Prepare to be NIS 2.0 compliant

by Cormac De Róiste
April 7, 2025
Prepare to be NIS 2.0 compliant

On the 17th of October 2024, the European Union’s updated Network and Information Systems Directive, known as NIS 2.0, came into effect. Its aim is to bolster cybersecurity measures and resilience against cyber threats. For companies, especially those involved in public procurement tenders or are in the supply chains, understanding and achieving NIS 2.0 compliance is not just a regulatory requirement but a strategic imperative. 

The Importance of NIS 2.0 Compliance

  1. Enhanced Cybersecurity Posture: NIS 2.0 mandates comprehensive cybersecurity measures, ensuring that organizations are better equipped to handle cyber threats. This includes risk management, incident response, and business continuity planning. 
  1. Competitive Advantage in Public Procurement: Compliance with NIS 2.0 is increasingly becoming a prerequisite for bidding on public procurement tenders. Governments and public sector entities prioritize vendors who demonstrate robust cybersecurity practices, making NIS 2.0 compliance a key differentiator. 
  1. Supply Chain Security: As cyber threats often target the weakest link in the supply chain. This includes ensuring that all suppliers and partners are responsible and adhere to stringent cybersecurity standards.  
  1. Regulatory Compliance and Avoidance of Penalties: Non-compliance with NIS 2.0 can result in significant financial penalties and reputational damage. Ensuring compliance helps organizations avoid these risks and demonstrates a commitment to cybersecurity. 

The 10 Minimum Requirements of NIS 2.0 

To achieve NIS 2.0 compliance, organizations must implement the following ten minimum security measures: 

  1. Risk Assessments and Security Policies: Conduct regular risk assessments and establish comprehensive security policies for information systems. 
  1. Evaluation of Security Measures: Implement policies and procedures to evaluate the effectiveness of security measures continuously. 
  1. Use of Cryptography: Utilize cryptography and encryption to protect sensitive data and communications. 
  1. Incident Handling Plan: Develop and maintain a plan for handling security incidents, including detection, response, and recovery. 
  1. Secure Procurement and Development: Ensure security in the procurement, development, and operation of systems, including vulnerability handling and reporting. 
  1. Cybersecurity Training: Provide regular cybersecurity training and promote basic computer hygiene practices among employees. 
  1. Access Control Policies: Establish security procedures for employees with access to sensitive data, including strict data access policies. 
  1. Asset Management: Maintain an overview of all relevant assets and ensure they are properly utilized and handled. 
  1. Business Continuity Planning: Develop a plan for managing business operations during and after a security incident, including up-to-date backups and system recovery procedures. 
  1. Multi-Factor Authentication: Implement multi-factor authentication, continuous authentication solutions, and encrypted communication methods where appropriate. 

What would happen if an organisation doesn’t comply:  

Non-compliance with the NIS2 Directive can lead to several serious consequences for organizations, including: 

  • Financial Penalties: Organizations can face substantial fines. For essential entities, fines can be up to €10 million or 2% of global annual revenue, whichever is higher. For important entities, fines can reach up to €7 million or 1.4% of global annual revenue 
  • Non-Monetary Penalties: Authorities can impose various non-monetary penalties, such as additional compliance orders, security audit implementation orders, and threat notification orders to the organisation’s customers. 
  • Criminal Sanctions: Top management can be held personally liable for gross negligence in the event of a security incident. This can include personal fines, public statements identifying responsible individuals, and even temporary bans from holding management positions in case of repeated violations. 
  • Reputational Damage: Non-compliance can lead to loss of customer trust, restricted access to EU contracts and funding, and increased scrutiny from regulatory authorities 

To avoid these consequences, it’s crucial for organizations to proactively align their security strategies with NIS2 requirements. 

Mapping NIS Objectives to Microsoft solutions: 

If you own a Microsoft Business premium or an Enterprise licence you will already have many features available to you to help you achieve these objectives. 

  • Implement multi-factor authentication and continuous authentication using conditional access policies 
  • Create security policies to protect your devices using Intune and defender for business, encrypt them using BitLocker and wipe them if they are lost or stolen. 
  • Detect and Manage security incidents by integrating Defender with Sentinel.  

For essential companies and those in the supply chain, achieving NIS 2.0 compliance, it’ is not just about meeting regulatory requirements; it’s about building a resilient and secure digital infrastructure. By adhering to the ten minimum requirements and understanding the broader implications of NIS 2.0, organizations can enhance their cybersecurity posture, gain a competitive edge in public procurement, and ensure the security of their supply chains.  

Embracing NIS 2.0 compliance is a strategic move that underscores a commitment to cybersecurity and positions organizations for success in an increasingly digital world. Microsoft have the ideal suite of solutions to ensure compliance and unpin your cybersecurity infrastructure. Speak to the Microsoft experts at Enterprise to ensure your IT environment is secure and compliant. asktheexperts@enterprise-solutions.ie

Recent posts
deviceTRUST - taking your zero-trust strategy to the next level
No Extra backup needed!! - Citrix on Nutanix
    Previous post deviceTRUST – taking your zero-trust strategy to the next level