NIS2: The EU directive with implications for Swiss cybersecurity
NIS2, the successor to NIS1, strengthens cybersecurity requirements within the European Union and aims to increase resilience to cyber threats. NIS2 aims to achieve a higher level of harmonization by establishing general standards and requirements for cybersecurity and incident response. NIS2 applies not only to companies domiciled in the EU, but also to suppliers from outside the EU, e.g. from Switzerland. Swiss Post Cybersecurity is therefore actively developing frameworks and methods to support its customers who must meet the requirements of this updated regulation.
Overview
The Network and Information Systems Directive 2 (NIS2) is an updated legal framework designed to improve cybersecurity in the European Union. Building on its predecessor (the NIS Directive), NIS2 expands the scope of the rules, introduces stricter security measures and improves incident reporting protocols. Companies face common challenges in complying with the regulations, including resource constraints, the complexity of adapting to the detailed requirements and varying enforcement across member states.
In the DACH region, national regulations or laws have not yet been finalized. It remains to be seen what the detailed requirements for each sector will look like and by when these requirements must be met. Switzerland does not fall directly within the scope of NIS2 and therefore no corresponding regulation is being prepared.
Background to the NIS
NIS2 was adopted by the European Parliament in December 2020 as a successor to the original NIS Directive of 2016 to address the changing landscape of cybersecurity threats. The directive was prompted by the increasing number of sophisticated cyberattacks on critical sectors such as energy, transport, banking and healthcare.
Category | Number of employees | Annual turnover | Balance sheet
--- | --- | --- | ---
Essential entities, e.g. energy, transport, finance, public administration, health, digital infrastructure | 250 | € 250 million | € 43 million
Important entities, e.g. postal services, waste management, chemicals, research, food, digital providers | 50 | € 10 million | € 10 million
The most important requirements of NIS2
NIS2 introduces several important requirements that organizations must meet:
- Expanded scope:
NIS2 expands the scope of sectors and types of organizations that fall under its jurisdiction, including more public sector entities as well as critical infrastructure providers.
- Risk management and incident reporting:
Organizations must implement risk management measures that include risk analysis and security policies for information systems. Incidents with significant impact must be reported within 24 hours.
- Supply chain security:
There will be a greater focus on securing supply chains, and organizations will need to ensure that their third-party vendors comply with appropriate cybersecurity standards.
- Governance and accountability:
Senior management must be involved in approving cybersecurity measures and can be held accountable for non-compliance. Regular audits and monitoring are required to ensure ongoing compliance.
- Cooperation and information sharing:
There is a call for increased cooperation between member states and better mechanisms for the cross-border exchange of information on threats and incidents.
Frequent difficulties in meeting the NIS2 requirements
Despite the clear objectives, organizations encounter various difficulties in adapting to NIS2:
- Limited resources:
Smaller organizations and public sector entities often struggle with limited budgets and human resources, making it difficult to implement comprehensive cybersecurity measures.
- Complex compliance landscape:
Navigating the complex and detailed requirements of NIS2 can be daunting. Companies must ensure that they interpret and apply the regulations correctly, which may require expert legal and technical advice.
- Supply chain management:
Ensuring that all third-party suppliers and partners in the supply chain adhere to the same security standards can be challenging, especially when dealing with a large number of suppliers.
- Incident reporting and response:
The requirement to report incidents within 24 hours can be difficult to fulfill, especially for companies that do not have advanced detection and response capabilities.
- Harmonization issues:
Different member states may implement and enforce the NIS2 provisions with some variations, creating an inconsistent compliance environment that can be difficult for multinational organizations to manage.
High-level plan for NIS2 implementation
The implementation of NIS2 requires a comprehensive approach that takes into account the technical, organizational and procedural aspects of cybersecurity. Swiss Post Cybersecurity recommends that its customers use a structured plan to fulfill the NIS2 requirements.
The following plan is a high-level overview and must be tailored to the specific needs and context of the organization implementing it. It is recommended to regularly engage with legal and cybersecurity experts to ensure a comprehensive and effective understanding of national law in relation to NIS2.
A) Preliminary assessment and planning
- Applicability and scope of application:
Clarify whether your company or organization falls within the scope of NIS2. While this article was written in summer 2024, most EU countries have not yet finalized their national NIS2 regulations, so there may still be some ambiguity about applicability and final requirements. Therefore, the following general plan should be adapted to the requirements of the jurisdiction or jurisdictions in which the organization operates, as well as to the needs of the organization itself.
- Conduct a gap analysis:
Assess current cybersecurity measures against the NIS2 requirements to identify gaps. Prioritize areas needing immediate attention based on risk assessments.
- Develop a compliance roadmap:
Create a detailed action plan with timelines, responsibilities and the resources required for compliance. Secure budget and management approval for the roadmap.
- Set up a NIS2 compliance team:
Form a cross-functional team with representatives from IT, legal, risk management and senior management.
B) Risk management and policy development
- Implement risk management measures:
Conduct regular risk assessments to identify potential threats and vulnerabilities. Develop and implement risk management measures that include preventive, detective and corrective controls.
- Update information security policies:
Revise existing security policies to align with NIS2 requirements and ensure comprehensive coverage of all critical areas. Ensure policies address supply chain security, incident response and governance.
C) Technical and operational improvements
- Strengthen incident detection and response:
Utilize advanced threat detection tools and technologies. Create a robust incident response plan with defined roles, responsibilities and processes.
- Improve supply chain security:
Assess the cybersecurity posture of third-party vendors. Require suppliers to comply with cybersecurity standards and include appropriate clauses in contracts.
- Introduce continuous monitoring and auditing:
Set up continuous security validation to detect and respond to threats in real time. Conduct regular audits and reviews to ensure continuous compliance with NIS2.
D) Training and awareness
- Conduct phishing and awareness training for employees:
Develop and conduct regular awareness training for all employees. The focus is on the importance of cybersecurity, recognizing threats and complying with security guidelines.
- Involve senior management:
Provide specific training for managers on their roles and responsibilities under NIS2. Ensure that management understands the strategic importance of cybersecurity and supports compliance efforts.
E) Reporting and documentation
- Establish incident reporting mechanisms:
Develop processes for internal and external incident reporting in line with NIS2 timelines. Ensure that incidents are reported within the 24-hour window required by NIS2.
- Maintain complete documentation:
Thoroughly document all policies, procedures, risk assessments and incident reports. Ensure documentation is easily accessible for audits and regulatory reviews.
F) Collaboration and coordination
- Promote internal collaboration:
Encourage collaboration between IT, Legal, Compliance and other departments to ensure consistent implementation. Hold regular meetings to review progress and address challenges.
- Collaborate with external stakeholders:
Participate in industry forums and working groups to stay informed of best practices and regulatory updates. Establish communication channels with national and EU authorities to receive guidance and support.
G) Review and continuous improvement
- Conduct regular reviews:
Schedule regular reviews to assess the effectiveness of the measures implemented. Update the compliance roadmap based on review findings and evolving threats.
- Establish feedback loops:
Gather feedback from stakeholders on the measures implemented. Use the feedback to continuously improve policies, procedures and technical controls.
You are not alone - How Swiss Post Cybersecurity can support you
With more than 28 years of experience in cybersecurity and dedicated consulting and operations departments, Swiss Post Cybersecurity can support organizations in meeting the upcoming NIS2 requirements by conducting a gap analysis, assisting management and project leaders in defining objectives and strategies, and collecting and adapting existing documentation, policies and regulations. Our large selection of templates and blueprints helps with the implementation of processes and technical security measures.
Through audits, reviews and, if necessary, pentests, Swiss Post Cybersecurity is able to ensure a continuous improvement process. This comprehensive approach not only allows organizations to adapt to NIS2 from autumn 2024, but also to keep pace with regulatory updates.
This approach will ensure that your organization improves overall cybersecurity resilience and that you are well prepared to meet the requirements of NIS2.
Our conclusion on NIS2
NIS2 is a significant step forward in improving cybersecurity in critical sectors within the EU. Although it brings with it stringent requirements to protect against cyber threats, companies face several challenges in complying with the regulations. Addressing these challenges requires strategic investment in cybersecurity resources, comprehensive risk management practices and increased collaboration within the EU to ensure a harmonized and effective cybersecurity framework.
Achieving NIS2 compliance is an ongoing process that requires strategic, coordinated efforts across the organization. With a structured plan, organizations can systematically meet NIS2 requirements, improve their cybersecurity posture and ensure their resilience to evolving cyber threats.