Facing NIS 2 directive

Abstract

In January 2023, the European Union introduced the updated Network and Information Security Directive, referred to as “NIS 2”. This directive aims to improve cybersecurity and resilience within organizations in the European Union. To achieve this objective, it will enforce stricter safety requirements, tackle supply chain security, streamline reporting obligations, and implement tougher supervisory measures and enforcement protocols, including standard- ized penalties across the EU. The directive is applicable to all companies providing services or operating in the EU, as long as they have at least 50 employees, or an annual turnover and balance sheet total exceeding 10 million euros, and belong to one of the critical sectors. ”It is feared that the competent authorities will be over- whelmed in practice with the oversight of approximately 160,000 entities,” warns Centre for European Policy cyber expert Philipp Eckhardt [31]. It is essential for each company to consider, “Does this affect me?” and if so, to take necessary action. In this thesis, a comprehensive explanation of the changes introduced by NIS 2 will be provided, highlighting the practical measures, related to cy- ber hygiene, affected enterprises must comply with and the tools that can be leveraged to meet these requirements. The focus will be on open source tools that are well documented, easy to deploy, and maintainable to assist mainly small and medium companies with limited financial and personnel resources. Since the novelty of the argument it does not exist any other work that describes how companies can achieve compliance with this kind of requirements.