What does NIS2 mean for the security sector?
Entering into force on 16 January 2023, with Member States required to transpose it into national law by 17 October 2024, the Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) represents a significant evolution in the European Union's approach to cybersecurity. The directive aims to achieve a high, common level of cyber-security across the EU and to enhance the overall resilience and security of networks and information systems.
As businesses gear up for compliance, it is important to understand the broad implications of NIS2 and how it will impact physical security measures, particularly video surveillance systems.
Scope of NIS2 and changes from the previous directive
NIS2 builds on the foundations laid by the original NIS Directive, introducing several new changes:
Broader scope of coverage: NIS2 extends its reach to more sectors and organizations, including digital providers, public administration, and manufacturing. Entities are classified as "essential" or "important", and medium-sized and large organizations in the listed sectors are in scope by default rather than being individually designated by national authorities.
Harmonized security requirements: the directive mandates risk-management measures that are appropriate and proportionate to the risk and take the state of the art into account, so that all covered entities protect their networks and information systems to a consistent baseline across Member States. The measures listed in Article 21 include incident handling, business continuity, supply chain security, the use of cryptography and, where appropriate, encryption, and multi-factor authentication.
Enhanced reporting obligations: organizations must send an early warning of a significant incident to the competent authority or CSIRT within 24 hours of becoming aware of it, an incident notification with an initial assessment within 72 hours, and a final report not later than one month after the incident notification. This tightens the response time compared to the previous directive.
Supply chain security: NIS2 introduces specific obligations to manage cybersecurity risks within the supply chain. This means that even suppliers not directly covered by NIS2 might still need to comply with certain requirements if they work with organizations in its scope.
Stricter supervision and enforcement: non-compliance by essential entities can result in penalties of up to €10 million or 2% of the entity's total worldwide annual turnover (whichever is higher); for important entities the maximum is €7 million or 1.4% of turnover.
Increased cooperation and coordination: NIS2 aims to enhance cooperation among EU Member States, particularly in incident response and crisis management. This includes establishing a European cyber crisis liaison organization network (EU-CyCLONe).
Emphasis on strategic planning: organizations are expected to take a proactive approach to cybersecurity, including regular assessments of their security posture and planning to address vulnerabilities and evolving threats.
While NIS2 is an EU directive, its implications extend beyond the borders of the European Union.
UK or other non-EU businesses that provide in-scope services within the EU fall under NIS2 and must comply to maintain market access and avoid penalties. Certain categories of non-EU digital service providers (for example cloud, data centre, managed service and DNS providers) must also designate a representative established in an EU Member State. Non-EU suppliers that are not themselves in scope will still feel the directive indirectly: their EU customers are obliged to manage supply chain risk, so they can expect contractual requirements for robust cyber-security measures and for incident notification that fits the customer's own reporting deadlines.
UK companies already certified to ISO 27001 are well positioned, as the certification is commonly estimated to cover around 70% of NIS2 requirements, including risk management, corporate accountability, and incident handling. Leveraging an existing ISO 27001 management system means UK businesses can transition to NIS2 compliance with less effort, though the remaining gaps still need attention: in particular, ISO 27001 does not by itself impose NIS2's 24-hour and 72-hour reporting deadlines or its management-body accountability rules.
How does NIS2 affect video surveillance and physical security?
The directive's focus on securing networks and systems extends to networked video surveillance: cameras, recorders and video management systems are information systems in their own right, and the video data they hold must be secured against unauthorized access and breaches.
Genetec's recent whitepaper provides a valuable perspective on how NIS2 impacts physical security, emphasizing the integration of cyber-security measures with physical security systems.
Access control and incident management are critical under NIS2, where timely reporting of cyber-security incidents and controlling access to sensitive areas and systems are crucial to mitigating security risks.
The report also underscores the need for stringent supply chain security and recommends due diligence and robust contractual arrangements with suppliers. Given that many cyber threats originate from vulnerabilities in the supply chain, this focus is essential for comprehensive security.
Securing outsourcing arrangements also ensures that third-party service providers adhere to strict security protocols. As organizations increasingly rely on external partners, it is vital to enforce consistent security standards across all operations.
Future-ready policies are also critical and reflect the need for comprehensive cyber-security strategies and continuous risk assessments to stay ahead of evolving threats. This proactive approach ensures that organizations can adapt to new challenges and maintain robust security postures in the face of changing cyber landscapes.
Similarly, we at Pimloc believe that future-proofing cyber-security measures is not only about compliance but also about building resilience and long-term security.
Preparing for NIS2 compliance
Proactive steps towards NIS2 compliance involve several critical actions that address various aspects of cyber-security and physical security.
Risk ownership: NIS2 places responsibility for cyber-security risk management with the management body. Boards must approve the risk-management measures, oversee their implementation, undergo training, and can be held liable for infringements. Assigning this ownership clearly fosters a culture of security at the highest organizational levels.
Implement security requirements: including effective incident handling, robust business continuity planning, and the use of cryptography and encryption to protect sensitive data, alongside the other Article 21 measures such as multi-factor authentication and vulnerability handling. These practices help organizations build a resilient security framework capable of withstanding cyber threats.
Supply chain security: organizations must evaluate and manage the cyber-security practices of their suppliers and service providers. All third-party partners need to adhere to high cyber-security standards to mitigate risks that can arise from external sources.
Incident reporting protocols: organizations should establish clear procedures for recognizing a significant incident and reporting it to the competent authority or CSIRT within the required timeframes (early warning within 24 hours, notification within 72 hours, final report within a month). This not only ensures compliance but also enhances the organization's ability to respond swiftly and effectively to security breaches.
Comprehensive policies and procedures: organizations need to develop detailed policies to manage cyber-security risks, conduct regular risk assessments, and maintain robust business continuity plans. This involves continuously monitoring and updating security measures to adapt to evolving threats.
Video redaction technology: anonymizing individuals and sensitive data in surveillance footage is key to adhering to privacy regulations while maintaining security. Redaction does not by itself prevent unauthorized access, so it complements rather than replaces access control and encryption; its value is data minimization, limiting the personal data exposed if footage is shared, retained longer than needed, or accessed in a breach, which aligns with NIS2's requirements for protecting sensitive information.
The NIS2 Directive marks a significant shift towards a more rigorous cyber-security framework within the EU. For businesses, particularly those involved in physical security and video surveillance, understanding and complying with NIS2 is essential. For UK and non-EU businesses, aligning with NIS2 is crucial for maintaining market access and for meeting the supply chain expectations of EU customers.