Raivis Bidiņš, cybersecurity consultant at Tet, said (as reported by 24 Channels): Ukrainian companies also need to prepare for these changes, because most business data is stored and processed abroad and the country is on its way to joining the EU. So what is important to know now, and which requirements will become mandatory?
What is NIS2?
The NIS2 Directive is a key piece of European legislation designed to raise the level of cybersecurity and resilience of critical infrastructure and essential services across the EU. It was adopted at the end of 2022, and Member States had to transpose it into national law by October 17, 2024, the date from which its obligations apply to the organisations it covers.
NIS2 strengthens cybersecurity requirements and makes a number of measures mandatory: developing and implementing a clear risk-management plan and the technical and organisational measures that go with it, establishing and training security teams, and so on.
How is NIS2 different from the previous version?
The European Union already adopted the first NIS Directive (NIS1) in 2016, but it left Member States wide discretion in deciding which organisations were covered and how the rules were enforced, so implementation was uneven across the EU. NIS2 introduces several important differences:
- The requirements of the directive apply to a wider range of sectors: in addition to energy, transport, healthcare and finance, which NIS1 already covered, NIS2 extends to areas such as public administration, water and waste management, postal services, space, food production, manufacturing of critical products and digital infrastructure and services;
- the security measures are mandatory rather than recommended, and sanctions are provided for non-compliance;
- reporting of significant incidents to the national CSIRT or competent authority is mandatory and has fixed deadlines (an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month), so that the necessary measures can be taken at the national level;
- responsibility for compliance lies with the management of the organisation: management bodies must approve and oversee the cybersecurity measures and can be held personally liable, and fines can reach EUR 10 million or 2% of worldwide annual turnover for essential entities (EUR 7 million or 1.4% for important entities).
NIS2 compliance requirements for European companies
The stricter IT security requirements for European organisations include a comprehensive set of measures: a CISO (in-house or outsourced), regular employee training, access control, two-factor (2FA) and multi-factor (MFA) authentication, mobile device management (MDM), secure virtual private networks (VPNs), and encryption to protect data.
In addition, the security level must be checked regularly and inspections must be carried out. To ensure that all of an organisation's systems remain effective, they need to be monitored and evaluated. Audits may include IT security audits, GDPR compliance reviews and technology audits, all of which help maintain a high level of protection.
Penetration tests and PCI DSS security assessments are particularly important for organisations that handle sensitive information, including payment data.
What should Ukrainian businesses know about NIS2?
When assessing the security of their supply chains, EU companies that are subject to NIS2 may identify Ukrainian companies as critical partners on which business continuity depends. It is important to know your "status" for EU partners.
Raivis Bidiņš
Tet's cybersecurity advisor
The fact is that, in order to continue cooperation, Ukrainian companies must meet additional IT security requirements. For example, this may include regular IT security audits, changes to contracts and tighter controls on the third parties involved in the collaboration.
Although Ukrainian companies will not be required to meet all the requirements of NIS2 directly, in the case of critical cooperation Ukrainian businesses need to be ready for additional requirements and for raising their level of IT security at the request of their European partners.