NIS 2 Directive: Critical for Cybersecurity

Introduction
The European Parliament and Commission have recently updated the Directive on Network and Information Security (NIS). The new revision, known as NIS 2, introduces substantial enhancements over the original NIS Directive enacted in 2016. Its primary aim is to bolster cybersecurity risk management capabilities across the European Union.

Impact of the NIS 2 Directive
NIS 2 is set to impact approximately 160,000 entities across various public and private sectors. Organizations need to determine whether the directive applies to them so that they can comply with the new requirements.

Targeted Organizations
The directive broadens its scope, categorizing entities into two types:

– Essential Entities: Encompassing 11 sectors such as energy, transport, banking, health, water supply, and digital infrastructure. Additional subsectors include energy production, oil, natural gas, and transport.
– Important Entities: Covering 7 sectors including postal services, waste management, manufacturing, and digital services. Added subsectors are medical equipment and motor vehicles.

Compliance
Organizations are required to implement suitable technical and organizational measures to manage cybersecurity risks, including:

– Risk analysis and security strategies
– Standardized incident management
– Business continuity plans
– Cybersecurity testing and auditing
– Supply chain security

Incident Reporting
Entities must promptly report any significant cybersecurity incidents to both national data protection authorities and relevant NIS authorities.

Sanctions
Violations of the directive can result in fines of up to 10 million euros or 2% of the global annual turnover for essential entities, and up to 7 million euros or 1.4% of the turnover for important entities.

Implementation
Member states have until September 2024 to transpose the NIS 2 Directive into national law. In Romania, the transposition process is already underway, with legislative priorities set by the National Directorate for Cybersecurity.

For further information and support in aligning with the new requirements, TOPSYS is at your disposal.
