Importantly, NIS2 emphasizes the need for computer security incident response teams to be able “to monitor the entity’s internet-facing assets, both on and off premises, in order to identify, understand and manage the entity’s overall organizational risks as regards newly identified supply chain compromises or critical vulnerabilities. Other aspects of NIS2 include:

• significant changes, including new obligations and risk management measures; a wider range of involved stakeholders and in-scope entities; and potentially hefty fines
• according Member States more flexibility to respond to cybersecurity incidents and to protect critical infrastructure with a higher level of resilience.
• regulation of the cybersecurity measures that covered organizations must take; and their reporting obligations
• an important change: significant expansion of coverage to include any sectors considered critical, including energy; transport; banking; finance; health; digital infrastructure; public administration, and certain aspects of infrastructure. Under the old directive, it was up to Member States to determine which organizations were considered in-scope.
• a threshold for defining medium sized companies: 50 employees and an annual turnover exceeding €10,000,000
• a timeframe of 24 hours from when an entity first becomes aware of a cyber incident to submit an initial notification, then a formal incident report no later than 72 hours; and a final report no later than one month after the incident. Failure to comply with NIS2 requirements, could result in substantial fines up to €10 million or 2% of the entities’ total turnover worldwide, whichever is higher

In addition to the new legal ramifications of a breach, organizations affected by the new cyber directive face other financial costs, in addition to reputational damage. Additionally:

• Organizations should continuously monitor internal and external networks so that they can quickly identify, validate, and rank risk, as well as remediate any cyber security issues where appropriate.
• Issues like ransomware and malware need to be swiftly addressed. It is imperative to quickly deploy patches for critical issues and maintain IT hygiene across the infrastructure.
• When it comes to supply chains, organizations need to make sure they know which vendors, suppliers, and other third parties are being used, and what network and data access they may have, to implement a solid strategy to address supply chain cyber security challenges.
• The best solution is to continuously monitor the organization’s supply chain to identify, prioritize and remediate critical issues such as unpatched systems or IT hygiene issues.