NIS2 Directive Approaches the Finish Line: What Steps Are Needed for Compliance?

Scheduled to become law across all European Union member states from October 2024, the NIS 2 Directive imposes stringent cybersecurity obligations on a wide spectrum of medium to large enterprises, as well as other entities identified as significant by regulatory authorities.

Transitioning from NIS 1 to NIS 2 entails not only an expansion in the regulatory ambit but also an augmentation of the technical prerequisites. Initial assessments indicate that in Romania alone, approximately 6-7 thousand organizations will fall within the purview of NIS 2, with the majority being ill-equipped, both strategically and technologically, to meet the new stipulations.

The journey toward NIS 2 compliance is multifaceted, bearing more profound implications than those encountered during the onset of GDPR. Given the palpable surge in cybersecurity threats, aligning with NIS 2 standards is indispensable for sustaining a resilient business ecosystem.

Read the article below to learn about:

  • What are the main differences between NIS Directive 1 and 2
  • Which organizations fall under NIS 2
  • What are the cyber security obligations required by the new directive
  • What you need to do to align with the NIS 2 Directive


The NIS 2 Directive is legislation approved as early as 2022, aimed at enhancing cybersecurity levels within the European Union. One of the ways it achieves this is by addressing a broader spectrum of industrial sectors, mandating the implementation of extensive cybersecurity measures, with strict requirements for incident reporting. NIS 2 not only requires public and private organizations to enhance their cybersecurity measures but also mandates national authorities to establish collaboration and intervention programs. In broad terms, NIS 2 targets the implementation of four key security objectives:

  • Risk management
  • Protecting against cyber attacks
  • Incident detection
  • Minimizing the impact of attacks

NIS 1 versus NIS 2


Introduced in 2016 and transposed into Law 362/2018 in Romania, the NIS 1 Directive sought to elevate the security standards of networks and information systems for critical infrastructure operators, both physical and digital, throughout Europe. Recognizing the pervasive digitalization and profound shifts in the cyber threat landscape in recent years, the European Commission identified the imperative for legislative updates. These updates aimed not only to encompass a wider array of industries but also to bolster and refine security mandates.

The new directive streamlines and fortifies security and reporting requirements for corporations by mandating a risk management approach. This approach delineates a minimum set of fundamental security elements that must be implemented. Furthermore, it introduces more stringent provisions concerning incident reporting procedures, report content specifications, and deadlines.

A critical aspect of NIS 2 is its approach to ecosystem security, encompassing supply chains, and client-supplier relationships, with a particular focus on the IT&C sector. Additionally, the new directive introduces stricter oversight measures for national authorities and requirements for pan-European collaboration.

Of course, penalties for non-compliance or violation of norms are not to be overlooked. While NIS 1 stipulated fines of up to €100,000, NIS 2 raised the ceiling to €20 million or up to 2% of the annual turnover for essential service providers, and €7 million or 1.45% of the annual turnover for significant service operators. However, the sanctions are graduated and may include warnings, temporary bans, public exposure, and so forth.


What companies fall under the scope of NIS 2?


According to European legislation, the NIS 2 Directive applies to all economic entities that meet or exceed the threshold for small and medium-sized enterprises (€10 million in turnover or 50 employees) and large enterprises (€50 million in turnover or 249 employees) and are providers of essential or important services.

Under the category of “Essential Entities,” the NIS 2 Directive includes the following 11 sectors and 9 sub-sectors: energy (electricity, central heating and cooling, oil, gas, hydrogen), transportation (air transport, rail transport, water transport, road transport), banking sector, financial market, healthcare, drinking water, wastewater, digital infrastructure, public administration, ICT service management (B2B), space activities. Additionally, the category of “Important Entities” refers to 7 main sectors and 6 sub-sectors: postal and courier services, waste management, manufacturing, production and distribution of chemicals, general manufacturing (medical devices, computers, electronic and optical products, electrical equipment, machinery and equipment, motor vehicles, trailers and semi-trailers, transport equipment), digital providers (marketplaces, search engines, social networking platforms), and research.

However, the legislation allows local authorities (the National Cyber Security Directorate – DNSC, in Romania) to extend the applicability to other organizations that fall below these thresholds but have a high-risk profile in terms of security. These organizations should also be subject to the obligations outlined in the new directive.


Security obligations imposed by NIS 2


Member states must ensure that essential and important entities adopt appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of networks and information systems they use for their operations or service provision, which will enable them to prevent or minimize the impact of incidents on their service beneficiaries and other services.

The obligations imposed by NIS 2 are structured across several levels:

  • Conducting risk analyses and establishing IT security policies.
  • Establishing a plan for managing security incidents.
  • Maintaining an operational continuity plan, including backup, disaster recovery, and crisis management.
  • Securing the entire supply chain, including business partners, clients, and suppliers.
  • Securing IT networks and systems and associated providers at the procurement, development, or maintenance level.
  • Implementing policies for managing security risks and effectively applying mitigation measures.
  • Adhering to essential cyber hygiene practices (such as Zero Trust) and training employees accordingly.
  • Utilizing encryption technologies.
  • Adopting multi-factor authentication solutions.

Furthermore, the NIS 2 Directive introduces a range of reporting obligations for cyber incidents that significantly impact service continuity. In Romania, this requirement aligns with those stipulated by cybersecurity legislation, compelling organizations to promptly notify authorities of any relevant incidents within 24 hours of detection. Subsequently, the regulations mandate updates within 72 hours, along with a comprehensive assessment after 30 days.

The directive defines an “incident” as any event that jeopardizes the availability, authenticity, integrity, or confidentiality of data stored, processed, or transmitted by an operator or its services. Moreover, it establishes specific parameters (such as the number of affected users, duration, and scope) to determine the relevance of an incident, thereby triggering reporting obligations. With a strong emphasis on collaboration and information sharing, the final notification must provide a detailed account of the incident, including its severity, impact, threat type, root causes, and remedial actions taken.


How do we ensure compliance with NIS 2?


From Datanet Systems’ perspective, aligning with NIS 2 requires a three-pillar approach:

  • Analysis of cybersecurity processes and strategy. This is necessary for a precise categorization within the defined classifications of the new regulations and for assessing how the company’s operations are affected.
  • Evaluation of the security level for all solutions, tools, policies, and security procedures to understand the current situation within the organization. This process will identify priority measures required for alignment with the requirements.
  • Development and implementation of a new security architecture aimed at achieving standards compliant with NIS 2 requirements, both technologically and procedurally, as well as promoting cyber hygiene among users.

At Datanet Systems, we offer comprehensive support throughout the entire alignment process, providing both consultancy and implementation services. Our portfolio features solutions from top global providers, addressing all operational needs arising from NIS 2 compliance. Furthermore, these solutions are flexible, available in both cloud and on-premises deployments, and tailored to each organization’s specific requirements, available resources, deadlines, and budget constraints.

For further details on how to ensure compliance with the NIS 2 directive, please reach out to us at sales@datanets.ro.