NIS 2
NIS 2 is the EU's second-generation directive on cybersecurity. It extended the original NIS Directive to a much broader set of sectors and entities, and member states had to transpose it into national law by 17 October 2024.
NIS 2 covers far more entities than the original NIS, which covered around 12,000 essential and digital service providers across the EU. The 24-hour early warning for incidents is short by historical standards, and the directive makes management bodies personally accountable for cybersecurity risk management. Certain entity types are in scope regardless of size, including DNS providers, top-level domain registries and trust service providers. Most software vendors selling into essential or important sectors will see NIS 2 due-diligence questionnaires from buyers.
Definitions
Practical guides
NIS 2 sectors in scope: essential, important, and the size-cap exceptions
NIS 2 catches entities by sector and by size. Annex I lists eleven essential sectors. Annex II lists seven important sectors. The size threshold is 50 employees or €10 million in annual turnover. Some entity types are caught regardless of size.
NIS 2 incident reporting: 24 hours, 72 hours, one month
Article 23 of NIS 2 sets a three-stage incident reporting obligation: an early warning to the competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
NIS 2 management liability: what governing bodies are accountable for
Article 20 of NIS 2 makes the management bodies of in-scope entities directly accountable for approving cybersecurity risk management measures, overseeing their implementation, and following appropriate training. Several national transpositions add personal liability, including temporary bans from management positions.