European Directive on information security NIS 2 applies from October 2024

from 06/04/2023

The European Directive on Network and Information Security NIS 2 (Directive (EU) 2022/2555) was adopted in December 2022 and entered into force in January 2023. Each EU member state must transpose its requirements into national legislation by 17 October 2024, from which date the new obligations apply. The Directive extends the existing European regulation known as NIS 1, transposed in this country as MIMIS (minimum requirements for network and information security).

NIS 2 is built on risk management in the sphere of cyber security and introduces measures aimed at strengthening protection against cyber attacks. It encourages the exchange of information and cooperation between EU member states in handling cyber attacks, and seeks to raise their level of cyber resilience. Each country must define minimum rules and mechanisms for effective cooperation between its competent authorities. Beyond the organizations themselves, NIS 2 also affects their supply chains: suppliers are not regulated directly but are obliged indirectly, through the requirements imposed on them by the organizations they serve, to observe the rules for network and information security.

What requirements does NIS 2 introduce

  • Multistage incident reporting. Affected companies have 24 hours from the moment they first become aware of a significant incident to submit an early warning to the CSIRT or the competent national authority, which also allows them to request assistance if needed. The early warning must be followed by an incident notification within 72 hours of becoming aware of the incident, and by a final report no later than one month after the notification.
  • Each member state should follow common standards for cyber security in order to facilitate the exchange of data and the more effective resolution of cyber incidents
  • Supply chain security and relations with suppliers: individual companies must address the cyber security risks in their supply chains and in their relationships with suppliers
  • Access control policies and the introduction of multifactor authentication
  • Risk analysis of existing information systems and the introduction of information system security policies
  • Incident handling (prevention, early detection and response): each organization must have procedures for responding to cyber incidents
  • Use of cryptography and encryption
  • Business continuity and crisis management
  • Security in the acquisition, development and maintenance of networks and information systems, including vulnerability handling and disclosure


Which organizations fall under the NIS 2 requirements

The Directive applies to medium and large organizations, i.e. those with 50 or more employees or with annual turnover (or balance sheet total) above 10 million euro, that operate in one of the following sectors:

  1. Energy (electricity, oil, gas, district heating)
  2. Transport (air, rail, water and road)
  3. Banking and financial market infrastructures
  4. Health sector (hospitals and laboratories)
  5. Drinking water and wastewater (wastewater only if it is an essential part of the activity)
  6. Digital infrastructure (telecommunications, DNS, TLD registries, data centres, cloud services)
  7. Digital services (search engines, online marketplaces, social networks)
  8. Postal and courier services
  9. Waste management
  10. Chemicals (production and distribution)
  11. Food (production, processing and distribution)
  12. Manufacturing (especially, but not only, medical, computer, electronic and transport equipment)
  13. Central and regional public administration


Consequences of non-compliance

The NIS 2 Directive aims to enforce the transition to a higher level of cyber protection and to eliminate the differences between member states in national cyber security requirements and in how cyber security measures are applied. It provides for supervision and enforcement of compliance, including fines of up to 10 million euro or 2% of the company's total worldwide annual turnover, whichever is higher (this is the maximum for essential entities; the maximum for important entities is lower).


How KONTRAX can help you improve your cyber protection

For more than 10 years KONTRAX has offered solutions from leading manufacturers in the sphere of cyber security. We can therefore provide you with the tools and solutions you need to improve your protection and to comply with the NIS 2 requirements. Our long experience as a system integrator allows us to deliver, install and maintain the solutions we offer, as well as to upgrade them when necessary. We remain at your disposal for further information and consultation on how to deal with the new threats and challenges in the sphere of cyber protection.