{"id":9403,"date":"2024-08-13T11:53:46","date_gmt":"2024-08-13T09:53:46","guid":{"rendered":"https:\/\/aboveit.fi\/nis2-an-easy-two-day-effort\/"},"modified":"2025-11-27T14:04:04","modified_gmt":"2025-11-27T12:04:04","slug":"nis2-an-easy-two-day-effort","status":"publish","type":"post","link":"https:\/\/aboveit.fi\/en\/nis2-an-easy-two-day-effort\/","title":{"rendered":"NIS2 – An easy, two-day effort?"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

NIS2 – An easy, two-day effort, I’ve heard it said. However, this may not be the case and requires a slightly more comprehensive approach to the matter. This is especially true for organizations where administrative cybersecurity may have previously taken a back seat. The NIS2 EU directive comes into force this October. Now, at the latest, organizations should examine the matter more closely. <\/em><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

What is NIS2?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The European Union’s Network and Information Security Directive NIS2 comes into force this October. NIS2 is an expanded and updated version of the previous NIS EU directive, which came into force in 2016. The purpose of the directive is to improve member states’ capabilities to combat cyber threats and to harmonize the level of cybersecurity between member states. NIS2 targets critical sectors of society, such as healthcare, energy, transport, finance, public administration, and the ICT sector. The directive sets minimum requirements for organizations regarding the level of cybersecurity. Organizations must be able to demonstrate compliance with these minimum requirements if necessary. <\/p>\n

I personally consider the arrival of the directive to be genuinely positive and welcome. It covers a very broad range of cybersecurity areas and provides a good foundation for further developing cybersecurity. Responsibility for the obligations of the NIS2 directive also extends beyond organizations’ IT departments. Now, at the latest, the gap between IT management and general management in cybersecurity matters will close, as the framework’s obligations extend to the leadership level. Secondly, I would highlight the general emergence of the administrative cybersecurity aspect in organizations. Especially in small and medium-sized enterprises, cybersecurity improvements are often made at a technical level, and there’s nothing wrong with that, but a comprehensive overview with cybersecurity strategies may not have been considered. Organizations should consider answers to questions such as: What purpose do we aim for and address with technical changes? What requirements are placed on us by different stakeholders? What cybersecurity framework do we follow? <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Is everything clear concerning the directive?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

There seems to be some ambiguity as to whether the NIS2 directive applies specifically to our organization or not. The sectors have been specified at a very high level, and clarifications have been requested for at least some of the areas. There is room for interpretation in certain areas, for which further clarifications are hopefully forthcoming. However, it is important to note that even if an organization does not directly fall within the scope of the NIS2 directive, it may, as part of the supply chain, be required to demonstrate its level of cybersecurity to an organization that does fall within the scope of the NIS2 directive. <\/span><\/p>\n

One of the areas of the NIS2 directive is partner management, which includes verifying the cybersecurity level of partners. Generally, NIS2 targets organizations in socially critical sectors with more than 50 employees or an annual turnover and balance sheet exceeding 10 million euros. The sectors targeted by the directive are divided into essential sectors (highly critical) and important sectors (critical). There is no difference between these two in terms of requirements, but the penalties for non-compliance with the directive are stricter for operators in essential sectors. <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Essential Sectors<\/strong><\/p>\n

<\/p>\n