NIS2

EUROPEAN AND NATIONAL LEGISLATION ON THE CYBER SECURITY OF ORGANIZATIONS

The new European directive Network and Information Security Directive 2 (NIS2) is set to become effective in Maltese legislation as early as October 2024. Currently, the NIS1 directive is in force in Malta. The new directive imposes significant requirements on the cybersecurity level of organizations in various societal sectors that are characterized as essential or important.

These mandatory, risk-based cybersecurity measures can effectively contribute to a better security level, and many elements will already be part of the cybersecurity policy of the organizations. However, failure to comply with these mandatory measures may result in significant fines.

BDO Global has developed a clear NIS2 assessment tool that can provide you with insight into your current situation immediately. You can access this tool via the button below.

HOW IT WORKS

NIS2 IN BRIEF:

As NIS2 is not equally accessible to everyone, we offer a brief overview of this European Directive on Network and Information Security. In this article, we explain the essence and tell you who it is important for. Discover the requirements and best practices for compliance with NIS2.

WHERE DO YOU STAND?

To ensure that your organization is ready for these legal cybersecurity requirements in time, it is important to start with the right preparations now. Although the requirements have not yet been formalized in national legislation, it is clear which direction they are heading, as are the parallels with existing frameworks and good practices such as ISO 27001.

Run the NIS2 Analyzer now and get a first impression of where you are today.

What?

The NIS2 imposes security requirements that are grouped under duty of care, reporting obligation, and supervision, and are already relatively concrete before they are formalized in national legislation. These include, among others, the concrete lists of measures from Article 21 and the significant fines from Article 34 (4). Read more in the directive: EUR-Lex – 32022L2555 (europa.eu). In addition, there are a number of other notable elements such as security in the supply chain, responsibility of management bodies, and training obligations.

FOR WHOM?

Organizations that will fall under the new European directive Network and Information Security Directive 2 (NIS2) include energy companies, airlines, water companies, digital service providers, government agencies, and their suppliers.

WHICH ENTITIES?

The NIS2 directive is aimed at more types of companies and organizations than the first NIS directive. This means that there are now more public and private organizations that must comply with the rules.

The organizations now covered by the NIS2 directive include:

Annex I sectors:
  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • ICT-service providers
  • Wastewater
  • Government services
  • Space

Annex II sectors:
  • Digital service providers
  • Postal and courier services
  • Waste management
  • Food production
  • Chemicals
  • Research
  • Manufacturing

Essential entities

These are large organizations that are active in a sector from Annex I of the NIS2 directive (see table).

An organization is considered large based on the following criteria:

  • at least 250 employees; or
  • an annual turnover of more than €50 million and a balance sheet total of more than €43 million.

Important entities

These are medium-sized organizations that are active in a sector from Annex I and medium and large organizations that are active in a sector from Annex II.

An organization is considered medium-sized based on the following criteria:

  • at least 50 employees; or
  • an annual turnover and balance sheet total of more than €10 million.

Our services

We can support your organization in achieving and maintaining NIS2 compliance and the required cybersecurity measures through various services.

Customised cyber security maturity assessment

Our team conducts a thorough evaluation of your current cyber security posture based on and aligned with industry standards and sector-specific best practices.

Gap analysis

Identify weaknesses and vulnerabilities in your existing cyber security organisation, distinguishing the ‘must-haves’ needed for NIS2 compliance in your jurisdiction from the ‘nice-to-haves’ that follow from your desired security level.

Customised action plan

Together with you we create a tailored action plan with clear, concrete and actionable steps to improve your cyber security posture and resilience.

Implementation support

Our experts guide your team in implementing the recommended security measures to better protect your organization and ensure NIS2 compliance, for example:

Management accountability and training

Define management responsibilities and deliver awareness training to the Board.

Third Party Risk Management

Identify relevant suppliers, assess potential security risks and exercise oversight on critical suppliers.

Contingency planning

We can help you create a contingency plan and develop and test procedures in the event of a (simulated) incident.

Incident reporting

Establish incident handling and reporting procedures.

Contact us!

© 2024 BDO Canada LLP