The NIS2 Directive
The NIS2 Directive
The NIS2 Directive is an enhanced version of the EU's cybersecurity measures adopted in 2022, aiming for a higher level of cybersecurity in critical sectors. As such, it is important to prepare and implement it in a timely manner as it can require significant effort and cost. The NIS2 Directive will have a significant impact on organisations and services in critical sectors. The implementation of the Directive is the responsibility of the Member States, and in Hungary it will be transposed by the 2023 Cybersecurity Act, which will enter into force gradually, with particular emphasis on high-risk areas, and will designate the Supervisory Authority for Regulated Activites (SARA) with the control tasks.
The NIS2 Directive provides cybersecurity measures to keep up with increased digitisation and an evolving cybersecurity threat landscape. Organizations covered by the NIS2 Directive must implement measures to prevent or minimize the impact of various attacks. The Directive sets out the broad outlines of the system of expectations, leaving the detailed rules to the Member States. In Hungary, The Cybersecurity Act XXIII of 2023 (Kibertan. tv.) contains the rules on cybersecurity certification.
Improvements and changes to the NIS2 Directive
The NIS2 aims to correct the shortcomings of the previous Directive and modernise it to meet current challenges, ensuring that it remains relevant in the future. Significant changes are:
- Extension of the scope of the regulation to cover more sectors and businesses
- Required monitoring and accountability of security risks
- The provision of increased detailed guidelines on incident reporting
- Increased strictness concerning penalties and sactions for non-compliance
- Management of cybersecurity risks in supply chains for individual companies
- The call for stricter enforcement standards and rules on the supervision of national agencies and the coordination of Member States' criminal justice policies.
- The establishment of an EU register for the coordinated publication of vulnerabilities
Relevant Sectors
The Directive directly affects companies with an annual net turnover of more than €10 million and employing more than 50 people, as well as affecting smaller companies in critical sectors and their suppliers indirectly. The Directive aims to force companies whose failure would have a major impact on our society to increase cyber security. It therefore applies to players in the following industries:
Service providers and organisations in high-risk sectors
- Energy (electricity, district heating and cooling, oil, natural gas, hydrogen)
- Transport (air, rail, water, road and public transport)
- Health
- Drinking water, waste water
- Digital infrastructure
- Outsourced ICT services
- Space-based services
Service providers and organisations in risky sectors
- Postal and courier services
- Food production, processing and distribution
- Waste management
- Manufacturing, production and distribution of chemicals
- Manufacturing (manufacture of medical equipment, computers, electronic and optical products, electrical equipment, machinery and machinery equipment, motor vehicles, trailers and semi-trailers, other transport equipment)
- Digital service providers (online marketplaces, online search engines, social media platform providers)
- Research (research centres)
NIS2 Directive Deadlines
Legislation
EU Directive: (EU) 2022/2555
Hungarian Implementing Regulation: Not yet publicised.
Supervision
The NIS2 Directive establishes a uniform sanction framework for cybersecurity breaches in the EU. Sanctions may include binding instructions, warnings, administrative fines or bans. Competent authorities will have to take into account the specific circumstances of each case, such as the nature, seriousness, duration, damage or loss caused, and the intentional or negligent nature of the breach.
Authorities responsible for cybersecurity oversight (Hungary)
SZTFH: Szabályozott Tevékenységek Felügyeleti Hatósága
MNB Magyar MNB Nemzeti Bank
NBSZ Nemzetbiztonsági Szakszolgálat
KNBSZ Katonai Nemzetbiztonsági Szolgálat
NIS2 tasks
Cybersecurity risk management measures required by the NIS2 Directive, which must be demonstrated through a mandatory independent audit every 2 years:
- Develop policies: on risk analysis and areas of IT systems security
- Incident management: incident detection, response and recovery
- Incident reporting to the proper authorities
- Business continuity: planning, crisis management and recovery
- Supply chain security: relating to the security of IT relationships between the organisation and its suppliers and the operation of suppliers
- Consideration of security aspects in the procurement, development and maintenance of network and IT systems, including prior assessment of vulnerabilities
- Cyber hygiene exercises and cyber security awareness training
- Use of encryption and development of policies and procedures for the use of encryption
- Human resource security and access management policies
- Use of multi-factor authentication solutions
What requirements does NIS2 place on your organisation?
- Management: management should be aware of the requirements of the Directive and its risk management. They have a direct responsibility to identify and manage cyber risks to comply with the requirements.
- Reporting to authorities: Organisations should have processes in place to ensure that they are able to report appropriately to the authorities. These processes ensure that, for example, in the event of a major incident, a report can be delivered within 24 hours.
- Risk management: They should implement measures to minimise risks: this includes incident management, improving supply chain security, network security, access control and encryption.
- Business continuity: Organisations should consider how to ensure business continuity in the event of a major cyber incident. This may include system recovery, emergency procedures and the establishment of a crisis management team.
Sanctions
The Directive entered into force on 16 January 2023, but its provisions will apply from 18 October 2024. By that date, organisations must designate a professional to hold the position of Information Security Officer, who must prepare the organisation for the audit to be carried out by 31 December 2025. However, it is important to note that there are approximately 2,600 companies in the country covered by the law, but there is a shortage of auditors and information security professionals to prepare for the audit, so it is recommended to not leave it to the last minute.
The supervisory authority can apply a range of sanctions to non-compliant organisations, such as:
- Warning the organization
- Ordering the rectification of detected safety deficiencies
- Prohibition of the organisation from engaging in activities that directly compromise the fulfilment of safety requirements (taking into account the opinion of the authority that authorised or supervised the organisation's activities)
- Imposition of a fine (up to a maximum of €10 million, or 2% of turnover if higher, and in a repeatable manner)
- Informing users of the services provided by the organisation of the potential threat to them
Conclusion
Preparing for NIS2 is not only an obligation, but also an opportunity to improve cybersecurity and introduce common requirements. Proven standards and frameworks can serve as good examples of compliance. More stringent requirements will improve cyber security and increase the resilience of organisations to threats. All relevant organisations should review and assess their cybersecurity posture, including those that partner with companies covered by the Directive. Compliance checks on subcontractors may be necessary to ensure supply chain security. Implementing the necessary measures and deploying technologies requires expertise, so it is recommended to seek external assistance if internal resources are lacking. Implementing the requirements, especially in companies where cyber security has not been a focus in the past, may take longer, so it is recommended to start preparing early.