Pharma IT Insights

Cybersecurity in Pharma: What is NIS2?

By Steen Lindebjerg

February 26, 2024


Regulatory compliance is a constant challenge for life science companies around the world. In this Insight, we dive into the EU’s second Network and Information Security Directive (NIS2 Directive). Keep reading for a high-level summary of the legislation and next steps for ensuring compliance.

What is the NIS2 Directive?

The NIS2 Directive is a cybersecurity directive. It is a continuation and expansion of the EU’s previous Network and Information Security Directive (NIS). Through in-depth stakeholder collaboration, the EU identified four key deficiencies with NIS:

  • Insufficient cyber resilience of businesses operating in the EU
  • Inconsistent level of cyber resilience across Member States and sectors
  • No common understanding of the main cybersecurity threats and challenges among Member States
  • Insufficient joint crisis response

NIS2 seeks to address these challenges by strengthening the collective cybersecurity and cyber resilience level of EU member states. The directive comes into full force by October 2024, by which time EU member states must have incorporated the directive into their national regulatory frameworks.

To do so, NIS2 includes increasing cybersecurity enforcement requirements for critical infrastructure sectors. NIS2 also imposes stricter security requirements and penalties for non-compliance, including fines of up to 10% of an entity’s annual turnover.

Who has to comply with NIS2?

The scope of NIS2 is more expansive than that of NIS. Pharmaceutical, Biotech, and Medical Device companies are now required to comply if they fall within the following categories:

  • Healthcare providers as defined in Article 3(g) of Directive 2011/24/EU of the European Parliament and of the Council
  • EU reference laboratories referred to in Article 15 of Regulation (EU) 2022/2371 of the European Parliament and of the Council
  • Entities carrying out research and development activities relating to medicinal products as defined in Article 1(2) of Directive 2001/83/EC of the European Parliament and of the Council
  • Establishments manufacturing pharmaceutical raw materials and pharmaceutical preparations as referred to in main section C, main group 21, of NACE rev. 2
  • Entities manufacturing medical devices considered to be critical in a public health crisis situation (‘list of critical medical devices for public health crisis situations’) within the meaning of Article 22 of Regulation (EU) 2022/123 of the European Parliament and of the Council
  • Research Organizations

The NIS2 Directive adds new requirements for your organization in four primary areas: Management, Reporting, Risk Management and Business Continuity.

Management

Management must be aware of and understand the requirements of the directive and the organization’s risk management efforts. Members of management now hold direct responsibility for identifying and addressing cyber risks in order to comply with NIS2 requirements.

Risk Management

To meet the new requirements, organizations must implement measures to minimize risks and consequences. This includes incident management, improved supply chain security, network security, vulnerability handling and disclosure, access control, and encryption.

Reporting to the authorities

Organizations need to have established processes for ensuring proper reporting to the authorities. For example, major incidents must be reported within 24 hours.

Business Continuity

Organizations must consider how to ensure business continuity in the event of major cyber incidents. This includes, for example, system recovery, emergency procedures, and establishment of a crisis response team.

Begin processes to ensure NIS2 compliance as soon as possible

The following five points represent high level milestones to achieve to ensure and maintain compliance.

  1. Am I in scope? Assess how the NIS2 Directive impacts you and whether your company is in scope.
  2. What’s missing? Conduct a gap analysis to understand your current compliance level.
  3. Do management members understand their responsibilities? Since management will be held directly responsible for non-compliance, it is critical to ensure NIS2 compliance awareness at the board level.
  4. What steps to take? Develop a plan to implement the missing requirements. In Figure 1 below, we have included a non-exhaustive illustration of some of the measures and policies that may be required to ensure NIS2 compliance.
  5. Implement missing measures, strategies, and routines as soon as possible. An early start can help you ensure compliance and avoid fines.

Figure 1. A non-exhaustive illustration of some of the governance, risk management, policies, procedures, vendor security measures, incident handling, and training required to ensure NIS2 compliance.

Pharma IT can help you ensure NIS2 compliance

We have experience helping customers identify and close compliance gaps for a range of cybersecurity & data privacy regulations, including NIS2, GDPR, and more. Our consultants can provide tailor made support to help you ensure compliance. We also offer NIS2 & Cybersecurity Training at the Pharma IT Academy.


About the author

Steen Lindebjerg is a Principal Consultant with more than 20 years’ experience in the IT compliance area, working in both the pharmaceutical industry and the finance sector. He is highly specialized in Data Privacy and IT Security. He has performed leading roles such as Data Protection Officer (DPO), Auditor, and Compliance Lead on projects and in operations, as well as Project Manager and Validation Lead on application implementations. Steen holds privacy professional (CIPP/E), ISO 27001 Lead Implementer, Scrum Master and ITIL certifications.