The revised EU directive on the security of network and information systems (NIS2) sets baseline security risk management measures for all the entities operating across the sectors falling within its scope. The directive applies an “all-hazard” approach, thus the risk management measures should also address physical and environmental security (e.g. natural disasters, system failures).

Essential and important entities are required to take appropriate technical, operational, and organisational measures to safeguard the entity’s network and information systems against any security threats. Under the NIS2, they are expected to implement at least several security measures listed in the revised directive, for example, establishing access control policies, and setting up an incident handling procedure.

Essential and important entities must notify significant security breaches to the national computer security incident response team (CSIRT) following a multi-step process. The initial notification should be submitted within 24 hours, followed by a second one within 72 hours after having become aware of a significant incident. A final report with additional information on the breach should be submitted in one month.

Cullen International is releasing a series of reports on the different aspects of the newly revised directive on the security of network and information systems (NIS2). Our second of five reports provides an analysis of the common security risk management and reporting requirements, which apply to all essential and important entities covered by the revised directive.

See also Part 1: Scope

For more information and to access our NIS2 report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.