Achieve NIS2 Compliance with 42Gears Solutions

Fortify Your Cybersecurity Baseline

What is NIS2?

The EU's Network and Information Systems Directive (NIS2) builds upon the foundation laid by its predecessor, NIS1. Now fully in force across the European Union, NIS2 significantly raises the cybersecurity bar for critical infrastructure sectors. NIS2 sets stricter cybersecurity enforcement requirements for companies and government agencies alike. Member states were required to transpose the directive into national law by October 17, 2024, making compliance mandatory for all organisations within its scope. This expansion of EU-wide cybersecurity regulations has created a more harmonised and robust security posture across member states. Organisations operating in covered sectors must now ensure their cybersecurity practices meet the strengthened requirements of NIS2 — or face significant penalties.

GDPR vs. NIS2: A Focus Shift in EU Regulations

Think of GDPR and NIS2 as two sides of the same digital security coin, each addressing a crucial aspect.

GDPR (General Data Protection Regulation): Established in 2018, GDPR emphasizes data protection. It sets strict requirements on how EU member states handle personal data, empowering individuals with control over their information.

NIS2 (Network and Information Systems Directive): Now in full effect, NIS2 elevates cybersecurity standards across the EU. Unlike GDPR's focus on data, NIS2 targets essential infrastructure providers. It mandates a robust level of cybersecurity for these organisations to safeguard critical services.

NIS2 Expands Covered Sectors To Strengthen EU Cybersecurity

NIS2 has significantly expanded the number of sectors covered by the directive to encompass all organisations considered critical to societal infrastructure. Sectors including food production, waste management, and their entire supply chains now fall under the directive's regulations. The directive differentiates between "essential entities" and "important entities".

Essential Entities:

Energy
Transport
Finance
Health
Drinking and Wastewater
Digital Infrastructure
Public Administration
Space

Important Entities:

These organisations provide valuable services but are subject to a somewhat lighter regulatory touch compared to essential entities:

Postal and Parcel service
Waste Management
Chemical Products
Food
Production
Digital Providers

How 42Gears Can Help You Achieve NIS2 Compliance

The increased use of mobile devices for remote work, combined with access to sensitive data and communications, makes mobile security a top priority under NIS2. Because the directive requires organisations to prioritise critical infrastructure security, that obligation extends directly to mobile devices. Here is how 42Gears aligns with NIS2 requirements:

| NIS2 Minimum Measure | 42Gears Capability | Key Functionalities |
| --- | --- | --- |
| Risk assessments and security policies for information systems. | Comprehensive Asset Management & Policy Enforcement | Gain a centralised view of devices, users, and applications. Enforce essential security policies like encryption and screen locks to identify and mitigate potential risks. |
| Policies and procedures for evaluating the effectiveness of security measures. | Robust Reporting & Visibility | Leverage real-time reporting to gain insights into device, software, and policy compliance. Identify and address security vulnerabilities. |
| Policies and procedures for the use of cryptography and, when relevant, encryption. | Enforced Security Policies | Enforce encryption of data to safeguard sensitive information, in line with NIS2 encryption requirements. |
| A plan for handling security incidents. | Incident Response & Remote Management | Utilise remote wipe, lock, and locate functionalities to secure compromised devices and safeguard data as part of your incident response plan. |
| Cybersecurity training and a practice for basic computer hygiene. | 42Gears Academy | Training courses and certifications to help partners and customers get the best out of secure device deployments, with access to the latest security best practices. |
| Security procedures for employees with access to sensitive data, including data access policies and asset overview. | Compliance Policies | 42Gears enforces access controls and provides a comprehensive asset inventory to help maintain an overview of relevant devices. Data access policies remain an organisational responsibility. |
| Multi-factor authentication, continuous authentication, and encrypted communications. | Enforce MFA during Enrolment | Protect admin accounts from credential theft by enabling multi-factor authentication, adding an essential extra layer of security. |

For Organizations Already Under NIS

With NIS2 now fully transposed into national law, organisations that previously operated under NIS should have already reviewed and strengthened their cybersecurity posture. If you are still in the process of aligning, focus on these key areas:  
  • Incident Reporting: NIS2 introduces revised timelines and thresholds for reporting incidents — including an initial 24-hour early warning and a full report within 72 hours. Ensure your processes meet these requirements.
  • Security Measures: Strengthen existing security measures with a focus on encryption, access controls, and regular security audits, all of which are central to NIS2's requirements for essential digital services.
  • Training and Awareness: Maintain ongoing staff training and awareness programmes on cybersecurity best practices to embed a culture of security within your organisation.
  • Supply Chain Security: NIS2 places explicit obligations on managing the security of your direct suppliers. Assess each supplier's vulnerabilities and establish appropriate contractual and technical safeguards.

Minimum Measures Needed to Implement NIS2

Requirements vary based on a business's size, societal role, and risk exposure — ensuring that smaller businesses are not disproportionately burdened while larger organisations meet appropriate standards. However, NIS2 mandates certain minimum measures for all relevant organisations. The following is a general summary; it is not exhaustive and professional legal and compliance advice should be sought.

NIS2 minimum measures include:

  • Risk assessments and security policies for information systems.
  • A plan for handling security incidents.
  • A business continuity plan covering operations during and after a security incident — including up-to-date backups and a plan for maintaining access to IT systems.
  • Security measures covering supply chains and direct supplier relationships, tailored to each supplier's specific vulnerabilities.
  • Policies and procedures for evaluating the effectiveness of security measures.
  • Security around the procurement, development, and operation of systems, including vulnerability handling and reporting policies.
  • Cybersecurity training and basic cyber hygiene practices.
  • Policies and procedures for the use of cryptography and encryption.
  • Security procedures for employees with access to sensitive data, including data access policies and a full asset inventory.
  • Multi-factor authentication, continuous authentication solutions, and encrypted communications, where appropriate.

Conclusion

With NIS2 now in force across the EU, there is no time to delay. Strengthen your organisation's security posture with SureMDM — 42Gears' MDM solution offering robust encryption, granular access controls, and regular security audits, all aligned with NIS2's requirements for essential digital services. Sign up for SureMDM today.

Disclaimer: Achieving NIS2 compliance requires implementing a comprehensive set of controls. Mobile Device Management (MDM) solutions can address many, but not all, of these controls. A layered security approach combining MDM with other security solutions is typically necessary to meet all NIS2 requirements.
