The Network and Information Systems Directive 2 (NIS2) regulation goes into effect in October 2024, leaving European Union (EU) member states just a few fleeting months to adopt and publish its compliance recommendations.
NIS2 is part of a global trend that sees legislation being written and adopted specifically to address increasing cybersecurity threats, and it was the focus of the second part of our Summer of Software Regulations & Compliance webinar series.
Ilkka Turunen, Field CTO at Sonatype, was joined by Helen Oakley, Director of Secure Software Supply Chains & Secure Development at SAP, for a closer look at what NIS2 means for European companies. Two key themes emerged – the legislation's reach and its focus on securing the software supply chain.
NIS2 extends the scope of cybersecurity regulations
NIS2 is an update to the NIS Directive, which introduced a minimum level of security for critical network and information systems, including essential services like digital infrastructure and telecom providers. NIS2 expands the scope to more industries and applies to any company that provides essential services.
These essential services are organized into two categories, "Highly Critical" and "Critical" sectors:
|
Highly Critical Sectors
>49 employees and an annual turnover exceeding € 10 million or a balance sheet total exceeding € 10 million
|
Critical Sectors
>249 employees and an annual turnover exceeding € 50 million or a balance sheet total exceeding € 43 million
|
- Energy
- Transport
- Banking
- Financial Market Infrastructure
- Health
- Drinking Water
- Waste Water
- Digital Infrastructure
- ICT Service Management
- Public Administration
- Space
|
- Postal and Courier Services
- Waste Management
- Manufacture, Production, and Distribution of Chemicals
- Production, Processing, and Distribution of Food
- Manufacturing
- Digital Providers
- Research
|
NIS2 also includes a size-cap exemption, meaning that all medium and large organizations in the sectors covered by the Directive must comply, regardless of their criticality.
An emphasis on software supply chain security
A common theme among many of the emerging regulations, including NIS2, is a focus on improving the security of the software supply chain and providing evidence for how organizations are managing vulnerabilities. Software bills of material (SBOMs) are one of the most valuable tools for managing software integrity because they offer a comprehensive list of all components that make up a software application. This is particularly important as the usage of open source software becomes a foundational part of the development process.
NIS2 Compliance Demystified: Insights with SAP and Sonatype is now on demand. You can also register for our upcoming webinars and learn more about compliance topics.
