Approval of EU NIS2 directive

ESET welcomes the decision of the European Union legislators to issue the second Directive on the security of network and information systems (Network and Information Systems directive, NIS2), with the aim of strengthening cybersecurity in the EU.

The new legislation responds to the growing dependence of critical sectors on digitization and their increased exposure to cyber threats.

The directive, which has already been adopted, replaces the NIS Directive introduced in 2016 as the first EU-wide cybersecurity legislation. NIS2 has a wider scope, affecting more entities in "core" sectors, both public and private, such as energy, transport, banking, water and wastewater, among other critical infrastructure. At the same time, new obligations are introduced for those active in other "critical" sectors, such as manufacturing, food, chemicals, waste, postal services and courier services.

Businesses classified in the "vital" category should take both technical and operational measures to comply with the NIS2 directive, including incident response, supply chain security, encryption and vulnerability disclosure, appropriate risk analysis, testing and auditing of cybersecurity strategies, as well as crisis management planning to ensure business continuity. In the case of a cyber incident, such entities should also submit an initial notification within 24 hours and more detailed information within 72 hours. The NIS2 directive also introduces penalties for non-compliance, such as suspension of certification and personal liability for those in managerial positions, according to national laws.

Finally, the directive establishes the European Cyber Crisis Liaison Organization Network, EU-CyCLONE, to enable cooperation between national organizations and authorities responsible for cybersecurity, while each Member State should also clearly identify a single point of contact for reporting cyber incidents.

Do SMEs also have to comply?

The NIS2 directive establishes "the application of the maximum size rule, according to which all medium-sized and large enterprises, as defined in Commission Recommendation 2003/361/EC, active in the sectors or providing the type of services covered by this Directive, fall in its scope". Although it exempts small and very small businesses from the obligation to comply with the new rules, certain exceptions apply, such as for SMEs in the sectors of electronic communications networks or publicly available electronic communications services, trust service providers or TLD name registries.

SMBs are increasingly becoming the target of supply chain attacks due to limited security resources. Such supply chain attacks can have knock-on effects on the entities to which supplies are made. Member States should, through their national cyber security strategies, help SMEs to address the challenges they face in their supply chains. Member States should have a contact point for SMEs at national or regional level, which will either provide guidance and assistance to SMEs or direct them to the appropriate bodies for guidance and assistance on cybersecurity-related issues.

Last March, as part of the consultation on the NIS2 proposal, the European DIGITAL SME Alliance, the EU's largest network of ICT SMEs, published a text setting out its positions, welcoming the new directive but also warning about the indirect impact of NIS2 on SMEs.

Speaking to ESET, James Philpot, Project Manager at DIGITAL SME, notes that the first step SMEs should take to "understand the specific needs to strengthen their cybersecurity practices" is to review their "national cybersecurity center and ENISA's guides and recommendations." It "may be easier or harder" to get the right information, as "each Member State provides different resources". However, the NIS2 directive "mandates States to provide support and resources", especially when it comes to understanding in detail the scope of the legislation in question "and whether their customers will be subject to it", which "will help with planning".

Towards safer businesses

ESET's report on digital security trends in SMEs, published just last month, revealed that while 83% of SMEs believe that cyber warfare is an absolutely real threat and 71% have moderate to high confidence in their ability to investigate the root cause of cyber-attacks, 43% see a lack of employee awareness as the main cause of concern, while the actual adoption of endpoint detection and response (EDR) solutions, which help specifically in this area, was only at 32%.

As Philpot also notes in his conversation with ESET, "the impact of cyber incidents is well known" among SMEs: data, significant financial impact and loss of customer trust. Thus, "in a more general sense, we should be positive" about NIS2: at the very least, this directive will play an important role in raising awareness, as even companies that "are not required to comply, may develop greater awareness".

The NIS2 directive will be implemented after EU member states have incorporated it into their national law, which they have until September 2024 to do. However, some organizations may want to be ready sooner rather than later, not just to be on time with implementation, but also to test various best practices regarding incident handling, audit policies, etc. Above all, the NIS2 directive defines a common minimum level of cybersecurity in Europe, which should be treated as a minimum and in no case as a maximum.


Written by newsbot
