Ensuring compliance with NIS2 (EU Cyber Security Law)

A Guide for the Workboat Industry

Official information from the European Union can be found here.

(Written by Kerrie Forster on behalf of the Workboat Association, March 2025.)

Introduction
The NIS2 Directive, introduced by the European Union, aims to enhance the resilience of critical infrastructure against cyber threats. This guidance outlines the key requirements of NIS2 and provides practical steps for workboat operators to achieve compliance.

Understanding NIS2
The NIS2 Directive introduces new requirements in four main areas: risk management, corporate accountability, reporting obligations, and business continuity. These measures are designed to minimise cyber risks and ensure that organisations are prepared to respond effectively to cyber incidents.

Application
NIS2 applies to businesses that meet the following 3 criteria of application:

The 18 sectors specified by the NIS2 are:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing
  • Digital providers
  • Research

Key Requirements for Compliance

  • Risk Management
    • Implement robust incident management procedures.
    • Strengthen supply chain security.
    • Enhance network security and access control.
    • Utilize encryption to protect sensitive data.
  • Corporate Accountability
    • Ensure corporate management oversees and approves cybersecurity measures.
    • Provide training for management on cyber risk mitigation.
    • Establish accountability for breaches, including potential penalties for management.
  • Reporting Obligations
    • Develop processes for prompt reporting of security incidents.
    • Adhere to specific notification deadlines, such as the 24-hour “early warning” requirement.
  • Business Continuity
    • Create a comprehensive plan for system recovery and emergency procedures.
    • Set up a crisis response team to handle major cyber incidents.

The 10 Minimum Security Measures
In addition to the overarching requirements, NIS2 mandates the implementation of 10 baseline security measures.

These include:

  1. Conducting risk assessments and developing security policies.
  2. Evaluating the effectiveness of security measures regularly.
  3. Using cryptography and encryption where relevant.
  4. Establishing procedures for handling security incidents.
  5. Ensuring security in the procurement and operation of systems.
  6. Providing cybersecurity training and promoting basic computer hygiene.
  7. Implementing security procedures for employees with access to sensitive data.
  8. Maintaining an overview of all relevant assets and their proper utilization.
  9. Planning for business operations during and after a security incident.
  10. Utilizing multi-factor authentication and encrypted communication.

Practical Steps for Workboat Operators

  • Assess whether your business is required to comply with NIS2
    • Does your business meet the 3 criteria of application?
  • Assess Current Cybersecurity Measures
    • Conduct a thorough review of existing cybersecurity policies and procedures.
    • Identify gaps and areas for improvement.
  • Develop a Compliance Plan
    • Create a detailed plan to address NIS2 requirements.
    • Allocate resources and assign responsibilities for implementation.
  • Implement Security Measures
    • Deploy necessary tools and technologies to enhance cybersecurity.
    • Train staff on new procedures and best practices.
  • Monitor and Review
    • Regularly monitor the effectiveness of implemented measures.
    • Update policies and procedures as needed to address emerging threats.

Conclusion
Compliance with the NIS2 Directive is mandatory for the majority of the European trading workboat industry, protecting its operations and assets from cyber threats. By following the guidelines outlined in this paper, workboat operators can enhance their cybersecurity posture and ensure business continuity in the face of cyber incidents, whilst also remaining legally compliant.

Important: This information is offered as guidance only and is not legal advice. In all cases, the Workboat Association advocates that professional legal opinion is sought when understanding the effect of new regulation.
