Security

Your guide to NIS2 and what it means for your organisation’s cybersecurity

Failures or impairments of critical infrastructure can result in supply shortages, disruptions to public safety or other dramatic consequences. The EU's NIS2 directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, the successor to the 2016 Network and Information Security directive) aims to strengthen the cyber resilience of European companies and institutions that form critical infrastructures. Does your organisation count as critical infrastructure, and if so, what does it need to consider with regard to NIS2?

14.11.2023
A report by Waterfall Security shows a dramatic increase in cyber-attacks on critical infrastructure from 2021 to 2022, namely by 140%. According to this study, most cyber-attacks on critical infrastructure in 2022 were ransomware, which did not only affect the IT network but also had physical consequences in the real world when crippled IT systems brought operations to a halt. The report lists examples such as outages at 14 top automobile manufacturing plants, 23 tyre plants, a major food company and a publishing company, flight delays for tens of thousands of air travellers, and malfunctions in the loading and unloading of cargo containers.

Why NIS2: Cybersecurity for Critical Infrastructures

The NIS2 directive requires critical infrastructure companies to address potential risks such as human errors, system failures, malicious actors, natural disasters and the physical and environmental security of systems that impact their network and information security. These companies should monitor their cyber security risks and have plans in place to maintain their business continuity. 

The potential consequences of non-adherence to the rules make for sobering reading: 'Essential' organisations that flout the rules face fines of up to 10 million Euros or 2% of total annual worldwide turnover, whichever is higher; for 'Important' organisations the ceiling is 7 million Euros or 1.4% of turnover, whichever is higher. 

When will NIS2 come into force? 

The EU’s NIS2 entered into force on 16th January 2023 and must be transposed into every EU member state’s national law by 17th October 2024, after which it applies to organisations in scope. There was a predecessor to the new directive - the original NIS directive was adopted in 2016 - but NIS2 applies to considerably more organisations than NIS did. 

This article will help you find out if your organisation is subject to NIS2 and if it is, provides tips on how you can comply with this law and avoid the dangers of non-compliance. 

Is your organisation subject to NIS2 regulations? 

Whether you fall under NIS2 depends mainly on two factors - the industry you operate in and the size of your organisation.  

Industries that are covered by NIS2 are divided into ‘Very critical’ sectors (Annex I of the directive, "sectors of high criticality") and ‘Critical’ sectors (Annex II, "other critical sectors"). They include: 

Very critical 
  • Transport 
  • Energy 
  • Banking and Financial Market Infrastructure 
  • Healthcare 
  • Drinking water 
  • Wastewater 
  • Digital Infrastructure 
  • Management of ICT services (B2B) 
  • Government (public administration) 
  • Space 

Critical 
  • Manufacture 
  • Waste Management 
  • Postal and Courier Services 
  • Food production, processing, and distribution 
  • Chemical and Pharmaceutical Production 
  • Digital Service Providers 
  • Research 

The size of the company/organisation is also a deciding factor. All medium-sized organisations (50-249 employees, with annual turnover of up to 50 million Euros or a balance-sheet total of up to 43 million Euros) and large organisations (250 or more employees, or annual turnover above 50 million Euros, or a balance-sheet total above 43 million Euros) in the sectors above are covered by the legislation. Note that some entities fall under NIS2 regardless of their size, for example DNS service providers, top-level domain name registries, central government bodies, and organisations that are the sole provider of an essential service in a member state. 

Are you Essential or Important?

If your organisation qualifies for NIS2 regulations, there is an additional important distinction to be made. As a rule, large organisations in a ‘Very critical’ sector are ‘Essential’ entities; medium-sized organisations in those sectors, and organisations of either size in a ‘Critical’ sector, are ‘Important’ entities (member states may designate further entities as essential). 

Both are subject to the same cybersecurity risk management requirements and incident reporting obligations under NIS2. However, the compliance monitoring is different for each: 

Very critical = Essential: for ‘Essential’ organisations, supervision is proactive (both before and after an incident) and must be clearly reflected within processes, with regulators checking that these organisations are applying the required measures and complying correctly. 

Critical = Important: for ‘Important’ organisations, supervision is reactive and only takes place when there is evidence that the organisation is not complying, for instance after a cyber incident. 

 

Four key requirement areas 

NIS2 builds upon NIS and has four new key requirement areas that are designed to ensure the cybersecurity of your organisation. 

You need to ensure you can demonstrate the following: 
  • Risk management - Organisations need to address all potential risks including human error, system failure, malicious actors, natural disasters, and the physical and environmental security of systems. 
  • Corporate accountability - NIS2 holds C-level executives responsible and requires management to oversee, approve, be trained on, and address risks to their organisation’s cybersecurity. Executives can be held personally liable, and in essential entities a natural person with managerial responsibility can be temporarily banned from exercising that function if they fail to do this. 
  • Reporting obligations – NIS2 has detailed requirements for reporting significant security incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month. If your organisation is subject to NIS2 it is vital that you have processes in place that can meet these deadlines. 
  • Business continuity – As NIS2 applies to providers of services that are vital to the functioning of society, these organisations must have plans in place to keep their services running if they experience a major security incident. These plans should include system recovery, emergency procedures, and a designated crisis response team. 

Minimum security measures you are required to cover under NIS2 

If your organisation is subject to NIS2 regulations, you must take appropriate and proportionate technical, operational and organisational risk management measures to prevent security incidents and minimise their impact. 

To help address these, NIS2 stipulates ten baseline measures that you must implement as a minimum:
  1. Policies on risk analysis and information system security.   
  2. Incident handling.   
  3. Business continuity - such as backup management and disaster recovery, and crisis management.   
  4. Supply chain security - including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. 
  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.    
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures.   
  7. Basic cyber hygiene practices and cybersecurity training.    
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
  9. Human resources security, access control policies and asset management. 
  10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity – where appropriate.
  

Ensuring you meet the requirements of NIS2 – How Konica Minolta can help you  

Now is the time to take action, as Martin Mølvig, Head of Security Services Europe at Konica Minolta commented, "The launch of NIS2 has brought cybersecurity concerns sharply into focus for many organisations that were unaffected by the original NIS regulations and that may not have been aware beforehand. It is vital that all organisations consider how they are affected and what they must do to be compliant.” 

Martin added, “It may be tempting to avoid investing in the right cybersecurity protection, but NIS2 raises the bar for everyone. For example, from a Business Continuity point of view there may be workarounds to keep the business going through to recovery. But what do you say to stakeholders, customers, and the press etc when there are interruptions to your operations?”
 
Konica Minolta offers a number of professional security solutions that can help to address some of the key NIS2 requirements, such as: 

  • Incident handling and maintenance, including vulnerability handling and disclosure. 
  • Business continuity with backup management.  
  • The use of multi-factor authentication. 

Incident handling and maintenance, including vulnerability handling and disclosure 

Konica Minolta's endpoint protection service Workplace Intrusion Patrol, which is based on Microsoft Defender, protects IT endpoints such as PCs/laptops, tablets and mobile phones, as well as servers, regardless of where employees work and even during short periods when they are not connected to a network. The service detects and neutralises stealthy attacks that have managed to bypass other protective security measures (such as passwords and traditional anti-virus tools) and are now present in the IT environment, stopping intruders before they can use the endpoint as a springboard for wider or more serious attacks on central systems and data. In the event of a threat, this cloud-based service isolates the device and eliminates the threat before it spreads further in the IT environment. 

The leading-edge anti-virus solution Bitdefender can be embedded in Konica Minolta's multi-functional printer bizhub i-Series’ firmware and monitors all scanned files and documents transferred to and from it in real time. It immediately detects viruses and malware and informs about the potential threat. It also enables manual scanning on hard drives as well as scanning on demand. This prevents the spread of viruses to other PCs and servers and ensures that the multifunction device does not become a springboard for the loss of corporate information.  

Further, with Shield Guard - Konica Minolta's cloud service for remote security monitoring and management for MFPs - security settings of multiple MFPs can be monitored from anywhere. It collects information about the security status of all devices, sends notification in the event of an incident, and performs mitigation. 

Business continuity with backup management 

Konica Minolta’s Workplace One is a comprehensive solution that includes a managed Microsoft 365 environment, managed backup services, proactive remote monitoring, and enablement of online services such as Exchange, Teams and OneDrive in Microsoft 365. Workplace One’s Managed Backup service provides a fully managed, automated backup and recovery service to avoid data loss and costly business interruptions. With its management services and daily backups, Konica Minolta ensures that all your emails and files – including OneDrive, SharePoint and Microsoft Teams – are always protected, and restores the backed-up data from the data centre in the event of data loss caused by a cyber-attack. The data is hosted in Konica Minolta's ISO 27001 certified data centres in Germany and Sweden. 

The use of multi-factor authentication 

On top of this, Workplace One offers multi-factor authentication (MFA), which helps prevent unauthorised access to sensitive information even when a password has been stolen or guessed. With MFA, your users must present a combination of two or more credentials (for example a password plus a one-time code or a hardware token) to verify their identity at login. Konica Minolta’s cloud print solution Workplace Pure also offers MFA.

You can try Workplace Pure for free for 30 days (with no obligation).

Help with your cybersecurity requirements

For further help and assistance with your cybersecurity needs and obligations, please download your free cybersecurity guide.