NIS2 – Risk Assessment and Incident Reporting

New requirements of the Network and Information Security Directive. Learn about key changes and implementation deadlines.

The NIS2 Directive (Network and Information Security Directive 2) is the EU's next step towards strengthening cybersecurity at the European level. Member states must transpose the directive into national law by October 17, 2024. NIS2 significantly expands the scope of entities covered by regulations and introduces stricter risk management requirements, including personal data protection and anonymization techniques.

Extended Scope

NIS2 covers many more sectors than the previous directive. Entities are divided into "essential" and "important", which determines the level of requirements and supervision. All covered entities must ensure protection of processed data, including personal data. Implementing data anonymization processes can reduce risks associated with potential breaches and limit GDPR obligations.

Risk Management Requirements

The directive requires implementation of cybersecurity risk management measures proportional to the risk. This includes security policies, incident management, business continuity, and supply chain security. Personal data protection is also important, including the use of data anonymization techniques wherever full identification is not necessary. Automatic personal data detection enables identification of areas requiring special protection.

Incident Reporting – New Deadlines

NIS2 introduces detailed incident reporting requirements. Initial notification must occur within 24 hours of incident detection, and a full report within 72 hours. For incidents involving personal data, rapid identification of the breach scope is necessary. Personal data detection tools enable precise determination of what information was compromised and whether anonymization of remaining data is required.

Penalties and Management Liability

The directive introduces severe sanctions for non-compliance – up to €10 million or 2% of global turnover for essential entities. Importantly, it also introduces personal liability for management members for oversight of risk management measures. Implementing effective data protection processes, including personal data anonymization and retention control, is crucial to minimize penalty risk.

Wizards.io solutions support NIS2 compliance. **Revelio** automatically detects personal data in systems and documents, enabling identification of areas requiring special protection. **Nocturno** is an advanced data anonymization tool that enables irreversible transformation of personal data while maintaining analytical utility. **Oblivio** manages personal data retention, automatically deleting data after specified retention periods.

NIS2 requires a comprehensive approach to cybersecurity, covering both technical and organizational aspects. Automatic personal data detection, anonymization where possible, and retention management are key compliance elements. Organizations should start preparations immediately.