The NIS2 Directive (Directive (EU) 2022/2555) is EU legislation, adopted by the European Parliament and the Council, that is intended to raise the level of cybersecurity protection and incident response across the European Union.
It entered into force in January 2023, and Member States were required to transpose it into national law by 17 October 2024; several countries are still completing that transposition.
A wide range of ‘essential’ and ‘important’ entities fall within its scope, with essential entities facing the stricter supervisory regime.
NIS2 covers both the public sector and private businesses in industries deemed critical to the EU’s stability, such as energy, finance, drinking water, transport and digital infrastructure.
Compliance with NIS2 will be enforced by ‘competent authorities’ in each EU country.
If a covered organization suffers a significant incident, it must report it to the competent authority or national CSIRT (an early warning within 24 hours, a fuller notification within 72 hours and a final report within one month), after which the authority can request further information and may fine organizations found to have had inadequate security measures.
Competent authorities can also carry out on-site inspections and random checks: essential entities are subject to this proactive supervision at any time, while important entities are normally inspected only after the authority receives evidence or indications of non-compliance.
Another kind of audit happens in supply chains. NIS2 requires covered entities to manage the security of their suppliers and service providers, so a business that sells products or services to ‘essential’ or ‘important’ entities may be required by those customers to undergo an audit of its own security posture, even if it is not itself in scope.
When an organization is audited, it will typically have only a short window, on the order of two weeks, to compile evidence showing how it complies with the requirements.
If you are not practicing continuous compliance, collating all this information can be very challenging.
You will need to gather significant amounts of information and data from various systems and employees, then compile this into a report.
Especially when the audit is unexpected, this can be very disruptive.