
Navigating the NIS 2 directive - Key takeaways

As the NIS2 Directive deadline approaches, immediate action is crucial. The European Union faces increased vulnerabilities due to frequent, sophisticated cyber-attacks, rapid digitization, and the looming threat of conflict. This urgency has driven the modernization of the Network and Information Security (NIS) Directive, resulting in the introduction of the NIS2 Directive.

Balazs Pozner · August 06, 2024 · 6 min read

With the NIS2 directive deadline on the horizon, it’s vital to act now and not postpone preparations. The European Union is grappling with heightened vulnerabilities from frequent and sophisticated cyber-attacks, rapid digitization, and the looming threat of war. This urgency necessitated the modernization of the Network and Information Security (NIS) Directive, leading to the introduction of the NIS2 Directive.

The NIS 2 directive (Network and Information Security Directive 2) serves as a pivotal measure in safeguarding digital infrastructure. The introduction of these new regulations is a response to the substantial surge in cyber threats in recent times. The NIS2 requirements, outlined in EU Directive 2022/2555, were meticulously formulated to enhance cybersecurity across member states.

Key Objectives of NIS2 Directive

  • Enhanced Cybersecurity Maturity: Achieving a consistent, high level of cybersecurity across all member states.
  • Resilience and Incident Management: Strengthening the resilience and incident management capabilities of public and private entities in critical sectors.
  • Stricter Safety Requirements: Implementing stronger safety protocols to safeguard against cyber threats.
  • Improved Supply Chain Protection: Ensuring robust protection throughout the supply chain.
  • Stricter Reporting Obligations: Mandating more rigorous reporting requirements for both industry-specific companies and government agencies.

The NIS2 Directive aims to fortify the EU’s cybersecurity framework by addressing these areas, making it more resilient against evolving threats.

Why is NIS 2 important?

Cybersecurity is one of the EU’s most pressing challenges. The integration of digital technologies into the economy, governance, and daily life has made them indispensable. Consequently, the susceptibility of European businesses to cyberattacks has increased, posing threats to critical infrastructure, potentially inflicting substantial financial losses, and eroding confidence in digital services.

The scope of the NIS 2 directive extends to the following organizations:

  • Companies and suppliers: This includes organizations that play a key role in maintaining the European economy and society by providing essential or important services, such as companies providing energy, transportation, water supply, healthcare, and digital services, postal and parcel delivery services, telecommunications providers, data centers, and companies providing cybersecurity services.
  • Other organizations: It can also extend to other organizations whose activities may pose significant cybersecurity risks.

Compliance is mandatory if an organization falls into any of the above categories, has at least 50 employees, or has an annual turnover exceeding 10 million euros. NIS 2 also affects many companies that were previously subject to little or no data security regulation beyond the GDPR. This change forces these companies to implement cybersecurity improvements that they have previously neglected.

Key Deadlines for Effective Cybersecurity Planning

Meeting crucial deadlines is essential for successful cybersecurity planning. Here are the key dates to keep in mind:

  • June 30, 2024:
    • Conduct self-identification.
    • Implement security measures.
    • Apply for registration.
  • October 18, 2024:
    • Deadline for conducting the NIS2-required risk analysis.
    • Develop an action plan.
    • Implement protective measures.
  • December 31, 2024:
    • Finalize a contract with the selected auditor for the first cybersecurity audit.
    • Focus on tendering and selecting auditors in the third quarter.
  • December 31, 2025:
    • Conduct the first cybersecurity audit.

By adhering to these deadlines, companies can ensure robust cybersecurity measures and compliance with regulations.

Ensuring Compliance with the NIS 2 Directive: A Guide for Firms

To stay compliant with the evolving legal landscape, firms must closely monitor changes in laws and adhere to the NIS 2 directive’s requirements. Key steps include:

  • Risk Assessments and Management: Conduct thorough risk assessments and implement effective risk management strategies.
  • Technical and Organizational Measures: Put in place necessary technical and organizational measures to safeguard your systems.
  • Incident Management Plan: Develop a comprehensive incident management plan to address potential security breaches.
  • Incident Reporting: Ensure timely reporting of major incidents to the relevant authorities.

While the NIS 2 directive is mandatory in Hungary, other EU member states may also adopt similar regulations. Notably, the directive now encompasses the Vulnerability Disclosure Program (VDP). As outlined in Section 15.18 of the law, organizations must establish a channel for receiving reports of vulnerabilities in their IT system components.

By proactively addressing these requirements, firms can enhance their cybersecurity posture and ensure compliance with the NIS 2 directive.

The NIS 2 directive — What can we expect?

The NIS 2 directive influences businesses indirectly: EU member states, including Hungary, transpose the directive’s requirements into their national legal systems. Consequently, national laws dictate which businesses are subject to the NIS 2 directive’s requirements and the responsibilities they must undertake.

Specialists deem the Hungarian rendition of NIS 2 exemplary due to its thoroughness and strictness. The regulation encompasses many stipulations that surpass the EU directive’s minimum requirements, obliging Hungarian businesses to construct superior cyberattack safeguards.

According to NIST SP 800-53 Rev. 5 (control enhancement RA-5(11), Public Disclosure Program), the reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of discovered vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity. However, it may request a specific time period to remediate the vulnerability properly.

Looking for a partner to support your preparation?

Our team has several years of experience in cybersecurity, working in this field long before the introduction of NIS 2. We have numerous international references and are proud to assist our clients in mitigating cybersecurity risks and complying with NIS 2 requirements.

With our managed VDP program, we help Hungarian companies establish a secure and cost-efficient channel to identify vulnerabilities.

Ready to secure your business and be NIS2 compliant?

Contact us today! For more information please visit: https://www.hckrt.com/Home/mVDP

Written by Balazs Pozner
CEO and Founder of HACKRATE Ltd.
