In order to strengthen the security of the networks and information systems of critical and sensitive infrastructures within all its member states, last December the European Union published the NIS2 directive, which replaces the current Network and Information Security (NIS) directive. NIS2 is part of the Union's overall cybersecurity strategy and introduces important innovations, including those relating to the responsibility of management bodies and their members. Each Member State must transpose it into national law by October 15, 2024.
The scope of NIS2 has been greatly expanded: it now covers medium and large companies within the sectors it identifies as essential (11 sectors) and important (seven), although those are not the only entities it affects. In the case of communications providers, trust service providers or domain name providers, the size of the company will not matter.
The management bodies of critical and important entities must approve the cybersecurity risk management measures adopted by their entities, supervise the implementation and be accountable for non-compliance. The lack of specific cybersecurity knowledge won't be an excuse, since the members of the management bodies of critical and important entities are also required to attend training courses in order to acquire sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk management practices, as well as their impact on the services provided by the entity. Similar training should also be provided to their employees on a regular basis.
There are sanctions for both the company and the members of its management body.
For the company, the amount of the penalties has been increased. While in the current regulations the upper limit of the fines was one million euros, NIS2 establishes that non-compliance can lead to a penalty of up to two percent of the annual global turnover or 10 million euros in the case of essential companies, or 7 million euros or 1.4% of the annual global turnover for important companies (the greater of the two amounts in each case).
On the other hand, the members of the management bodies of these entities may be sanctioned at a personal level, in the event of a proven serious failure to comply with their obligations in the reporting and management of incidents, with penalties that may involve their public exposure and temporary suspension from holding managerial positions.
Evidence of the implementation of cybersecurity policies may be requested by the competent authorities. Results from security audits by a qualified third party, together with the corresponding underlying evidence, will serve as proof of compliance.
Cybersecurity rating offers a solution to three essential aspects:
For the management bodies, the rating of the services provided by the organization attests to their due diligence in controlling and monitoring the effective implementation of the security measures required for proper risk management.
For the organization itself, the rating can be presented to the competent authorities as proof that cybersecurity policies have been implemented and as the result of audits carried out by a qualified auditor.
For supply chain risk management, the organization can require the organizations involved to hold the appropriate level of rating for their own services, thereby ensuring compliance with the same cybersecurity policies.
All you need is LEET!