
NIS2 Minimum Security Measures


Article 21(2) of the NIS2 Directive (Directive (EU) 2022/2555) lists ten minimum cybersecurity risk-management measures, points (a) to (j), that essential and important entities must implement. The entries below cover those ten measures together with the related governance (Article 20), incident reporting (Article 23), certification (Article 24) and jurisdiction (Article 26) provisions. ENISA publishes guidance on implementing the measures.

Issuing Body
European Parliament and Council of the European Union (Directive (EU) 2022/2555); implementation guidance by the European Union Agency for Cybersecurity (ENISA)
Version
2022
Published
2022-12-27 (Official Journal of the European Union)
Controls
15
Mapped Laws
29

Control ID / Title / Description / Maturity

NIS2-Art.21(2)(a)
Policies on Risk Analysis and Information System Security
Article 21(1) requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use for their operations or for the provision of their services. Point (a) requires policies on risk analysis and information system security.
managed

NIS2-Art.21(2)(b)
Incident Handling
Incident handling, covering prevention, detection and response to incidents. In practice this means documented incident response procedures that are exercised regularly.
managed

NIS2-Art.21(2)(c)
Business Continuity
Business continuity, such as backup management and disaster recovery, and crisis management. Entities must be able to maintain or restore operations during and after significant incidents.
managed

NIS2-Art.21(2)(d)
Supply Chain Security
Supply chain security, including the security-related aspects of the relationships between each entity and its direct suppliers or service providers. Under Article 21(3), entities must take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including their secure development procedures.
managed

NIS2-Art.21(2)(e)
Security in Network and Information Systems Acquisition, Development and Maintenance
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure. Secure development practices and a vulnerability management process, including coordinated vulnerability disclosure, are required.
managed

NIS2-Art.21(2)(f)
Policies and Procedures to Assess the Effectiveness of Risk-Management Measures
Policies and procedures to assess the effectiveness of the cybersecurity risk-management measures the entity has taken.
managed

NIS2-Art.21(2)(g)
Basic Cyber Hygiene Practices and Cybersecurity Training
Basic cyber hygiene practices and cybersecurity training.
managed

NIS2-Art.21(2)(h)
Policies and Procedures Regarding the Use of Cryptography
Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
managed

NIS2-Art.21(2)(i)
Human Resources Security, Access Control and Asset Management
Human resources security, access control policies and asset management. Entities must implement appropriate personnel security measures, manage access rights and maintain an inventory of their assets.
managed

NIS2-Art.21(2)(j)
Multi-Factor Authentication and Secured Communications
The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
managed

NIS2-Art.23(1)
Notification of Significant Incidents
Member States shall ensure that essential and important entities notify, without undue delay, their CSIRT or, where applicable, their competent authority of any incident that has a significant impact on the provision of their services. Under Article 23(3) an incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
managed

NIS2-Art.23(4)
Notification Timeline
For a significant incident the entity must submit: an early warning without undue delay and in any event within 24 hours of becoming aware of the incident, indicating whether it is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact; an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise; intermediate reports on request of the CSIRT or competent authority; and a final report not later than one month after the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
managed

NIS2-Art.20
Governance
Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities, oversee their implementation and can be held liable for infringements of Article 21. Members of management bodies are required to follow cybersecurity training, and entities are encouraged to offer similar training to their employees on a regular basis.
managed

NIS2-Art.24
Use of European Cybersecurity Certification Schemes
In order to demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed in-house or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881 (the Cybersecurity Act). The Commission is empowered to adopt delegated acts specifying which categories of entities are to be required to use which certified products, services or processes.
defined

NIS2-Art.26
Jurisdiction and Territoriality
Essential and important entities fall under the jurisdiction of the Member State in which they are established, with exceptions: providers of public electronic communications networks or publicly available electronic communications services fall under the jurisdiction of the Member State in which they provide their services; DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre, content delivery network, managed service and managed security service providers, online marketplaces, online search engines and social networking platforms fall under the jurisdiction of the Member State in which they have their main establishment in the Union; public administration entities fall under the jurisdiction of the Member State that established them. An entity of the latter kind that is not established in the Union but offers services within it must designate a representative established in one of the Member States where its services are offered.
defined