In an effort to counter the growing volume of cyber attacks, the rules governing digital environments are constantly being modernized. To this end, a new cybersecurity directive was adopted by the European Parliament on November 10, 2022 and by the EU Council later that month.
FOR WHOM?
This new directive, NIS2, replaces the 2016 directive on measures for a high common level of security of network and information systems across the European Union. NIS is designed to ensure transparency and better security of network and information systems in the EU, unifying prevention and response to threats across all Member States. Under NIS, Operators of Essential Services (OES) and Digital Service Providers (DSP) are required to take appropriate measures to manage security risks and to report significant incidents to the national competent authority or Computer Security Incident Response Team (CSIRT).
The original NIS Directive left it to each Member State to decide which organizations qualified as OES and DSP. NIS2 replaces that case-by-case identification with a uniform, size-based rule (medium and large entities in the listed sectors are in scope by default) and expands the sectors covered, extending to: healthcare, energy, transport, digital infrastructure (including data centers, cloud services and social networking platforms), drinking water and wastewater, financial services, electronic communications, waste management, space, manufacture of critical products (e.g. pharmaceuticals or chemicals), postal and courier services, food production and distribution, and public administration. This updated Directive is one of the most important components of the overall EU information security strategy.
The industries covered by NIS2 are crucial not only for the development of the economy, but also for the daily lives of European citizens. The Directive is intended to bring more organizations under harmonized security requirements and a common incident reporting process. Under NIS2, an entity must send the authorities an early warning of a significant incident no later than 24 hours after becoming aware of it, followed by a fuller incident notification within 72 hours and a final report within a month, instead of the vague "without undue delay" of the previous NIS Directive. This approach should make governments and society more resilient to criminal cyber operations.
WHAT ACTIONS?
NIS2 (Article 21) sets out a minimum list of ten risk management measures that every entity in scope must implement; the most consequential of them are listed below. Non-compliance is subject to administrative fines, which for essential entities can reach EUR 10 million or 2% of global annual turnover, whichever is higher.
- Policies on risk analysis and information system security
- Incident handling (prevention, detection and response)
- Business operations continuity and crisis management
- Supply chain security, covering the security-related aspects of the relationship between an entity and its direct suppliers or service providers (such as data storage and processing or managed security services). Organizations outside the direct scope of NIS2 can still be affected by it: an IT or security service provider whose clients are regulated entities will, in practice, have NIS2 requirements passed down to it through those clients' supplier due diligence and contracts
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures for assessing the effectiveness of the risk management measures
- Policies and procedures on the use of cryptography and, where appropriate, encryption
WHEN?
There are deadlines for transposing NIS2. Member States have 21 months to incorporate NIS2 into national legislation. In the meantime, organizations should study the Directive's sectoral scope and size thresholds and determine whether their business falls within them, then plan the organizational, financial and technical steps needed to meet the new requirements.
DORA
NIS2 has been aligned with sector-specific legislation such as PSD2 and GDPR, and in particular with the Digital Operational Resilience Act (DORA), the regulation for the financial sector adopted on November 28, 2022, which applies to banks, insurance companies, crypto-asset service providers, other financial institutions and their ICT suppliers.
Given the number of technology systems in large financial organizations, the providers of their operational infrastructure are themselves considered critical for the financial sector. DORA addresses the cross-cutting problem of a single security standard for the entire financial system and will apply to a large number of parties.
Solanteq will help you meet the new requirements on the quality of incident management and take timely organizational and technological measures. SOLAR Fraud Prevention is a reliable building block for an effective strategy against cyber threats, increasing the operational reliability of critical processes.
Global digitalization of the financial (and in particular, banking) sector, customer expectations of service availability and the rising level of risk create a need for a unified incident response regime.
Strengthening operational resilience is one of the main goals for financial institutions. Ensuring uninterrupted operation reduces losses from downtime and strengthens competitiveness and customer trust. Under DORA, businesses have 24 months from its entry into force for organizational steps, infrastructure transformation and implementation.