NIS 2

The NIS 2 directive is a legislative act that sets out measures to achieve a high common level of cybersecurity across the EU.

The NIS 2 directive

In the digital world, cyber threats are becoming increasingly sophisticated, posing significant risks to businesses and individuals alike. The new Directive (EU) 2022/2555, also known as the NIS 2 Directive, aims to achieve a high level of cybersecurity and targets key sectors critical to the functioning of society. Are you interested in what NIS 2 means for you and your business? We bring you a comprehensive guide to this important legislation. We will discuss its key points, the affected sectors, and explain what steps need to be taken to achieve compliance with the new rules by the deadline of October 17, 2024. As with all areas of IT management, VNET offers its expertise to help you meet all legal requirements for NIS 2 compliance and cybersecurity in your company.

What is the NIS 2?

The NIS 2 Directive is a legislative act that establishes measures to achieve a high common level of cybersecurity across the EU. Its aim is to improve the existing cybersecurity framework by introducing stricter obligations for companies and organizations in critical sectors.

Cybersecurity is not just a phrase but a legal obligation

Obtain a grant to secure your data in cooperation with VNET

The Competence and Certification Center for Cybersecurity, acting as the National Coordination Center (NCC-SK), announces a call for project submissions focused on the development of cybersecurity in Slovakia. This call is aimed at small and medium-sized enterprises (SMEs) to support their cybersecurity resilience.

Who can apply?

Eligible applicants are legal entities that meet the following conditions:

  • Small and medium-sized enterprises (SMEs) registered in the territory of the Slovak Republic.
  • Have an approved financial statement for the completed accounting period, which is no shorter than 12 months.

Eligible projects

The call will support projects aimed at developing security documentation in accordance with the Decree of the National Security Office No. 362/2018 Coll. Projects must be implemented between November 1, 2023, and February 28, 2025.

Financial Support

  • Small Enterprises: The minimum expenditure amount is €33,705, and the maximum is €44,940. The grant covers up to 90% of these expenditures.
  • Medium Enterprises: The minimum expenditure amount is €33,705, and the maximum is €52,430. The grant covers up to 90% of these expenditures.

How to Apply

Applications can be submitted electronically via the portal www.slovensko.sk using the application form. All applications must be submitted by October 15, 2024, at 6:00 PM at the latest.

All details are described in the call and its annexes:

Are you interested in this initiative?

Download the practical handbook, where you will find all the important information and details regarding this call.

Download

What are the key points of the NIS 2 Directive?

  • Expanded scope

    The directive affects a wider range of sectors and entities, thereby strengthening overall cyber resilience. Cybersecurity obligations will now also apply to companies that were not previously regulated.
  • Enhanced protection against cyber risks

    Stricter measures for managing cyber risks are being introduced. Businesses will need to implement and maintain adequate technical and organizational solutions to protect against cyber threats.
  • Implementation of security measures

    Operators of critical infrastructure must implement strict security measures to protect their systems and data. This includes risk management, incident response plans, testing, and audits.
  • Mandatory reporting of cyber incidents

    All entities covered by the NIS 2 Directive will be required to report cyber incidents to the relevant authorities. This is crucial for the timely identification of threats, coordination of response, and prevention of the spread of cyber attacks.
  • Establishment of national teams

    Each member state must establish a national team for responding to cybersecurity incidents (CSIRT). These teams will coordinate the response to cyber attacks and share information with other member states.
  • Strengthened cooperation at the European level

    The directive emphasizes strengthening cooperation among EU member states in the field of cybersecurity. This includes information exchange, mutual assistance in addressing cyber incidents, and joint development of tools and solutions to combat cyber threats.
  • Reducing Long-Term Risks

    Investments in cybersecurity in line with the NIS 2 Directive are not just a short-term obligation but a foundation for reducing future risks and building resilience against cyber threats.

Who does the NIS 2 directive apply to?

The directive applies to a wide range of entities and distinguishes them between two types of critical infrastructure:

  • Entities of Essential Importance

    These entities, such as energy companies, hospitals, and banks, provide services that would have a serious impact on the functioning of the state, economy, or society in case of disruption. Therefore, they are subject to stricter cybersecurity requirements.

    Examples

    Energy

    Transport

    Financial markets

    Healthcare

    Water management

    Digital infrastructure and services

    Public administration

    Space industry

  • Entities of Important Significance

    This category includes organizations such as postal services, waste management, and manufacturing companies. While a disruption of their services would have a smaller impact, it still poses a risk to cybersecurity. Therefore, these entities also need to adhere to certain security measures.

    Examples

    Postal and courier services

    Waste management

    Chemical industry

    Manufacturing industry

What are the obligations for entities of essential and important significance?

The cybersecurity requirements differ for these two types of entities.

Entities of Essential Significance are subject to stricter rules due to the potentially serious impact of disruptions to their services.

Obligations for entities of essential significance

  • Compliance with all requirements of the NIS 2 Directive.
  • Reporting all security incidents, regardless of severity.
  • Monitoring warnings from the National Cyber Security Centre (NCIB) and proactively responding to threats.
  • Subject to oversight by the NCIB.
  • Data and information must be processed on servers within the designated region.
  • Assessing the cybersecurity measures of critical suppliers is mandatory.

Obligations for entities of important significance

  • Compliance with selected requirements of the NIS 2 Directive.
  • Reporting only significant security incidents.
  • Monitoring warnings from NCIS is not mandatory.
  • Subject to oversight by a certified NUCIB inspector.
  • Data and information do not need to be processed on servers within the designated region.
  • Assessing the cybersecurity measures of suppliers is not a requirement.

Challenges of the NIS 2 Directive

While the NIS 2 Directive offers many benefits, its implementation is also full of challenges, and that’s why it’s good to have a reliable partner like VNET by your side:

Obligations for Entities of Essential Significance

  • Complexity of Implementation

    The requirements of the NIS 2 Directive can be challenging for companies, especially smaller ones with limited resources, to understand and implement.
  • Implementation Costs

    Adhering to new security measures requires investments in technologies, personnel, and professional training.
  • Shortage of Experts

    The cybersecurity market suffers from a shortage of qualified professionals. This can pose a problem for companies in implementing and maintaining the required security measures.
  • Need for International Cooperation

    The success of the NIS 2 Directive also depends on effective cooperation between EU states in information sharing and coordinated responses to cyber threats.

Benefits of the NIS 2 Directive

The NIS 2 Directive offers extensive benefits for companies of various sizes and sectors in terms of cybersecurity protection in the EU:

  • Protection of Sensitive Information and Systems

    NIS 2 establishes strict cybersecurity requirements, helping companies protect their sensitive data and systems from cyberattacks.
  • Resilience to Threats

    By implementing the NIS 2 Directive, companies will strengthen their resilience to cyber threats and be better prepared to manage and respond to cyberattacks.
  • Compliance with Legislation

    NIS 2 defines clear cybersecurity requirements that companies must meet. By adhering to these requirements, companies will avoid fines and penalties for non-compliance with legal obligations.
  • Enhanced Reputation

    Compliance with the NIS 2 Directive demonstrates a company’s commitment to data protection and cybersecurity, thereby enhancing its reputation with customers, partners, and investors.
  • Prevention of Financial Losses

    Cyberattacks can cause significant financial losses for companies due to operational disruptions, data theft, and ransom demands. Implementing NIS 2 will help companies prevent cyberattacks and minimize their financial impacts.
  • Government Support

    The NIS 2 Directive also provides companies with state support in the form of access to national resources and expert knowledge in cybersecurity. In the event of a cyber incident, companies will not be alone and can seek help from governmental authorities.
  • Increased Trustworthiness

    By adhering to the strict security measures of the NIS 2 Directive, companies will gain the trust of customers and partners, making them more willing to share sensitive information.
  • Level Playing Field

    The NIS 2 Directive creates a unified cybersecurity framework for the entire EU. This levels the playing field for businesses and eliminates competitive advantages for companies that have previously avoided investing in cybersecurity.