What It Is

NIS2, officially Directive (EU) 2022/2555, is an EU regulation replacing the 2016 NIS Directive. It establishes a high common level of cybersecurity across member states for essential and important entities in expanded sectors like energy, transport, health, and digital infrastructure. Employs a risk-based, continuous assurance approach shifting from static compliance to proactive resilience.

Key Components

• **Risk managementOngoing assessments, supply chain security, access controls, encryption.
• **Incident reporting24-hour early warning, 72-hour details, one-month final report.
• **Business continuityRecovery plans and crisis procedures.
• **Corporate accountabilitySenior management direct liability. Built on standards like ISO 27001 and NIST CSF; enforced via national CSIRTs with spot checks, no formal certification.

Why Organizations Use It

Mandatory for in-scope entities to avoid fines up to 2% global turnover. Enhances cyber resilience, ensures service continuity, builds stakeholder trust, and aligns with EU-wide cooperation amid rising threats.

Implementation Overview

Conduct gap analysis, implement measures, register with authorities. Targets medium/large entities (50+ employees, €10M+ turnover) in covered EU sectors. Involves training, audits, ongoing monitoring; transposition by October 2024 with grace periods.

What It Is

PDPA (Personal Data Protection Act) refers to a family of data protection laws in jurisdictions like Singapore (2012), Thailand (2019), and Taiwan, primarily regulations governing collection, use, disclosure, and protection of personal data by organizations. These are principles-based frameworks balancing individual privacy rights with legitimate business needs, employing risk-based approaches like reasonable security and accountability.

Key Components

• Core obligations: consent/notification, purpose limitation, access/correction rights, security safeguards, retention limits, transfer controls, breach notification, accountability (including DPO in some regimes).
• Built on GDPR-influenced principles but with local nuances (e.g., Singapore's deemed consent, Thailand's explicit sensitive data rules).
• No universal certification; compliance via self-assessments, audits, and regulator enforcement.

Why Organizations Use It

• Mandatory in applicable jurisdictions for data handlers, avoiding fines (up to SGD 1M, THB 5M).
• Enhances risk management, builds stakeholder trust, enables cross-border operations.
• Strategic benefits: market trust, operational efficiency, innovation via privacy-by-design.

Implementation Overview

• Phased: governance, data mapping, policy/controls, training, monitoring.
• Applies to all sizes handling personal data; intensive for multinationals.
• No certification but requires DPMP, audits; 12-18 months typical.