NIS 2 Becomes a Reality in EU – What Should Your Business Be Aware Of?

Introduction

NIS 2 compliance for all relevant entities is becoming increasingly important in today’s digital landscape.

With the implementation of the NIS 2 Directive in the EU, many businesses face new cybersecurity requirements they must meet to achieve NIS 2 compliance. The Ministry of Defence’s legislative proposal from July 2024 introduces cross-sectoral framework legislation with sector-specific regulations that must be in place by March 2025. This article provides an overview of what your business needs to be aware of to ensure compliance.


1. Who Is Covered by NIS 2?

To assess whether your business is covered by NIS 2, the following must be evaluated:

  1. Does the company provide services listed in Annex 2 or 3 of the law?
  2. Is the company established in the EU, or does it provide services in the EU?
  3. Does the company exceed the thresholds for SMEs?
    • At least 50 employees
    • Annual turnover of at least EUR 10 million or a balance sheet total of EUR 10 million.

If your company provides services across several sectors, it may need to register with more than one authority to be compliant in every area where it operates.

It is also essential to note that small and medium-sized enterprises that would typically fall outside the directive’s requirements may be included if they significantly influence critical sectors. This applies, for example, to supply chain companies or technology providers that play a vital role in the operation of critical infrastructure.


2. Cybersecurity Requirements

NIS 2 imposes comprehensive cybersecurity requirements, including:

  • Policies for risk analysis and information system security.
  • Incident management and business continuity.
  • Supply chain security, including supplier requirements.
  • Security procedures for the development and maintenance of systems.
  • Basic cyber hygiene and employee training.
  • Use of multi-factor authentication and encryption.

Sector-specific regulations will elaborate on these requirements. Ensure your business is prepared to meet them now.

In addition to these requirements, the directive emphasizes the need for continuous evaluation and adjustment of security measures. This means that companies must implement mechanisms to monitor threats, assess risks, and respond quickly to security incidents in order to remain compliant. It is also important to ensure that clear procedures for employees are in place and kept up to date with the latest requirements and technologies.


3. Registration and Reporting Obligations

Registration:
Companies must assess whether they are covered by NIS 2 and register with the relevant authority. The deadlines are:

  • Digital service providers: January 17, 2025.
  • Other entities: April 17, 2025.

Incident Reporting:

  • Early warning (24 hours): Description of the security incident.
  • Update (72 hours): Initial assessment of the incident.
  • Final report (1 month): Detailed documentation.

Reporting is expected to take place via platforms such as virk.dk.

It is crucial to have clear internal procedures for handling reporting obligations, including criteria for identifying which incidents qualify as significant. Delayed or incomplete reporting can result in fines and damage the company’s reputation.


4. Sanctions and Management Responsibility

Violation of NIS 2 may lead to the following sanctions:

  • Essential entities: Fines up to 2% of global turnover or EUR 10 million.
  • Important entities: Fines up to 1.4% of global turnover or EUR 7 million.

In Denmark, fines are issued through police reports. Management must also approve and oversee the security measures and participate in relevant training.

Management is also responsible for ensuring that the company not only meets the minimum requirements but also proactively integrates cybersecurity as a strategic priority. This includes regular internal audits, assessment of supply chain risks, and collaboration with external specialists to enhance security.


5. Our Recommendations

  • Start now: Identify whether your business is covered by NIS 2 and register with the relevant authorities.
  • Stay informed: Keep up to date with implementing acts from the EU and Danish sector-specific regulations.
  • Implement security measures: Ensure your business meets the technical and organizational requirements of NIS 2.
  • Consult experts: If you are unsure about the requirements, we can help your business achieve NIS 2 compliance.

We also recommend that companies establish a dedicated internal group or collaborate with external advisors to monitor legislative changes and implement the necessary measures. This approach not only ensures NIS 2 compliance but also strengthens the company’s resilience to future threats.

Conclusion

The implementation of the NIS 2 directive in the EU introduces significant new requirements for cybersecurity and reporting, especially for companies providing critical services. It is crucial for businesses to assess their status under the directive, ensure proper registration, and comply with the extensive security and incident management requirements. Active leadership involvement and accountability are key not only to meeting these requirements but also to integrating cybersecurity as a strategic priority.

Companies should act now by mapping their obligations, implementing the necessary measures, and staying updated on regulatory changes. Collaboration with experts and robust internal procedures can help ensure compliance and enhance resilience against future threats. This is not just a legal obligation but also an opportunity to improve overall security and strengthen the company’s reputation by ensuring NIS 2 compliance across all critical operations.