The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive that came into force in 2023. It modernized the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. Expanding the scope of the cybersecurity rules to new sectors and entities further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.
Businesses identified by the Member States as operators of essential services in sectors such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.
The following is a non-exhaustive list of questions that will guide you toward cyber resiliency.
Additional security controls and questions will follow in other questionnaires/sections.