What is NIS2?

From the final text:

Article 21, Cybersecurity risk-management measures

1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

3. Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entities are required to take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1).

4. Member States shall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.