The revised EU directive on the security of network and information systems (NIS2) sets baseline security risk management measures for all the entities operating across the sectors falling within its scope. The directive applies an “all-hazard” approach, thus the risk management measures should also address physical and environmental security (e.g. natural disasters, system failures).
Essential and important entities are required to take appropriate technical, operational, and organisational measures to safeguard the entity’s network and information systems against any security threats. Under the NIS2, they are expected to implement at least several security measures listed in the revised directive, for example, establishing access control policies, and setting up an incident handling procedure.
Essential and important entities must notify significant security breaches to the national computer security incident response team (CSIRT) following a multi-step process. The initial notification should be submitted within 24 hours, followed by a second one within 72 hours after having become aware of a significant incident. A final report with additional information on the breach should be submitted in one month.
Cullen International is releasing a series of reports on the different aspects of the newly revised directive on the security of network and information systems (NIS2). Our second of five reports provides an analysis of the common security risk management and reporting requirements, which apply to all essential and important entities covered by the revised directive.
See also Part 1: Scope
For more information and to access our NIS2 report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
04 November 24
Nine European countries have symmetric access obligations that go beyond the Broadband Cost Reduction Directive or Gigabit Infrastructure Act
Our new benchmark analyses where regulators imposed asymmetric SMP obligations for access to ducts and where symmetric access obligations go beyond BCRD and GIA.
31 October 24
Update on 5G security measures across Europe
Based on publicly available information, Estonia, Germany, Romania and Sweden are the only EU countries that explicitly banned certain 5G equipment vendors.
31 October 24
Most countries in the Americas have no restrictions on vendors for 5G networks
Cullen International’s new benchmark on 5G national security in the Americas region shows that Brazil, Chile and the United States are the only researched countries that have adopted network security measures that apply to 5G networks.