The NIS2 Directive (Directive (EU) 2022/2555), which entered into force on 16 January 2023, is the EU's updated cybersecurity directive, designed to raise and harmonize the level of security across all European Union member states. Member states had until 17 October 2024 to transpose it into national legislation, which means that the companies and sectors it covers must update their systems and procedures within a limited timeframe.
Objectives and Scope of NIS2
NIS2 replaces the original NIS directive and aims to harmonize security measures across the sectors it covers, which the directive divides into sectors of high criticality and other critical sectors. The high-criticality sectors include energy, transport, banking and financial market infrastructure, healthcare, drinking water and waste water, digital infrastructure, and public administration, among others. Additionally, the directive places special emphasis on supply chain security and on service providers established outside the EU that offer services within it.
Classification of Entities
The directive distinguishes between essential entities and important entities. The classification depends on the sector and, in most cases, on the size of the organization:
Essential Entities: Generally large organizations operating in the high-criticality sectors, plus certain providers that qualify regardless of size (for example, DNS service providers, TLD name registries, qualified trust service providers, and central government public administrations). They are subject to the stricter supervisory regime and higher penalties. Examples include operators in energy, transport, healthcare, drinking water, digital infrastructure, and central and regional public administrations.
Important Entities: All other organizations in scope that do not meet the essential-entity criteria, including medium-sized entities in the high-criticality sectors and entities in the other critical sectors. These include postal and courier services, waste management, chemical production, food production and distribution, manufacturing, and digital providers such as online marketplaces, search engines, and social networking platforms.
Cybersecurity Obligations
Organizations classified as essential or important must implement appropriate and proportionate technical, operational, and organizational measures to manage the risks to their networks and information systems and to minimize the impact of incidents. Some key measures include:
Access control: Implementation of strict access policies and multi-factor authentication.
Malicious code protection: Use of tools and protocols to prevent and detect malware and ransomware.
Incident management: Establishment of procedures for reporting and responding to security incidents.
Mandatory Incident Notification
One of the prominent obligations of NIS2 is the mandatory notification of significant cybersecurity incidents, meaning incidents that cause or are capable of causing severe operational disruption or financial loss, or considerable material or non-material damage to others. Organizations must report to the competent authority or their national Computer Security Incident Response Team (CSIRT) in three stages:
Early Warning: Within 24 hours of becoming aware of the significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
Incident Notification: Within 72 hours of becoming aware of the incident, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
Final Report: Within one month of the incident notification, with a detailed description of the incident, its severity and impact, the type of threat or root cause, and the mitigation measures applied. Authorities may also request intermediate status updates while the incident is ongoing.
Failure to comply with the risk-management or reporting obligations can result in significant administrative fines: for essential entities, up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
National Cryptologic Center Support
To facilitate compliance with the directive, Spain's National Cryptologic Center (CCN) has set up a consultation service via email: [email protected]. Additionally, the CCN offers resources and guides, such as CCN-STIC 892, detailing the measures needed to adapt to NIS2 in line with the National Security Scheme (ENS).
The NIS2 Directive represents a significant step towards improving cybersecurity in the European Union. Organizations must take proactive measures to meet the new requirements, strengthening their security systems and protocols. Cooperation and compliance will be essential to protect critical infrastructures and ensure resilience in the European digital landscape.