Stephane Larue

Update on NIS2

Srity issued an updated presentation on the NIS 2 Directive, covering several key aspects of the updated cybersecurity legislation in the EU. Here is a summary of the main points:

 

The NIS 2 Directive builds on the original 2016 NIS Directive, aiming to enhance cybersecurity across the EU by broadening its scope to include more industries and introducing stricter requirements. The main objectives include improving Member States’ preparedness, fostering cooperation among Member States, and promoting a culture of security across vital sectors such as energy, transport, healthcare, and digital infrastructure.

 

The timeline for the NIS 2 Directive includes its publication in 2022, with a deadline for transposition into national law by October 2024. In Belgium, the process involves several steps, including the setup of a working group, draft law adoption, and parliamentary review, with final adoption expected by October 2024.

 

Entities affected by NIS 2 are categorized based on their activity and size. Essential and important entities must implement various cybersecurity measures, such as risk analysis, incident handling, business continuity, supply chain security, and the use of multi-factor authentication.

 

Reporting obligations under Article 23 require entities to notify their CSIRT or competent authority of significant incidents without undue delay. The reporting timeline includes an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.

 

Authorities will conduct controls on entities, with essential entities subject to both ex-ante and ex-post supervision, while important entities face ex-post supervision only. Potential fines for non-compliance can reach up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities.

 

The next steps for interested customers include taking a NIS2 assessment, confirming if they are in scope of NIS 2, informing senior management of regulatory requirements, and ensuring compliance with Articles 21 and 23 through specific control assessments and incident management processes.

Please feel free to contact us to receive the presentation and for further NIS 2 explanations tailored to your needs.

Stephane Larue

Forescout 2022 IOT Devices Security Report

It has been clear for a few years now that IoT devices across our different industries have become a primary target for cyber criminals who want to penetrate or disrupt operations. The report below by Forescout digs into the main threats and challenges of this neglected aspect of security in a smart way, analysing the problem in different industry verticals and pointing out again and again three main points of attention:

  1. Know what you have

  2. Upgrade your devices

  3. Patching, patching and patching.

These basic security hygiene principles make total sense in the world of IoT, as customers and IoT vendors race to come up with strategies matching those of major software vendors.

https://www.forescout.com/the-enterprise-of-things-security-report-state-of-iot-security/

Stephane Larue

ENISA Threat Landscape 2021

The European Agency for Cyber Security publishes a yearly European-centered threat landscape report. An interesting read to get a picture of the actual cyber menace for European companies.

https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021
