Once transposed into national law, NIS2 raises the minimum effort organizations must spend on cybersecurity. It does so by allowing member states to hold management bodies personally liable when an organization's failure to comply is traced to them, for example where gross negligence is established after a cyber incident.
For essential entities, NIS2 furthermore allows the competent authorities to temporarily prohibit the persons responsible at CEO or legal-representative level from exercising managerial functions in case of persistent non-compliance.
This is, however, a worst-case scenario, and NIS2 sets out what organizations must do to avoid it. For example, to ensure that management is sufficiently aware of cyber risks, NIS2 requires members of management bodies to follow cybersecurity training.
NIS2 encourages organizations to offer similar training to all employees, but this is not mandatory. Furthermore, it requires that cybersecurity risk-management measures be approved and overseen by the management body, so that management is aware of, and has considered, the cybersecurity risks within its organization.
Incident obligations
These proactive and preventive measures are not the only thing NIS2 describes; it also mandates post-incident activities. NIS2 defines an incident as an event compromising "the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible via, network and information systems". An event that could have compromised these properties but was prevented or did not materialize is defined separately as a near miss, which is not subject to the mandatory reporting below.
When an organization becomes aware of a significant incident (one that causes or can cause severe operational disruption or financial loss, or considerable damage to others), it must send an early warning to the competent authority or CSIRT within 24 hours of becoming aware of it, and follow up with an incident notification within 72 hours.
That notification must update the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise. The authorities may also request intermediate status reports while the incident is ongoing. Lastly, every reported incident requires a final report within one month of the incident notification, covering the cause, the mitigation applied and, where applicable, any cross-border impact.