Safetech solutions and services for compliance with the NIS2 Directive
The NIS2 Directive is EU-wide legislation on cybersecurity. It provides for legal measures to boost the overall level of cybersecurity in the EU. EU cybersecurity rules introduced in 2016 by the NIS Directive have been updated by the NIS2 Directive, which entered into force in 2023. It has modernised the existing legal framework to keep pace with increasing digitalisation and the evolving cybersecurity threat landscape.
The deadline for transposing the NIS2 Directive into national legislation (October 17, 2024) is fast approaching, and the process of aligning with the new requirements is a complex one. For organisations that have not fallen under NIS1, compliance with the new Directive requires significant changes in internal processes. These may include new security policies and tools, staff training, and the implementation of new incident response procedures.
Therefore, in order to ensure compliance and avoid the harsher sanctions announced by NIS2, an early and well-structured approach becomes essential. Safetech Innovations has prepared a service package for compliance with the NIS2 Directive, which provides guidance and support for each stage of this process.
What changes does the NIS2 Directive bring
The main objective of NIS2 is to improve cybersecurity in the European Union by strengthening/extending the legal framework initially established by the NIS1 Directive, and by addressing its shortcomings. The new Directive sets out measures to ensure a minimum level of cybersecurity for all Member States, protect critical infrastructures and prevent security incidents. In addition, it improves cooperation between authorities in the field of cybersecurity and strengthens the level of incident reporting. The NIS2 Directive brings changes on three main levels:
1. Expanding the coverage area to new sectors of activity
NIS2 proposes a new classification of the organisations concerned, dividing them into “essential entities” (EE) and “important entities” (EI), and expands the scope of NIS1 by introducing more sectors and subsectors of “critical importance” and “high critical importance”. Among the sectors covered by NIS2 are:
- Sectors of high critical importance: energy (electricity, district heating and cooling, oil, gas and hydrogen); transport (air, rail, sea and road); banks; financial market infrastructures; health, including pharmaceutical manufacturing; drinking water; wastewater; digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services); ICT service management (managed service providers and managed security service providers); public administration; and space.
- Sectors of critical importance: postal and courier services; waste management; chemicals; food; manufacture of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment; digital providers (online marketplaces, online search engines and social media service platforms); and research organisations.
Find all sectors/subsectors, as well as further information, on the official EU NIS2 page.
According to NIS2, the main entities covered by the new Directive are large (> 250 employees) and medium-sized (> 50 employees), which “operate in the sectors indicated or provide the type of services regulated” by the Directive. Small and micro enterprises are not covered, but NIS2 provides for certain exceptions for those considered critical entities, for example SMEs active in the electronic communications sectors. These exceptions will be explicitly specified by each EU Member State.
The deadline for each EU Member State to draw up EE and EI lists is 17 April 2025.
2. Imposing minimum protection requirements
NIS2 obliges EEs and EIs to define their security policies and conduct risk and vulnerability analyses, report vulnerabilities, effectively manage incidents (prevention, detection and response) and constantly test the effectiveness of cybersecurity measures, use encryption technologies and apply procedures for evaluating measures for risk management (testing and auditing).
In addition, the new Directive increases the powers of top management, who will be responsible for implementing security measures and training employees, and will be able to be held accountable. More complex governance and reporting procedures are also emerging: additional reports, focus on business continuity (business impact analysis, continuity plans), internal/external audits, security testing, policy review, etc.
At the same time, NIS2 pays increased attention to the security of the entire supply chain. It requires the identification of vulnerabilities specific to each direct supplier and accountability across the entire supply chain, and it encourages vulnerability disclosure and procedures for verifying the security of purchased products and services.
We invite you to access the solutions proposed by Safetech for the cybersecurity of suppliers and subcontractors, in this article.
NIS2 will also impose a multi-risk approach (all-hazards) based on various protection methods, with a focus on prevention and cyber hygiene (multi-factor authentication, “Zero Trust” principles, threat hunting, honeypot, etc.), and on streamlining cybersecurity activities, including through Artificial Intelligence systems.
Minimum protection measures provided for in the Directive:
- Risk management: Implementing policies and procedures for identifying, assessing and managing cybersecurity risks.
- Security of networks and information systems: Ensuring the protection of networks and information systems against cyber threats through the use of appropriate technical and organisational controls.
- Incident management: Developing and maintaining procedures for detecting, reporting and managing cybersecurity incidents, including notifying competent authorities.
- Business continuity: Implementing plans and measures to ensure business continuity and recovery from cybersecurity incidents.
- Access control: Implementing measures to control access to networks and information systems, including user authentication and authorization.
- Data security: Protecting data privacy, integrity, and availability through the use of appropriate data security measures, such as encryption and regular backup.
- Security of suppliers and partners: Ensuring that suppliers and partners comply with cybersecurity requirements, including through the use of contracts and regular security assessments.
- Employee awareness and training: Developing and implementing awareness and training programs for employees on cybersecurity and good security practices.
- Audit and testing: Conducting regular audits and security tests to assess the effectiveness of the security measures implemented and identify vulnerabilities.
- Reporting to authorities: Promptly notifying competent authorities of cybersecurity incidents that significantly affect the continuity of essential services or data security.
3. Reporting deadlines
The NIS2 Directive specifies the procedure for reporting incidents to the competent authorities. In Romania, the National Directorate of Cyber Security (DNSC) has been designated as the competent national authority, with a regulatory role and with the function of a national IT security incident response team (CSIRT), based on Law 362/2018 (which implements the provisions of NIS1 at national level). The list of local CSIRTs for all EU Member States has been published by the European Union Agency for Cybersecurity (ENISA) and can be found here.
NIS2 introduces the term “significant incident”, defined as a cybersecurity incident with a significant impact on the continuity of the business or service activity. More specifically, incidents that “cause serious operational disruption of services or financial losses for the entity concerned” must be reported, as must those that may affect other natural or legal persons (moral or material damage).
The reporting itself is carried out in four stages. The significant incident must be reported within 24 hours from the moment it became known (stage 1). More information is provided within 72 hours of becoming aware of the incident, through an incident notification containing an initial assessment of the incident, including severity, impact and indicators of compromise (stage 2). At this point, the organisation may seek additional guidance and technical assistance from the authorities.
Subsequently, at the request of the competent bodies, an interim report with a relevant update of the situation is provided (stage 3), followed by a final report no later than one month after the incident notification (stage 4). Depending on the stage, EEs and EIs have specific reporting requirements. For example, in the first stage, the security measures taken by the organisation in response to the threat must be mentioned.
In the event of an ongoing incident, NIS2 also provides for a fifth stage, a report on the evolution/progress of the situation. Entities that are not covered by NIS2 may voluntarily report significant security incidents without additional obligations.
Risks of non-compliance with NIS2
NIS2 introduces strict mechanisms for implementing cybersecurity measures. The competent bodies will have the authority to carry out inspections, surveillance (on-site or off-site, post-event), security audits and security scans. They may also request information, access to data and documents, as well as evidence of compliance. Critical entities will also be subject to ad-hoc/random checks and audits.
If a breach of the provisions of the Directive is discovered, organisations will receive warnings, binding instructions and deadlines for their implementation. Entities may also be obliged to inform the individuals/legal entities affected by the incident. If these indications are not followed, the authorities will impose sanctions such as temporary suspension of services/activities or administrative fines.
NIS2 increases the maximum ceiling of fines and distinguishes between essential entities and important entities. Essential Entities will be subject to fines with an upper limit of at least €10,000,000 or an upper limit of at least 2% of total annual worldwide turnover. Fines for Important Entities will have an upper limit of at least €7,000,000 or at least 1.4% of the total annual worldwide turnover recorded in the previous financial year. If the reported incident also constitutes a violation of the GDPR, only non-financial penalties will be applied under NIS2, according to the provisions of the new Directive.
Moreover, executive directors and legal representatives can temporarily lose their positions in the organisation, a measure intended to make the individuals in senior management positions who are tasked with implementing the new Directive genuinely accountable.
How Safetech can help you achieve NIS2 compliance
Safetech Innovations has assisted over 50 customers through solutions and services compliant with the provisions of NIS1 (in Romania, Law 362/2018) and has already started collaborations for compliance with NIS2 in the retail and insurance fields. The company provides customers in critical sectors with the expertise and experience gained in this field, providing a complete and customizable package of services and technical solutions for achieving and maintaining compliance.
The Safetech team includes 6 employees accredited by the National Directorate of Cybersecurity (DNSC) as cybersecurity auditors, registered in the National Register of Cybersecurity Auditors.
An important element in the mature portfolio of services for maintaining NIS compliance is the STI-CERT® (Safetech Innovations Computer Emergency Response Team) centre. It has been operating for over 8 years, provides 24/7 coverage in 3 shifts and manages cybersecurity for over 60,000 employees of our customers. STI-CERT is structured on three levels of competence to ensure effective and timely monitoring of cyber threats.
Safetech has all the necessary skills to deliver NIS2 compliance, within 6 months, providing guidance at every stage of the process, as follows:
- Initial assessment,
- Preparation of the accreditation file,
- Implementation of the action plan resulting from the initial assessment,
- Necessary governance consultancy,
- Implementation of the necessary technical solutions,
- Initiation of security monitoring services with 24/7 coverage.
Safetech’s recommendation is to start the evaluation and compliance process with the NIS2 Directive as early as possible, and in this regard we invite you to contact us by email at sales @ safetech.ro or by phone at +40 21 316 0565.