NIS 2, Directive 2022/2555 on measures for a high common level of cybersecurity across the Union of 14 December 2022, repealed Directive (EU) 2016/1148, and stands as the pivotal framework to fortify the cybersecurity posture of organizations, particularly within the critical and important sectors across the European Union. Aimed at aligning the industry with digital advancements and innovations, NIS 2 addresses the risks associated with the extensive reliance on Information and Communication Technologies (ICT). This Directive sets out the baseline for cybersecurity risk management measures and reporting obligations across the sectors that fall within its scope.
From the outset, the NIS Directive aimed to build cybersecurity capabilities across the Union, mitigate threats to the network and information systems used to provide essential services in key sectors, and ensure the continuity of such services when facing incidents, thus contributing to the Union’s security and to the effective functioning of its economy and society.
Given the intensification and increased sophistication of cyber threats, it is essential that all entities, whether within or outside the scope of the Directive, strive to achieve a high level of cybersecurity and implement cybersecurity risk-management measures that increase their capacity to respond to security incidents and catastrophic events. Quadprime, drawing upon its extensive knowledge and experience, is at the forefront of assisting organizations in achieving NIS 2 compliance. Recognizing the unique risk profiles of the critical infrastructure and other essential entities we have been working with since the first NIS Directive came into force, we offer bespoke advisory, training and technical services to navigate the intricacies of the NIS 2 requirements and ensure that organisations in scope achieve the required level of compliance.
In accordance with the provisions set out by the Cyprus Digital Security Authority in Κ.Δ.Π 389/2020, our services are designed to ensure that your operational resilience framework aligns with the relevant regulatory requirements and that you achieve the required compliance level.
We identify and assess risks that could impact your critical business services, including risks from third-party vendors, technological failures, and other external factors. Our approach includes the implementation of effective risk mitigation strategies.
We develop and refine incident response and recovery plans to ensure that your organization can respond effectively to disruptions and resume critical operations as quickly as possible.
The NIS2 Directive aims to address the deficiencies of the previous rules, to adapt them to current needs and to make them future-proof.
To this end, the Directive expands the scope of the previous rules by adding new sectors based on their degree of digitalisation and interconnectedness and on how crucial they are for the economy and society. Medium and large-sized companies in selected sectors will be included in the scope, while smaller entities with a high security risk profile could also be included in the scope of the NIS 2 Directive.
Entities are classified based on their importance and divided into two categories, essential and important entities, which are subject to different supervisory regimes.
It strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. The new Directive introduces more precise provisions on the process for incident reporting, content of the reports and timelines.
Furthermore, NIS2 addresses security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships.
The Directive introduces more stringent supervisory measures for national authorities, stricter enforcement requirements and aims at harmonising sanctions regimes across Member States.
NIS2 also establishes a basic framework, with responsible key actors, for the coordinated vulnerability disclosure of newly discovered vulnerabilities across the EU, and creates an EU vulnerability database for publicly known vulnerabilities in ICT products and ICT services, to be operated and maintained by the EU Agency for Cybersecurity (ENISA).
The NIS2 directive encompasses a wide range of entities across various sectors, emphasizing those of high criticality and other critical areas. Key sectors of high criticality include:
1. Energy Sector: This includes entities involved in electricity, district heating and cooling, oil, gas, and hydrogen.
2. Transport Sector: Covers entities in air, rail, water, and road transport.
3. Financial Sectors: Includes banking and financial market infrastructures.
4. Health Sector: Encompasses health services and the manufacturing of pharmaceutical products, including vaccines.
5. Water Management: Covers entities in drinking water and wastewater management.
6. Digital Infrastructure: This sector includes internet exchange points, DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery networks, trust service providers, and providers of public electronic communications networks and services.
7. ICT Service Management: Managed service providers and managed security service providers.
8. Public Administration and Space Sector.
Additionally, the NIS2 directive identifies other critical sectors, which include:
– Postal and courier services.
– Waste management.
– Chemicals sector.
– Food sector.
– Manufacturing sector, particularly of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers, semi-trailers, and other transport equipment.
– Digital providers, including online marketplaces, search engines, and social networking platforms.
– Research organizations.
In order to strengthen the supervision that helps ensure effective compliance, NIS2 provides for a minimum list of supervisory means through which competent authorities may supervise essential and important entities. These include regular and targeted audits, on-site and off-site checks, requests for information, and access to documents or evidence.
Sanctions include binding instructions, orders to implement the recommendations of a security audit, orders to bring security measures in line with NIS requirements, and administrative fines.
In relation to administrative fines, the new NIS Directive distinguishes between essential and important entities. For essential entities, it requires Member States to provide for a maximum fine of at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For important entities, NIS2 requires Member States to provide for a maximum fine of at least €7,000,000 or 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In order to ensure real accountability for the cybersecurity measures at organisational level, NIS2 introduces provisions on the liability of natural persons holding senior management positions in the entities falling within the scope of the new NIS Directive.
Member States will have to transpose the Directive by 17 October 2024 (21 months after the entry into force of NIS2). This means that entities should start familiarising themselves with the new elements of the NIS 2 Directive and go through an impact assessment or gap analysis, especially if they have been implementing the first NIS Directive and are already within the scope of the supervisory authorities. Make your management body aware of the new Directive and its key elements.
We are here to help. We offer awareness presentations and a full portfolio of services, including:
– NIS 2 impact assessments for new entities in scope
– Gap analysis of first NIS and the new NIS 2 for entities that already implement NIS
– Testing of cybersecurity controls
– Auditing and reviewing of existing security measures
– Implementation support with the risk assessments, policies, plans and security measures
– Keeping pace with the evolving cyber threat landscape while quantifying cyber risks, ensuring that cyber risk management aligns with broader GRC objectives, and meeting compliance requirements.