The year 2024 challenges responsible companies to demonstrably adopt both technical and operational measures in the area of cyber and information security. These measures stem from the European NIS 2 Directive and may well apply to your business. They include requirements for risk management, personnel security and access control, network security and the operation of information systems, and, in time, the obligation to undergo a cyber security audit.
What exactly is it about?
The decree (362/2018), effective from September 2023, defines a list of required security measures that will be mandatory for companies falling under the NIS 2 directive.
Although the exact sectors and company sizes obliged to comply with this decree have not yet been listed, cybersecurity specialists recommend that entities carry out at least a risk analysis in advance, in their own interest. Doing so identifies the company's processes and systems and gives it time to address vulnerabilities that, in the event of a cyber incident, could impact the functioning and operation of the company.
For basic information on which entities will be covered by the NIS 2 Directive, see for example: https://digital-strategy.ec.europa.eu/sk/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs
NIS2 applies to entities in the following sectors:
High criticality sectors: energy (electricity, district heating and cooling, oil, gas and hydrogen); transport (air, rail, water and road); banking; financial market infrastructures; health, including the manufacture of pharmaceuticals and vaccines; drinking water; wastewater; digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services); ICT service management (managed service providers and managed security service providers); public administration; and space.
Other critical sectors are: postal and courier services; waste management; chemicals; food; manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment; digital service providers (online marketplaces, internet search engines and social networking service platforms), and research organisations.
Cybersecurity affects every organisation and business. You should address the requirements of the Directive not because they are set by decree and non-compliance may result in fines, but because the danger of attack is ever present.