Table of Contents
What is NIS2?
To whom does NIS2 apply?
How does SaaS management play into NIS2?
NIS2 is a new directive concerning EU member states, coming into effect in October 2024. The NIS2 directive is a continuation of the original NIS directive which entails how organizations and businesses that are deemed important to society and provide essential services should handle cyber security and what procedures and best practices they must follow. The directive is a response to increasing digitalization and the cyber security issues that come with it and will act as a standardization of certain security measures and risk management methods across the EU.
NIS2 - "Network and Information Security Directive"
The new NIS2 directive includes the following areas:
Risk management: Organizations must utilize cyber security measurements. This includes incident management, supply chain security, improved encryption, access management, and network security.
Corporate accountability: Corporate management must ensure they are trained and capable of managing an entity's cyber security measures. Failure to do so now includes more liability and may result in fines and other repercussions
Reporting Obligations: Affected entities must now have procedures in place to report security incidents with significant impact, and to do so within certain timeframes.
Business Continuity: Organizations must now create plans for how business can continue during a major disruption or security incident. This includes efforts such as system recovery and response teams
Apart from these four main areas, several “minimum requirements” are also listed. These requirements are:
- Risk assessments and security policies in place
- Procedures for cryptography and in some cases encryption
- Special security procedures applicable to employees with access to more sensitive and important data
- Use of multi-factor authentication (MFA)
- Procedures for the evaluation of effectiveness in security measures
- An action plan for handling security incidents
- Cyber security training for employees
- Creating plans and procedures for managing operations during and after a security incident
- Stricter security in regards to supply chains and supplier relationships
To whom does NIS2 apply?
NIS2 contains two different types of classifications for organizations within critical sectors: Essential entities (EE) and Important entities (IM)
Apart from these categories, Essential entities and Important entities are also judged by their size in the form of number of employees and annual turnover.
How does SaaS management play into NIS2?
Implementation of a proper SaaS management platform for digital services becomes crucial for many aspects of NIS2. It helps businesses control the usage of their online software, protect sensitive data, and make sure only authorized users have access to different systems with access control.
This is, of course, very, very important for organizations that are directly affected by NIS2 to keep track of. But what some may miss is that since NIS2 also covers supply chain security, companies and third parties that deliver some sort of service or product to these organizations must comply with NIS2 to be eligible for business.
This means that a great deal of companies, not only those directly categorized within NIS2, will be affected and must overlook their cyber security. Requirements such as having routines for data security and managing access control to software systems will therefore become minimum criteria for all companies that have some form of business relation towards organizations categorized within NIS2.
If you are working at a small or medium-sized business and are looking for a user-friendly and cost-efficient management platform to aid you in access control and data security, consider contacting us here to get to know Substly better
