NIS2 directive sets new security standards for visitor management

28.05.2024

Blog

The new EU cybersecurity directive NIS2 comes into effect in October 2024. It aims to enhance overall data security and ensure the safe handling of personal data and other information. But how will this impact the management of visitor data? We have prepared an information package to help you ensure your operations comply with the NIS2 directive.

Strengthening organizational cybersecurity

The previous NIS (Network and Information Systems) directive, along with the upcoming NIS2 directive, is part of a broader effort to strengthen and harmonize cybersecurity across the EU. Each member state can independently decide how to implement the general regulations within its own administration.

The new directive aims to improve preparedness against potential cyber threats and data breaches, ensuring that entities protect their data properly. Organizations must ensure that all their information systems are secure and capable of detecting and responding to potential security threats.

Applicable to critical sectors

NIS2 extends the scope of the directive to new sectors and public organizations. It also covers companies with more than 50 employees and an annual turnover or balance sheet exceeding 10 million euros. However, authorities can require even smaller companies providing critical services to meet the requirements.

The sectors covered by the directive include energy, banking and finance, transportation, healthcare, public administration, food, chemical industry, space, water supply, and waste management. It also includes digital service providers like IT and cloud service producers. These sectors and services are considered essential for the functioning and security of society.

Stricter data management

NIS2 continues on the path set by GDPR, aiming for accountability in data handling. The requirements now include reporting potential security breaches within 24 hours of detecting a threat. A more comprehensive follow-up report must be submitted within 72 hours. This reporting will significantly increase transparency and cooperation with authorities.

The new directive also requires more extensive and stricter security measures in the handling of personal data, as well as in ensuring the security of physical environments and facilities. This is strongly reflected in visitor management, including the secure handling of personal data and the security of devices and systems located on the premises.

Impact of NIS2 on visitor management

Solutions tailored for visitor management, which are connected to various databases and sometimes even to premises access control systems, are particularly exposed to potential security threats.

Attention should be paid to strong encryption methods, data handling permissions, secure data transfer and storage, and advanced authentication processes that are crucial for protecting visitor information. Ensuring the smooth functionality and security of hardware is also essential.

Ensuring security in facility and induction management

In the physical environment, attention should be paid to systems managing the facility and (safety) inductions.

Solutions managing spaces, like meeting room displays, should be selected according to the new security standards. For instance, booking information displayed over a public network can be easily compromised. Instead, meeting room displays running a separate native application (not a Chromium app) are among the safest choices. Thanks to the native application, the displays can comprehensively verify and report their status and reliably recover from power outages.

Safety inductions, which are often integrated into visitor management processes, require the highest possible level of security. This ensures that sensitive training materials and details about the individuals who have completed the inductions remain securely stored.

Consequences of non-compliance

Non-compliance with the NIS2 directive can lead to minor or significant consequences depending on the extent of the violation. In the best case, it may result in a warning or notice. In other cases, it can lead to the restriction of licensed or certified operations. Ultimately, even the actions of the management can be restricted.

Penalty fees are reserved for cases of significant negligence. Maximum fines can reach up to 7–10 million euros or 1.4–2 % of global turnover, depending on the sector’s criticality.

The supervising authority is required to notify the data protection officer if the violation has led or may lead to a data breach. However, reputational damage can often be worse than the penalty itself. Trust in safe data handling, especially with personal data, is highly valued these days.

Ensure comprehensive visitor management compliance

The NIS2 directive not only sets requirements but also offers organizations the opportunity to improve their cybersecurity and demonstrate even stronger expertise and commitment to protecting the data received from their stakeholders.

When selecting a new solution, it’s crucial to consider who can access the stored data, who owns it, and where it is stored. For example, Systam Visit stores its visitor management data in a Finnish ISO-certified data center. Our customers own their data and manage its retention periods. The service’s security has been extensively audited by an independent party.

If you have concerns about the security of visitor data, space management, or inductions, please contact our experts. We can help you achieve the most secure and tailored solution for visitor management, meeting room displays, and digital inductions.

P.S. GDPR provided a good foundation for meeting NIS2 requirements. If you have questions about managing visitor data in compliance with GDPR, download our free guide below.
