The NIS2 Directive is a new European Union law that aims to improve cybersecurity across the EU. It’s a follow-up to the original NIS Directive. NIS2 expands the types of businesses and organizations that must follow strict security rules. The main goal is to make Europe more resilient to cyber threats by requiring key services to have strong security measures in place.
Examples
- Hospitals and healthcare providers: They must protect patient data and keep their systems running smoothly.
- Energy companies: They need to secure power grids to prevent blackouts.
- Digital service providers: Companies like online marketplaces or cloud computing services must secure their platforms.
Context
The NIS2 Directive was created because cyber threats are growing. The old NIS law was not enough. NIS2 makes the rules tougher and adds more businesses. This ensures that a cyberattack on one key service won’t cause a domino effect across Europe. It works with other laws, like the GDPR (General Data Protection Regulation), to protect data and services.
Relevant ISO 27001 Controls
NIS2 does not directly map to ISO 27001 controls. However, many of the security measures required by NIS2 align with the principles and controls found in ISO 27001. Some relevant controls include:
- ISO 27001:2022 Annex A 5.7 Threat Intelligence: Understanding and responding to cyber threats.
- ISO 27001:2022 Annex A 5.21 Managing Information Security In The ICT Supply Chain: Having a plan for what to do when something goes wrong.
- ISO 27001:2022 Annex A 5.23 Information Security For Use Of Cloud Services: Protecting data stored in the cloud.
- ISO 27001:2022 Annex A 8.15 Logging: Keeping records of system activities to find problems.
- ISO 27001:2022 Annex A 8.12 Data Leakage Prevention: Stopping sensitive information from getting out.
