The NIS2 Directive brings stricter digital security standards for European businesses. This blog explains what’s important for UK SMEs. Ensure your business is ready for the increased requirements and avoid supply chain risks when working with larger partners. Find out who is affected and how to comply with the new cybersecurity standards.
The Network and Information Security (NIS2) Directive is a European regulation aimed at increasing the digital resilience and security of networks and information systems within the EU. The Directive aims to improve the digital and economic resilience of European Member States. The Directive includes a Duty of Care, a Duty of Notification, and a Duty of Oversight, all aimed at achieving stronger cybersecurity. NIS2 replaces the original NIS Directive of 2016 and significantly expands its scope and requirements. Whereas the original NIS Directive focused mainly on large companies and vital sectors, NIS2 extends the requirements to a wider range of sectors, organisations and companies.
It applies to large and medium-sized companies (with more than 50 employees or an annual turnover of more than €10 million) in certain sectors considered essential or important to society or the economy. Because these sectors play a critical role in society and the economy, they require extra protection against cyber threats. Essential sectors include:
Other key sectors include:
For SMEs, this means that companies in these sectors may also have to comply with NIS2 requirements, especially if they are part of the supply chain of larger organisations covered by the Directive.
Although NIS2 is a European regulation, it can be relevant to UK companies trading with European organisations. Many EU companies covered by NIS2 will need to ensure that their entire supply chain, including external suppliers, meets higher standards of cyber security. UK companies working with European customers or partners may therefore be required to meet certain cybersecurity requirements themselves, in order to meet the expectations and requirements of EU partners.
Although micro and small businesses are mostly outside the scope of the NIS2 Directive, customers who are covered by the NIS2 Directive will begin to require you to meet certain cybersecurity standards in order to do business. So you will be indirectly affected by NIS2 requirements if your customers or suppliers are covered by the directive. Large organisations that have to comply with NIS2 must ensure that their suppliers meet higher standards of cyber security. As a result, customers and partners are imposing stricter requirements on SMEs to mitigate supply chain risks.
Under NIS2, the consequences of poor cyber management have been significantly increased compared to the original NIS Directive. Companies now risk heavy fines and even legal action, with fines of up to a percentage of annual turnover. In addition, executives can be held personally liable for inadequate cyber measures, which can lead to dismissal or other legal consequences. The Directive also introduces greater oversight, allowing regulators to conduct regular compliance audits, increasing the pressure for continuous compliance. In addition, companies must report serious cyber incidents to the authorities within a short period of time; failure to report on time can also lead to sanctions. With these additions, NIS2 encourages companies to take a proactive and diligent approach to cybersecurity.
Digital resilience offers several benefits to SMEs, especially as cybersecurity becomes increasingly important in collaborations and regulations:
While the NIS2 Directive applies mainly to larger organisations in vital sectors, it is wise for SMEs to take cyber security seriously too. Securing online data not only helps prevent incidents, but also protects your company's reputation.
Here are some steps to get you started:
When customers and partners know that you take data security seriously, it builds trust in your brand. On the other hand, a security incident can lead to a loss of customer confidence and negative publicity. In the long run, this can damage your reputation. Reliable security demonstrates that your business is responsible, which is important to customers and business partners who value security and integrity.
Cybersecurity is now both a business and a personal responsibility: under the new NIS2 sanctions, individuals can be held liable. Our platform incorporates this into its governance questions to help businesses. Want to know how your business can comply with NIS2 and other standards? Get in touch with Eevery!