In today's digital age, cybersecurity is a key priority for businesses of all sizes. With the increasing number of cyberattacks and growing dependence on technology, it is becoming essential to implement measures to protect systems and data.
The European Union is responding to this challenge by adopting Directive NIS 2 (Network and Information Systems Directive), which sets out new rules to enhance cybersecurity. This legislation is designed to strengthen the resilience and security of networks and information systems in EU Member States. The Slovak Republic is transposing the NIS 2 Directive by amending Act No. 69/2018 Coll. on cybersecurity, which will come into effect on January 1, 2025. In this article, you will learn what changes the directive brings, who it applies to, and how to prepare for it.
What is the NIS 2 Directive?
The NIS 2 Directive is a legislative act of the European Union that follows on from the original NIS 1 Directive adopted in 2016. Its main objectives are:
- Increasing cyber resilience: Introducing mandatory measures to protect against cyber threats.
- Improving cooperation: Promoting the exchange of information between states and companies.
- Awareness raising: Spreading knowledge about cyber risks and solutions.
- Scope extension: Involvement of a wider range of sectors and organizations, including critical infrastructure and digital services.
Differences from the previous directive:
- Extended scope: The Directive covers a wider range of sectors, including digital services and critical infrastructure.
- Stricter requirements: Companies must manage risks in greater detail and report incidents.
- Higher penalties: Failure to comply with the rules can result in significant fines.
What new obligations does the NIS 2 Directive bring?
The directive sets out a number of key obligations for companies:
- Risk management: Implementation of systems to identify, assess, and mitigate cyber risks.
- Incident reporting: Obligation to report cyber incidents to national authorities, with reporting deadlines of 24 hours and 72 hours from discovery.
- Security measures: Implementation of technical and organizational solutions such as encryption, firewalls, recovery plans and testing, data backup, incident monitoring, and others.
- Education: Regular training of employees on the latest cyber threats and procedures.
- Cooperation: Companies should actively communicate with authorities and other organizations in the field of cybersecurity.
The NIS 2 Directive applies to a wide range of entities, which are divided into two main categories: key entities – those operating a critical basic service, and important entities – other basic service operators. These categories cover organizations whose activities are of vital importance to the economy, security, and society within the European Union.
Key entities
These are considered the most strategically important, and their failure can have a significant impact on the functioning of society. They include:
- Energy: Electricity, oil, gas, district heating, and hydrogen.
- Transportation: Air, rail, water, and road transportation.
- Banking and financial market infrastructure.
- Healthcare: Including the manufacture of pharmaceutical products.
- Drinking water supply and water treatment and distribution.
- Digital infrastructure: DNS providers, cloud service providers, data centers, content delivery networks.
- ICT service management: Managed services and security services.
- Public administration.
- Outer space.
Important entities
These have a significant impact on the security and resilience of society, but their failure is not as critical as that of key entities. They include:
- Postal and courier services.
- Manufacturing (medical devices, electrical equipment, machinery and equipment, motor vehicles, etc.).
- Manufacture and distribution of chemicals.
- Food businesses.
- Waste management.
- Digital service providers.
- Research.
Additional criteria for determining obligated entities
The NIS 2 Directive applies not only to sectors, but also to specific companies based on:
- Organization size: at least a medium-sized enterprise (a minimum of 50 employees and an annual turnover or balance sheet total of EUR 10 million or more).
- Criticality of their services: Entities providing services essential to the functioning of society and the economy.
- Risk profile: Organizations whose activities pose a higher cyber risk.
How to ensure compliance with requirements?
To ensure compliance with the NIS 2 Directive, an audit of the current security status must be performed to identify security vulnerabilities. Subsequently, a risk management plan must be developed that includes a strategy for mitigating risks. Companies should implement technical measures such as firewalls, encryption, and network monitoring, as well as regularly educate employees through training and other means. Cooperation with national authorities (National Security Authority – NSA) and external experts is also an important part of this.
Failure to comply with the directive can have serious consequences for companies. These include the risk of heavy fines, the amount of which depends on the severity of the violation. Companies may also face legal disputes that can negatively affect their reputation. In addition, inadequate security can lead to a loss of trust among customers and business partners, which can weaken business relationships.
The directive represents an opportunity for companies to improve their security measures and increase their resilience to cyber threats. Although implementation can be challenging, investing in cybersecurity brings long-term benefits. If you want to ensure that your company complies with the requirements of the NIS 2 Directive and the amendment to the Slovak Republic law, contact ECTA, s.r.o.