If you are a medium-sized or large organization operating in the EU and providing services such as healthcare, public administration, transportation, energy, water or other utilities, finance, or waste management, you must be NIS2 compliant.
NIS2 is designed to raise the level of cybersecurity among organizations operating in the European Union that are important to the bloc's economy and stability.
The Directive has a two-tier approach and varying sizes of fines, depending on how critical the organization is deemed to be:
- 'Essential' entities: Maximum fines of at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Essential entities include large companies providing critical services such as energy, water or finance.
- 'Important' entities: Maximum fines of at least €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. Important entities include medium-sized businesses offering critical services, as well as medium-sized and large companies in sectors like manufacturing, agriculture, or waste management.
Besides the NIS2 fines themselves, the authorities will also have powers to penalize individuals at businesses that are found to be non-compliant.
Senior executives will be made personally liable for poor cybersecurity practices: management bodies must approve and oversee their organization's cybersecurity risk-management measures, and can be held liable for infringements. The aim here is to focus minds (the reality in many firms is that security is still seen as an 'IT thing', and not a concern for C-level staff).
In cases of major negligence, the authorities may prosecute individuals where national law provides for it (with the potential of imprisonment in extreme scenarios; the Directive itself sets administrative fines and leaves criminal penalties to each member state's transposition).
In less serious cases, the named individual may be temporarily barred from carrying out managerial responsibilities at the entity.