What is the NIS2 Directive? Introducing its requirements and the need for cyber resilience (2/4) ~Important NIS2 Requirements for Overseas Branches~

For global companies, the requirements of the NIS2 Directive are significant challenges that require strategic responses. What specific aspects should managers of overseas branches pay particular attention to?



As the risk of cyberattacks increases worldwide, it has become urgent for global companies with overseas branches to implement comprehensive cybersecurity measures. The NIS2 Directive, established by the EU, aims to strengthen "cyber resilience" to minimize the damage caused by cyberattacks and provides specific guidelines for strengthening security.

This article provides an overview of the NIS2 Directive and the importance of cyber resilience and introduces specific strengthening methods and examples in four parts.

2. Important NIS2 Requirements for Overseas Branches


For global companies, the requirements of the NIS2 Directive are important issues that require a strategic response. This chapter explains three critical points that managers of overseas branches should pay particular attention to.

Strengthening risk management (Article 21)

The NIS2 Directive requires strengthening risk management systems through measures such as conducting risk assessments, managing threats, establishing incident response procedures, and conducting regular security audits. It is necessary to establish a system that enables rapid detection, response, and recovery in the case of a cyberattack or disaster.

Stricter reporting requirements (Article 23)

The NIS2 Directive sets out strict requirements for reporting incidents. This requirement aims to prevent the expansion and recurrence of cyberattacks by sharing information with countries and related organizations, so each location must share information quickly and transparently.

| Item | Report time limit | Report content |
|---|---|---|
| Early notification | Within 24 hours | A summary of suspected illegal or malicious activity; whether there is a possibility of cross-border impacts |
| Incident notification | Within 72 hours | Initial evaluation information (severity, scope of impact); details of indicators of compromise (IoC) |
| Interim Report | As needed | Providing the latest information when requested by CSIRT* |
| Final Report | Within one month | Overall evaluation of the incident and response status |

*CSIRT (Computer Security Incident Response Team) = Security incident response team

Strengthening international cooperation (Article 10)

Because there are limitations to security responses provided by overseas branches, the NIS2 Directive recommends establishing CSIRTs in each country and building a cross-border cooperative system. There is a need to develop a framework for preventing the spread of incidents caused by increasingly complex cyberattacks and for cooperating to address issues that a single location, company, or country cannot handle.

[Figure: Strengthening international cooperation diagram]

Source: Summary of EU NIS2 Directive (Ministry of Economy, Trade and Industry) (Japanese)
https://www.jraia.or.jp/members/uploads/files/230526_METI_NIS2.pdf
Source: EUR-Lex Document 02022L2555-20221227
https://eur-lex.europa.eu/eli/dir/2022/2555