The clock is ticking as the deadline for implementing the Network and Information Security (NIS2) Directive (EU) 2022/2555 approaches. The Directive has been in force since January 16, 2023, and Member States must transpose it into their national laws before October 17, 2024. With non-compliance carrying severe penalties, it’s crucial for businesses, particularly Medical Device Manufacturers (MDMs), to prepare adequately.
What are the key changes between NIS and NIS2?
An expansion in the scope based on manufacturer size
NIS2 revises the criteria for all entities that fall under its scope, now including both medium and large-sized MDMs in specified sectors.
Harmonization of the cybersecurity requirements
NIS2 aims to bring uniformity in cybersecurity measures, setting forth a shared regulatory framework and compliance procedures.
Introducing an entity registration mechanism
Entities now have the responsibility to register directly with the European Union Agency for Cybersecurity (ENISA), which is tasked with informing the respective Member States.
New entity classifications
The NIS2 Directive introduces new categories, namely “essential” and “important” entities, with direct stipulations for both. The healthcare sector and its MDMs remain pivotal, being classified as essential entities.
The compliance checklist for MDMs includes:
- Reporting procedures: Establish mechanisms for cybersecurity risk management and reporting.
- Cybersecurity measures: Implementation of security policies, incident response plans and other protective measures is required.
- Incident reporting: Entities must promptly report security incidents to national computer security incident response teams or their competent authorities.
- Information sharing: NIS2 fosters sharing information on cyber threats, vulnerabilities, and tactics, including coordinated vulnerability disclosure.
What are some actionable steps for MDMs?
When considering what to do next, we suggest asking yourself these initial questions:
- Are you affected by NIS2 changes?
- What do you need to do?
- When is the deadline to be compliant?
- What happens if you fail to comply?
To help you find the answers to these questions, the infographic below provides further clarity.
Attaining NIS2 compliance is a standard process that requires around 12 months to complete. Organizations and MDMs need to pay attention to the essential components of this Directive and act before the deadline arrives.
Looking for assistance?
Our range of services includes consulting, audits and tools implementation to assist in your NIS2 compliance journey. If you’d like a breakdown of the NIS2 Directive, download our free e-book “NIS2: The basics for MDMs.”