Question 1

Reporting obligations (Article 23 NIS2 Directive)

Accepted Answer

The notification period for the suspicion of a significant security incident is 24 hours (early warning) and 72 hours for a detailed assessment including the severity and its impact. One month after the notification of the early warning, a detailed final report must be submitted to the competent supervisory authority, describing the security incident in detail in terms of its cause and impact, as well as the remedial measures taken/underway. Cross-border effects must be reported in any case.

Question 2

Risk management (Article 21 NIS2 Directive)

Accepted Answer

Affected organisations shall take appropriate and proportionate technical, operational and organisational cyber security measures that reflect the state-of-the-art and include at least the following:  Policies: policies on risk analysis and information system security Incident Handling: Prevention, detection and management of cyber incidents Business Continuity: BCM such as backup management and disaster recovery, and crisis management Supply Chain Security: including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers Procurement Security: Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure Effectiveness: Policies and procedures to assess the effectiveness of cybersecurity risk-management measures Training: Basic cyber hygiene practices and cybersecurity training Cryptography: policies and procedures regarding the use of cryptography and, where appropriate, encryption Staff: Human Resources Security Access control Asset Management Authentication: Use of multi-factor authentication SSO Communikation: Use of secured voice, video and text communications Emergency communication: Use of secured emergency communication systems within the entity

Question 3

Management Duties & Governance (Article 20 NIS2 Directive)

Accepted Answer

Senior management must approve cyber security risk management measures taken, monitor their implementation and be liable for breaches of these due diligence obligations. In addition, senior management must participate in training on the identification and assessment of risks and management practices in the area of cyber security and its impact, and provide relevant training to all employees on a regular basis.

Question 4

Enforcement & Sanctions (Article 32 NIS2 Directive)

Accepted Answer

The competent supervisory authority is granted far-reaching enforcement measures and sanctions. These include, among others  Evidence and tests: Authorities are to receive evidence, review it and carry out their own tests, audits and investigations, including on-site inspections/ random checks, regular and targeted security audits and ad hoc audits (especially after a security incident). Information claims: Authorities can request and inspect data, documents, information, evidence of implementation. Binding instructions: Authorities can issue binding instructions to operators in case of non-compliance, issue public warnings, appoint a supervisor (monitor). Operating licence: In the case of continuous non-compliance, authorities can set deadlines and withdraw operating licences, certifications or similar in the event of violations.

NIS2 Directive: Are you affected? Check now!

The NIS2 Directive is likely to apply to your organisation.

Need more guidance on NIS2 directive?
Lets have a quick chat.

Want more details? Get an overview of 4 key areas to address in NIS2

Reporting obligations (Article 23 NIS2 Directive)

Risk management (Article 21 NIS2 Directive)

Management Duties & Governance (Article 20 NIS2 Directive)

Enforcement & Sanctions (Article 32 NIS2 Directive)

What to do next? Read the 10-step guide to NIS2 compliance.

The NIS2 Directive is not likely to apply to your organisation.

Unsure about what other regulations might apply to your business?
Contact us!

What to do next? Read the 10-step guide to NIS2 compliance.

Looks like you are not sure about some questions.

Need more guidance on NIS2 directive?
Lets have a quick chat.

Want more details? Get an overview of 4 key areas to address in NIS2

Reporting obligations (Article 23 NIS2 Directive)

Risk management (Article 21 NIS2 Directive)

Management Duties & Governance (Article 20 NIS2 Directive)

Enforcement & Sanctions (Article 32 NIS2 Directive)

What to do next? Read the 10-step guide to NIS2 compliance.

How can we help?Contact us.

Products

Platform

Frameworks

Solutions

Resources

Company

NIS2 Directive: Are you affected? Check now!

The NIS2 Directive is likely to apply to your organisation.

Need more guidance on NIS2 directive?Lets have a quick chat.

Want more details? Get an overview of 4 key areas to address in NIS2

What to do next? Read the 10-step guide to NIS2 compliance.

The NIS2 Directive is not likely to apply to your organisation.

Unsure about what other regulations might apply to your business?Contact us!

What to do next? Read the 10-step guide to NIS2 compliance.

Looks like you are not sure about some questions.

Need more guidance on NIS2 directive?Lets have a quick chat.

Want more details? Get an overview of 4 key areas to address in NIS2

What to do next? Read the 10-step guide to NIS2 compliance.

How can we help?Contact us.

Products

Platform

Frameworks

Solutions

Resources

Company

Need more guidance on NIS2 directive?
Lets have a quick chat.

Unsure about what other regulations might apply to your business?
Contact us!

Need more guidance on NIS2 directive?
Lets have a quick chat.