Ensuring compliance with NIS2, DORA, CER
The NIS2 Directive (the Directive on measures for a high common level of cybersecurity across the Union), also written NIS-2, is EU-wide legislation whose legal measures require regulated entities to undertake significant technical and organizational changes.
The NIS2 Directive does away with the previous division into operators of essential services, digital service providers and public entities. According to estimates, there will be more than one million regulated entities within the European Union, covering many sectors previously outside the scope of regulators' attention.
The most significant change resulting from NIS-2 is the introduction of penalties:
- essential entities committing violations will be subject to administrative fines of a maximum of at least EUR 10,000,000 or at least 2% of the total annual worldwide turnover in the preceding fiscal year of the undertaking to which the essential entity belongs, whichever is higher;
- important entities committing violations will be subject to administrative fines of a maximum of at least EUR 7,000,000 or at least 1.4% of the total annual worldwide turnover in the preceding fiscal year of the undertaking to which the important entity belongs, whichever is higher.
The directive requires essential and important entities to implement appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of the network and information systems they use to conduct their business or provide their services, and to prevent or minimize the impact of incidents on the recipients of their services and on other services.
The following measures, among others, are imposed on entities covered by NIS2:
- risk analysis and information system security policies;
- business continuity assurance, such as backup management, disaster recovery and crisis management;
- supply chain security, including security-related aspects of the relationship between each entity and its direct suppliers or service providers;
- security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;
- policies and procedures for evaluating the effectiveness of cybersecurity risk management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures on the use of cryptography and, where applicable, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity.
Incident reporting: essential and important entities are obliged to report significant incidents according to the following schedule, under threat of financial sanctions:
- Where essential or important entities become aware of a significant incident, they are required to submit an early warning without undue delay and in any event within 24 hours.
- The entities concerned must submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident.
- A final report must be submitted no later than one month after the incident notification.
CISO4U will ensure that your company adapts to the requirements of NIS2 and DORA, helps you meet the initial conditions, and ensures ongoing compliance with the regulations.
The CISO4U consulting service, together with continuous monitoring of the customer's infrastructure, allows you to report potential incidents within the timeframe required by law, which minimizes the risk of financial sanctions (administrative penalties).
NIS-2 Directive essential and important sectors
Essential sectors:
- Energy (electricity, district heating, oil incl. central oil stocktaking entities, gas and hydrogen)
- Transport (air, rail, water, road)
- Financial market infrastructures
- Health (healthcare, EU reference labs, research and manufacturing of pharmaceuticals and medical devices)
- Drinking water
- Waste water
- Digital Infrastructure (IXP, DNS, TLD, cloud, data centres, Content Delivery Networks, electronic communications, trust service providers)
- ICT Service management
- Public administration entities
- Postal and courier services
- Waste management
- Chemicals (manufacture, production, distribution)
- Food (production, processing, distribution)
- Manufacturing (medical devices; computer, electronic and optical products; electrical equipment; machinery; motor vehicles and (semi-)trailers)
- Digital providers (search engines, online market places and social networks)