience. This not only involves complying with the regulation but also protecting the trust of customers and business partners.
Additionally, the regulation does not affect only companies within the EU. Organizations outside the region that offer services or products to European clients are also subject to its provisions, highlighting its global reach.
How Applivery enhances your compliance with NIS2
Secure app distribution:
Device and security policy management:
Incident notification and response:
Ongoing, auditable compliance:
Anticipate the new regulation
Compliance with NIS2 is not just a legal requirement but also an opportunity to strengthen your competitive position in the market. Investing in tools like Applivery can simplify this process, helping you integrate security at every stage of the app and device lifecycle.