The revised EU directive on the security of network and information systems (NIS2) sets baseline security risk management measures for all the entities operating across the sectors falling within its scope. The directive applies an “all-hazard” approach, thus the risk management measures should also address physical and environmental security (e.g. natural disasters, system failures).
Essential and important entities are required to take appropriate technical, operational, and organisational measures to safeguard the entity’s network and information systems against any security threats. Under the NIS2, they are expected to implement at least several security measures listed in the revised directive, for example, establishing access control policies, and setting up an incident handling procedure.
Essential and important entities must notify significant security breaches to the national computer security incident response team (CSIRT) following a multi-step process. The initial notification should be submitted within 24 hours, followed by a second one within 72 hours after having become aware of a significant incident. A final report with additional information on the breach should be submitted in one month.
Cullen International is releasing a series of reports on the different aspects of the newly revised directive on the security of network and information systems (NIS2). Our second of five reports provides an analysis of the common security risk management and reporting requirements, which apply to all essential and important entities covered by the revised directive.
See also Part 1: Scope
For more information and to access our NIS2 report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
27 August 25
5G developments and other regulatory news in the Middle East and North Africa
Our latest MENA Telecoms Update details the most significant regulatory developments taking place in the region between 30 April and 11 August 2025.
14 August 25
Fighting online piracy in Brazil
The latest edition of Cullen International's Fighting Online Piracy benchmark shows that Brazil’s audiovisual sector regulator Ancine and its telecoms regulator Anatel have agreed in writing to collaborate in the fight against the online piracy of media content.
11 August 25
Getting tough on TV advertising in LATAM
The new edition of Cullen International’s benchmark on TV advertising restrictions to protect public health or minors notes developments in Argentina and Brazil.