The Network and Information Security Directive 2 (NIS2) is a legislative framework adopted by the European Union to improve digital infrastructure and information security, to strengthen protection against cyber-attacks on critical infrastructure and services, and to improve the management and reporting of online security incidents.
The European Union's NIS2 Directive, which was introduced at the end of 2022, entered into force in Hungary on 1 January 2024, under the terms of Act 23/2023 (19 December 2023), also known as the Cybercrime Act. This law is mandatory for domestic companies and organisations in the sectors it affects.
To help our existing and future customers and partners comply with the NIS2 Directive as effectively as possible, we have gathered all the relevant information on the Cyber Security Directive and its implementation in 2024.
The NIS2 Directive sets out the digital security standards that must be met by organisations providing essential services (ESPs) and digital service providers (DSPs). The basic objectives of the Directive include:
- Ensuring the availability and resilience of essential infrastructure services such as transport, energy, the financial sector and health care.
- Reducing the risk of cyber-attacks.
- Promoting cooperation and information exchange between EU Member States and businesses.
By complying with the Directive, organisations can improve their cybersecurity preparedness and more effectively protect their networks and information systems against cyber-attacks.
According to an update on 1 February 2024, the draft Ministerial Decree on Security Classification and the Protection Measures to be Applied has been published for public consultation.
NIS2 extends the previous NIS Directive, broadening the scope of organisations covered and the mandatory reporting requirements.
In addition to the service providers covered by the previous NIS regulation, the scope of NIS2 also covers entities in the high-risk sectors (important and essential entities) and in new sectors not covered until now. Accordingly, the NIS2 Directive applies to well-defined public authorities, public administrations and privately owned medium and large enterprises.
It is extremely important to note that suppliers of these organisations and companies are also covered by the Directive, regardless of the industry to which they belong.
The NIS2 requirements mainly cover medium-sized companies, i.e. companies with more than 50 employees or an annual turnover of more than €10 million. A recent change in the application of NIS2 is that the scope of the Directive has been extended to new industries and organisations.
Compliance with NIS2 requires considerable effort for companies and is a major challenge for supervisory authorities. It is important to start preparing in time to avoid a repeat of the situations that occurred when the GDPR was introduced, when many companies failed to comply in time.
All organisations are exposed to cyber threats, and the extended scope of the law now includes organisations whose services are regularly used by businesses.
The legislation aims to encourage cooperation between EU Member States to protect against cyber-attacks. NIS2 requires service providers to implement security measures and report incidents, increasing transparency and speeding up the response to potential attacks. Important elements include cross-sector cooperation and the creation of expert groups to protect critical infrastructures. NIS2 also includes additional requirements for the security of IoT devices, to reduce cybersecurity risks when using Internet-connected devices. Implementation of and compliance with the Directive will improve the EU's digital resilience and security against cyber-attacks.
EU Member States, including Hungary, have until 17 October 2024 to transpose the NIS2 cybersecurity directive into their national legislation.
The Regulated Activities Authority (RPA) is publishing the draft for public comment, the results of which may influence the content of the final regulation. EU Member States have until 17 October 2024 to implement the NIS2 Directive into their national legislation.
- By 30 June 2024, organisations will have to apply for registration with the HESA, self-identify and appoint an IT security officer.
- By 18 October 2024, the mandatory security measures must be implemented and the specified supervision fee paid (up to 0.015% of the organisation's net turnover in the previous financial year, but not more than HUF 10M).
- A contract with the accredited audit firm must be signed by 31 December 2024.
- 31 December 2025 is the deadline for the first cybersecurity audit.
In the context of the implementation of NIS2, there are two main methods for the companies concerned to obtain the necessary security clearance:
Compliance self-assessment
Companies self-assess and document the adequacy of their information security systems, and must submit the completed self-assessment questionnaire and documentation to the authority by 30 June 2024. Upon successful acceptance, this information is entered into the HESO database. This process can be applied to information and communication technologies (ICT) that require only a "basic" level of assurance and are low risk.
External audit evaluation
Companies entrust an independent third party to carry out the certification process. Professional auditors will carry out an objective cyber security assessment and the results of the audit will also be included in the CSRP database.
At the "basic" level, companies focus on the basic and common risks that can arise during security incidents and attacks.
At the "significant" level, companies focus on a broader range of cybersecurity risks, including threats that can be carried out by less skilled and less resourced attackers.
At the "high" level, companies aim to minimise the risk of cyber-attacks, especially those carried out by attackers requiring a high level of expertise and significant resources, often taking advantage of the latest technological developments.
Under national legislation, companies subject to NIS2 are required to implement a number of cybersecurity measures. One of the most important of these is the obligation to report incidents.
Organisations are required to report all incidents that are considered serious to the Security Incident Response Teams and the relevant supervisory bodies within 24 hours of detection. An incident is considered serious if:
- it causes or has the potential to cause serious disruption to the services provided;
- it results in a financial loss for the organisation concerned;
- it causes (or is capable of causing) significant, i.e. tangible, material or intangible damage to natural or legal persons.
The required cybersecurity measures include:
- developing an IT security policy
- developing an incident response plan
- developing a business continuity plan (BCP)
- the obligation to report incidents within 72 hours
- identification of critical incidents
- carrying out vulnerability assessments
- developing a disaster recovery plan (DRP)
- risk analysis of electronic information systems
- implementing security controls
- risk analysis of stored data
- implementing the required administrative, physical and logical security measures
- network and overall system monitoring
- training of employees and managers
- mandatory audits every two years
(contact our experts for the full list!)
Managers are not only required to inform and educate their employees about cyber threats, but also have a number of additional responsibilities. One such task is to appoint a member of staff to be responsible for information security. They will also be required to have a cybersecurity audit every two years to check the company's own systems, including security classifications, and to confirm that the company complies with the necessary security standards. The companies concerned must collect all relevant information and provide it to the person or organisation carrying out the audit. This imposes a considerable administrative burden on companies, and the audit itself is costly, although the law allows the authority to set a maximum amount for the fees.
Those who fail to comply can face severe penalties of up to 2% of a company's turnover and, in some cases, a ban from the business. The work of auditors will also be closely monitored by the authority. It is important to make it clear that auditors and companies have a shared responsibility, so the contract should clearly set out the obligations and responsibilities of the parties.
Level of penalties for non-compliance with the Regulation
Failure to comply with the Regulation may result in substantial administrative fines:
- For organisations operating essential infrastructure, the penalty can be up to €10 million, or 2% of annual global turnover.
- For critical organisations, the fine can be up to €7 million, or 1.4% of the previous year's turnover.
In addition, national supervisory authorities may have the power to prohibit certain undertakings from carrying out their activities or their managers from exercising their functions in serious cases.
We support your preparations!
Our expert colleagues can help you prepare for and successfully complete next year's audit:
- We perform accurate, detailed and complete analysis of your existing processes,
- We have deep expertise and decades of extensive cybersecurity knowledge,
- Through our wide range of national and international professional contacts, we provide the best solution to eliminate potential security risks.
Contact us with confidence!
NIS2 information line:
+36 20 661 5661
e-mail: nis2@gloster.hu