18/06/2024

NIS2 – what is it, who does it affect and why should you prepare today?

The NIS 2 Directive ((EU) 2022/2555) aims to significantly improve the level of resilience against cyber attacks, strengthen the protection of personal data and increase trust in digital services in the European Union. Member states have until October 17, 2024 to implement the directive’s provisions into their national laws.

The idea is to introduce a more harmonized and consistent approach to cyber security across the European Union. If your company fails to meet the new requirements, it faces severe penalties – up to €10 million or 2% of annual turnover! Don’t wait until the last minute, it’s hard to avoid consequences then.

Who is affected by NIS2?

The new regulations distinguish between critical and important sectors to better define the scope of cyber security responsibilities.

Key sectors are those that are fundamental to the functioning of society and the economy. Their disruption could have serious consequences.

Micro and small enterprises are required to implement NIS2 requirements if they qualify as essential entities. The directive also covers domain name registration service providers, regardless of company size.

Medium- and large-sized enterprises fall under NIS2 if their activities cover key or important sectors.

Key Sectors

Important Sectors

Importance of the NIS2 directive for businesses

Cybercriminals always look for the weakest links (the least protected companies) because they are the easiest to attack. Inadequate security can lead to serious incidents such as data theft, business downtime and huge financial losses.

When a company in a key or important sector comes under attack, the consequences can be disastrous not only for itself, but for the entire economy. The disruption of one entity can have an avalanche effect, affecting other companies and sectors with which it is affiliated. That’s why NIS2 introduces measures to make companies less vulnerable to hacker attacks:

With NIS2, cyber security rules will be similar in all EU countries. This means that you no longer have to comply with different regulations in each country where you operate. This simplifies doing business and reduces bureaucracy.

Better coordination and regulatory consistency mean a higher level of protection against cyber threats. This helps protect your company from attacks that can cause data loss, financial loss and even damage your reputation.

If a cyber attack occurs, you must quickly report the incident to the appropriate authorities. With uniform procedures, you know exactly what to do and who to turn to, allowing you to respond quickly and minimize damage.

Unifying regulations helps to better manage risks. You can more easily implement effective risk management procedures that are in line with best practices across the EU. This increases your company’s resilience to cyber threats.

NIS2 facilitates cooperation among EU countries on cyber security. Your company can benefit from better information sharing and support from other countries in case of cross-border attacks. It’s an extra layer of protection that enhances your safety.

Consequences of the new directive

If a company’s operations fall under NIS2, it’s a good idea to be aware of the consequences of not meeting the requirements.

Failure to comply with NIS2 regulations can lead to heavy financial penalties. We are talking about millions of euros! Is it worth the risk? For essential entities, the fines are at least EUR 10,000,000 or 2% of the company’s total annual turnover, whichever is higher.

If the company belongs to the “important sector,” the penalties are at least €7,000,000 or 1.4% of the company’s total annual turnover. Again, the higher of the two amounts applies.

What exactly does NIS2 require? Minimum requirements

The NIS2 Directive (Article 21) requires companies to implement comprehensive risk management measures that protect both networks and information systems, as well as their physical environment, from incidents. Which elements are highlighted, and how should they be introduced?

  1. Risk analysis and information systems security policy:
    Your company must have a risk analysis policy that identifies potential threats to IT systems. You also need to implement security policies that specify how to protect your IT systems from these threats.
  2. Incident handling:
    You must have cyber incident response procedures in place that enable you to manage crises quickly and effectively. If such an incident occurs, it is your responsibility to report it within 24 to 72 hours of detection. Reports must be made to the relevant national authorities responsible for cyber security, such as a CERT (Computer Emergency Response Team) or CSIRT (Computer Security Incident Response Team).
  3. Business continuity:
    Your company should manage backups and have a plan to restore normal operations after an incident. You should also have a crisis management plan for emergencies.
  4. Supply chain security:
    You must assess and manage the risks associated with suppliers and service providers to ensure that the entire supply chain is safeguarded.
  5. Security in the acquisition, development and maintenance of systems:
    Introduce security policies for acquiring, developing and maintaining IT systems.
  6. Evaluation of the effectiveness of the measures:
    Regularly evaluate the effectiveness of implemented risk management measures. Introduce procedures for auditing and evaluating security policies. Promote basic cyber hygiene practices among employees. Hold regular cyber security training sessions.
  7. Human resource security, policies and procedures for using cryptography:
    Implement policies on the use of cryptography and data encryption where necessary. Manage security of employee access to IT systems, control access and manage assets. Implement multi-factor authentication. Provide secure internal communication systems, especially in emergency situations.

Summary

The NIS2 directive is a challenge, but also an opportunity for SMEs to strengthen their position in the market by improving security. Many companies are already in compliance with some of the requirements, but because of the number of them, it is worth getting started now. It will be crucial to use the tools, training and support available to meet the new demands. Start acting today to assess your company’s readiness and ensure compliance before national regulations take effect. Remember, non-compliance can cost you millions!

Jakub Kozioł Managing Partner

(+48) 600 818 015