What does the directive represent?
The NIS2 Directive (NIS = Network and Information System) succeeds the currently effective NIS Directive (on measures for a high common level of security of network and information systems across the EU) and expands its scope in response to accelerating digitization. The NIS2 Directive was adopted in December 2022 and requires Slovenia, like the other EU member states, to amend its national legislation by October 17, 2024.
The fundamental change compared to NIS lies in how risk and cyber threats are perceived. Society as a whole, and the organizations (companies) within it, are now so interconnected that there is practically no industry in which information systems do not play a significant role. For this reason, NIS2 no longer singles out the systems that are important to the company; it requires securing everything involved in providing the services necessary for the company's functioning.
The NIS2 directive therefore brings many changes in cyber security and significantly expands the number of organizations that will be newly regulated.
What are the goals of NIS2?
- Extend regulation to entities providing services important for the functioning of the state
- Increase the level of cyber security and resilience
- Joint communication and coordination in dealing with cyber security across the EU
- Improve the ability of obliged entities to respond to cyber security incidents
- Improve the capabilities of obliged entities to prepare for and respond to a large-scale incident or crisis
When does NIS2 apply to your organization?
An organization falls under the regulation of the NIS2 Directive if it meets both of the following conditions:
- It provides at least one regulated service listed in the Annexes to the NIS2 Directive.
- It is a medium or large enterprise. Depending on the organization's size and the importance of the regulated service, it will be subject to stricter or lighter obligations.
The new regulation will therefore affect a wide range of entities and will bring them a significant financial and administrative burden. It is advisable to begin financial planning as soon as possible, taking into account the obligations set out in the proposed law on cyber security.
Obliged entities will have to take technical and organizational measures to manage security risks. Technical measures include, for example, the use of appropriate software (e.g. antivirus), vulnerability monitoring, network segmentation and the introduction of multi-factor authentication. Organizational measures mean creating documentation: rules for internal procedures (e.g. onboarding a new employee, setting up accounts, managing security incidents, etc.).
Obliged entities must fulfill the criteria established by the proposed decree. Companies must now perform a so-called self-identification: determine whether they are an obliged entity providing regulated services and which category of obligations they fall into.
New responsibilities for your organization
Mandatory entities will have to focus on:
- Mandatory education of the organization's top management and greater management responsibility for ensuring cyber security in the organization. If the top management of a regulated organization consistently avoids fulfilling its legal obligations under the draft law on cyber security and its implementing regulations, the regulator can order the suspension of the management function.
- The obligation to approve measures to manage cyber security risks.
- Risk analysis and information security policy.
- Incident management.
- Continuity of activities (i.e. business continuity), while the directive further elaborates this area with the example of backup, recovery (disaster recovery) and crisis management.
- Supply chain security.
- Security within the procurement, development and maintenance of systems.
- Policies and procedures for evaluating the effectiveness of security measures (i.e. auditing).
- Basic computer hygiene practices and cyber security education.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Human resource security, access and asset management, and the use of multi-factor authentication.
- Entities will be subject to fines for failure to comply with the imposed obligations.
The principle behind these security measures is to guide the organization to map its environment, identify everything it needs to keep its regulated service running, evaluate the risks (not only cyber risks) that could endanger the service, and implement appropriate measures that reduce these risks to an acceptable level.
How can we help you?
- Monitoring upcoming changes to Slovenia's cyber security legislation and explaining the changes and obligations that result from them
- Explaining the resulting obligations in key areas such as business continuity planning, supply chain management, risk management and incident management
- Reviewing security documentation, internal regulations and affected processes
- Risk management, assistance during inspections and representation in proceedings before supervisory authorities
Prepare early to increase your preparedness and competitiveness
Whether or not you are affected by the NIS2 legislation, investing in your organization's security costs less than the losses a cyber incident can inflict on the company's operations and reputation.
Contact us and we'll talk about it!
Why SoftwareOne?
- We are experts in organizational and technical security.
- We help you with process security and recommend suitable technologies to your organization.
- Our portfolio considers the Cyber Security Act, NIS2, DORA, GDPR, ISO standards, cloud standards and others.
- We know what's coming – be it legislation updates or latest technology trends.
- No one-trick pony! We deliver solutions you'll benefit from for a long time.
- We provide services in an easy-to-understand manner tailored to your team's needs.
Discover our services for comprehensive cyber security solutions.
Do not hesitate to contact us
We will be happy to help you.