Your guide to NIS2 and what it means for your organisation’s cybersecurity

Why NIS2: Cybersecurity for Critical Infrastructures:  

The NIS2 directive requires critical infrastructure companies to address potential risks such as human errors, system failures, malicious actors, natural disasters and the physical and environmental security of systems that impact their network and information security. These companies should monitor their cyber security risks and have plans in place to maintain their business continuity. 

The potential consequences of non-adherence to the rules make for sobering reading, with organisations that flout the rules potentially facing fines of up to 10 million Euros, or 2% of total annual global turnover. 

When will NIS2 come into force 

The EU’s NIS2 came into effect on 16th January 2023 and will be installed in every EU member state’s law by 17th October 2024. While there was a predecessor to the new policy - NIS was originally introduced in 2016 - NIS2 applies to more organisations than NIS. 

This article will help you find out if your organisation is subject to NIS2 and if it is, provides tips on how you can comply with this law and avoid the dangers of non-compliance. 

Is your organisation subject to NIS2 regulations? 

Whether you fall under NIS2 depends mainly on two factors - the industry you operate in and the size of your organisation.  

Industries that are covered by NIS2 (also divided into ‘Very Critical’ and ‘Critical’) include: 

 

Very critical	Critical
Transport	Manufacture
Energy	Waste Management
Banking and Financial Market Infrastructure	Postal and Courier Services
Healthcare	Food production, processing, and distribution
Drinking water	Chemical and Pharmaceutical Production
Wastewater	Digital Service Providers
Digital Infrastructure	Research
Management of ICT services (B2B)
Government
Space travel

The size of the company/organisation is also a deciding factor, with all medium-sized organisations (51-249 employees; annual turnover < 50 million Euros) and large organisations (> 250 employees; annual turnover > 50 million Euros) being covered by the legislation. 

Are you Essential or Important?

If your organisation qualifies for NIS2 regulations, there is an additional important distinction to be made: Companies that are ‘Very critical’ are ‘Essential’, companies that are ‘Critical’ are ‘Important’. 

Both are subject to the same cybersecurity management requirements and incident reporting obligations under NIS2. However, the compliance monitoring is different for each: 
 

Very critical = Essential	Critical = Important
For 'Essential' organisations monitoring must be strictly proactive and clearly reflected within processes, with regulators checking that these organisations are applying these measures and complying correctly.	For ‘Important’ organisations, monitoring will be reactive when there is evidence of a cyber incident.

Four key requirement areas 

NIS2 builds upon NIS and has four new key requirement areas that are designed to ensure the cybersecurity of your organisation. 

You need to ensure you can demonstrate the following: 

• Risk management - Organisations need to address all potential risks including human error, system failure, malicious actors, natural disasters, and the physical and environmental security of systems. 
• Corporate accountability - NIS2 holds C-level executives responsible and requires management to oversee, approve, be trained on, and address risks to their organisation’s cybersecurity. Executives will be held personally liable through measures such as suspension from holding management positions if they fail to do this. 
• Reporting obligations – NIS2 has detailed requirements for reporting security incidents, so if your organisation is applicable to NIS2 it is vital that you have processes in place for promptly reporting security incidents. 
• Business continuity – As NIS2 applies to providers of services that are vital to the functioning of society, these organisations must have plans in place to keep their services running if they experience a major security incident. These plans should include system recovery, emergency procedures, and creating a crisis response team. 

Minimum security measures you are required to cover under NIS2 

If you organisation is subject to NIS2 regulations, you must take appropriate and proportional risk management actions to prevent security incidents and minimise their impact. 

To help address these, NIS2 stipulates ten baseline measures you must consider:

1. Policies on risk analysis and information system security.   
2. Incident handling.   
3. Business continuity - such as backup management and disaster recovery, and crisis management.   
4. Supply chain security - including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. 
5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.    
6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures.   
7. Basic cyber hygiene practices and cybersecurity training.    
8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
9. Human resources security, access control policies and asset management. 
10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity – where appropriate.

  

Ensuring you meet the requirements of NIS2 – How Konica Minolta can help you  

Now is the time to take action, as Martin Mølvig, Head of Security Services Europe at Konica Minolta commented, "The launch of NIS2 has brought cybersecurity concerns sharply into focus for many organisations that were unaffected by the original NIS regulations and that may not have been aware beforehand. It is vital that all organisations consider how they are affected and what they must do to be compliant.” 

Martin added, “It may be tempting to avoid investing in the right cybersecurity protection, but NIS2 raises the bar for everyone. For example, from a Business Continuity point of view there may be workarounds to keep the business going through to recovery. But what do you say to stakeholders, customers, and the press etc when there are interruptions to your operations?”
 
Konica Minolta offers a number of professional security solutions that can help to address some of the key NIS2 requirements, such as: 

• Incident handling and maintenance, including vulnerability handling and disclosure. 
• Business continuity with backup management.  
• The use of multi-factor authentication. 

Incident handling and maintenance, including vulnerability handling and disclosure 

Konica Minolta's endpoint protection service Workplace Intrusion Patrol, which is based on Microsoft Defender, protects IT endpoints such as PCs/laptops, tablets and mobile phones, as well as servers, regardless of where employees work and even short periods when they are not connected to a network. The service detects and neutralises stealthy attacks that have managed to bypass other protective security measures (such as passwords and traditional anti-virus tools) and are now present in the IT environment, stopping intruders before they can use the endpoint as a springboard for wider or more serious attacks on central systems and data. In the event of a threat, this cloud-based service isolates the device and eliminates the threat before it spreads further in the IT environment. 

The leading-edge anti-virus solution Bitdefender can be embedded in Konica Minolta's multi-functional printer bizhub i-Series’ firmware and monitors all scanned files and documents transferred to and from it in real time. It immediately detects viruses and malware and informs about the potential threat. It also enables manual scanning on hard drives as well as scanning on demand. This prevents the spread of viruses to other PCs and servers and ensures that the multifunction device does not become a springboard for the loss of corporate information.  

Further, with Shield Guard - Konica Minolta's cloud service for remote security monitoring and management for MFPs - security settings of multiple MFPs can be monitored from anywhere. It collects information about the security status of all devices, sends notification in the event of an incident, and performs mitigation. 

Business continuity with backup management 

Konica Minolta’s Workplace One is a comprehensive solution that includes a managed Microsoft 365 environment, managed backup services, proactive remote monitoring and enabling online services such as Exchange, Teams, OneDrive, etc. in Microsoft 365. Workplace One’s Managed Backup service provides a fully managed, automated backup and recovery service to avoid data loss and costly business interruptions. With its management services and daily backups, Konica Minolta ensures that all your emails and files – including OneDrive, SharePoint and Microsoft Teams – are always protected and restores the data backed up to the Date Centre in the event of data loss due to a cyber-attack threat. The data is hosted in Konica Minolta's ISO27001 certified data centres in Germany and Sweden. Download eBook 

The use of multi-factor authentication 

On top of this, Workplace One offers multi-factor authentication (MFA) which prevents unauthorised access to sensitive information. With MFA, your users must present a combination of two or more credentials to verify their identity for login. Konica Minolta’s cloud print solution Workplace Pure offers also MFA.

You can try Workplace Pure for free for 30 days (with no obligation) here.