The revised EU directive on the security of network and information systems (NIS2) sets baseline security risk management measures for all the entities operating across the sectors falling within its scope. The directive applies an “all-hazard” approach, thus the risk management measures should also address physical and environmental security (e.g. natural disasters, system failures).
Essential and important entities are required to take appropriate technical, operational, and organisational measures to safeguard the entity’s network and information systems against any security threats. Under the NIS2, they are expected to implement at least several security measures listed in the revised directive, for example, establishing access control policies, and setting up an incident handling procedure.
Essential and important entities must notify significant security breaches to the national computer security incident response team (CSIRT) following a multi-step process. The initial notification should be submitted within 24 hours, followed by a second one within 72 hours after having become aware of a significant incident. A final report with additional information on the breach should be submitted in one month.
Cullen International is releasing a series of reports on the different aspects of the newly revised directive on the security of network and information systems (NIS2). Our second of five reports provides an analysis of the common security risk management and reporting requirements, which apply to all essential and important entities covered by the revised directive.
See also Part 1: Scope
For more information and to access our NIS2 report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
25 November 24
When generative AI and copyright collide: what is at stake?
Our new Global Trends report explores the legal disputes and regulatory challenges that are arising around the world over the training of generative artificial intelligence (GAI) tools using copyright-protected material.
22 November 24
New 5G spectrum awards among other regulatory developments in MENA region
Our latest MENA Telecoms Update details the most significant regulatory developments taking place in the region between 15 August and 5 November 2024.
19 November 24
Latest updates from Americas media markets
The Mexican regulator will cease operations, while Canada will implement a law on revenue sharing for digital platforms and news outlets. The USA has set new accessibility standards, while the Brazilian communications ministry has announced its short-term regulatory goals. These are the most important developments covered by Cullen International’s latest Media Country Profiles for the Americas region.