The EU’s Network and Information Systems Directive 2 (NIS2) updates cyber security requirements in relation to NIS1. This is a hot topic especially now that the number of cyber attacks is increasing year on year. Who is required to implement NIS2 and what exactly is changing?
What is the NIS2 Directive?
The aim of the NIS2 Directive is to create a harmonised level of security across the European Union. It primarily applies to state-critical sectors, but may also extend to private market entities. Check if your organisation is subject to the new legislation!
Who is affected by the NIS2 Directive?
The personal scope of the NIS2 Directive is indicated in Article 2 of the Directive and covers a broad catalogue of both public and private entities that are medium or large companies from almost 20 sectors, as indicated in the Annexes to the legal act. The entities covered are divided into important and key sectors. Key sectors include:
- Energy;
- Transport;
- Banking;
- Financial markets infrastructure;
- Healthcare;
- Drinking water;
- Wastewater;
- Digital infrastructure (including cloud service providers, trust service providers or DNS services).
Important sectors, in turn, include car manufacturing, the manufacture of electrical machinery and equipment, chemicals manufacturing and digital service providers (including search engines and social networking platforms).
The Directive may also apply to operators in other sectors not explicitly mentioned if certain conditions are met, e.g. the disruption of the service provided by the operator could lead to a serious systemic risk, in particular in sectors where the disruption could have a cross-border dimension.
While the provisions of the Directive allow for the possibility of exempting selected categories of entities, they do so only to a certain, limited extent. It should be borne in mind that each trader is obliged to verify for itself whether it falls within the scope of the Directive. If it does, it should submit the required data to the competent authorities.
What does the NIS2 Directive change? Elements of a cyber security policy
Entities classified as belonging to critical and important sectors are required to implement a cyber security risk management strategy. Such a strategy should be approved by the supervisory authority. Technical, operational and organisational measures should be appropriate and proportionate to the type and scope of services provided and should prevent, or at least minimise, the impact of incidents on service recipients. Businesses under NIS2 should ensure, in particular:
- Risk analysis and information systems security policies;
- Incident handling;
- Maintenance of business continuity of the service provided (e.g. through backup management, disaster recovery or crisis management of systems);
- Supply chain security;
- Security in the acquisition, maintenance and development of networks and systems;
- Procedures to assess the effectiveness of cyber security risk management measures;
- Implementation of cyber security practices, including cyber security training;
- Internal policies and procedures for cryptography and encryption;
- Establishment of an asset access control policy;
- Use of two-factor authentication and, for emergency situations, fully secured communication channels.
It is worth remembering that the directive imposes an obligation to report serious incidents to the CSIRT within a limited timeframe:
- No later than 24 hours after becoming aware of a serious incident, an early warning must be sent, indicating whether the serious incident is suspected to have been caused by unlawful or malicious activity and whether it may have a cross-border impact;
- No later than 72 hours after becoming aware of the serious incident, a proper incident report should be sent, indicating the severity of the incident and optionally updating the information previously provided.
Member States are required to establish at least one CSIRT – a team set up to respond to computer security incidents. CSIRTs are tasked with receiving incident reports and providing support in handling them. There are currently three CSIRT-type entities in Poland – CSIRT GOV, CSIRT MON and CSIRT NASK.
What does the NIS2 directive mean for your organisation?
The entry into force of NIS2 brings with it the need to implement a whole range of IT solutions or adapt existing infrastructure to the new requirements. In practice, this may require a costly overhaul of the business model.
The Directive grants competent authorities a range of supervisory and control powers, including those relating to conducting audits, requesting information and issuing orders to ensure compliance with EU regulations. Supervisors can also conduct security scans and request evidence of the implementation of security policies, such as the results of security audits.
Penalties for non-compliance with the NIS2 Directive
Failure to comply with NIS2 regulations carries the risk of severe monetary sanctions. Sanctions can be as high as €10 million or 2% of annual worldwide turnover in the previous financial year, whichever is higher.
When does the NIS2 directive come into force?
The deadline for implementing the changes associated with the NIS2 Directive coming into force is 17 October 2024, so there is not much time left to self-identify and set up your company’s processes and procedures. To make sure that the requirements related to EU regulations have been implemented correctly, it is worth taking advantage of the support of professionals.
Linke Kulicki Law Firm’s team will help determine whether your company falls under NIS2. We will identify areas that require improvement. We will also propose solutions tailored to the entrepreneur’s individual capabilities and ensure full compliance with formal requirements.