Apart from the overarching goal of closer EU coordination and cooperation on cybersecurity, the NIS2 directive comes with a broader scope and a wider definition of which organizations count as essential or important entities. And even though the NIS2 directive does not apply to micro companies, other aspects of it still create a need to strengthen the security culture of the whole organization. For any organization to comply with obligations such as reporting near misses or covering the security of its supply chain, a cybersecurity culture that involves the whole organization is crucial.
Detecting emerging threats
The proposed update to the original NIS Directive aims to address emerging cybersecurity threats and enhance cybersecurity across EU member states by extending its scope to cover more sectors, including digital service providers (DSPs) and platforms.
As a result, organizations in these sectors would be required to comply with the NIS2 directive and implement measures to prevent cyber incidents and minimize their impact. One of the key requirements of the directive is to ensure that staff members who have access to sensitive systems and data receive adequate cybersecurity training and awareness.
Therefore, organizations in the affected sectors would need to develop and implement comprehensive cybersecurity awareness training programs for their employees. The training would need to cover topics such as identifying and reporting cybersecurity incidents, safe use of IT systems and networks, and best practices for protecting sensitive information.
The NIS2 directive also requires organizations to conduct regular training and awareness assessments to ensure that employees are equipped with the necessary knowledge and skills to prevent and respond to cybersecurity incidents.