
Date:
24.01.2024
Author:
Inventia Team


How to manage network information security in line with the NIS2 Directive?

There are hefty fines for non-compliance with the NIS2 Directive, which can be up to €10 million or 2% of a company’s total annual turnover.

Find out:
  • What is the NIS2 Directive?
  • Deadline for the implementation of the NIS2 Directive
  • Criteria to be met to implement the NIS2 Directive
  • What does the NIS2 Directive change from the first version?
  • Powers of the supervisory authorities
  • Penalties for non-compliance with the NIS2 Directive


In the digital age, when information technology plays a key role in the functioning of the economy and society, cyber security has become one of the priority challenges of the modern world. The increasing number of cyber-attacks, their complexity and their potential consequences for critical infrastructure call for coordinated action. In response to these challenges, the European Union has introduced the NIS2 Directive (Directive (EU) 2022/2555), aimed at increasing the level of security within the community. This article presents the most important information about the NIS2 Directive: its meaning, its scope of application and its consequences for companies and institutions in the European Union.

What is the NIS2 Directive?

The NIS2 Directive (Network and Information Security Directive 2) is an updated version of the 2016 NIS Directive, which aims to increase cyber resilience in European Union member states. The Directive aims to ensure a high, common level of security for networks and information systems across the European Union, covering both the public and private sectors. It introduces more stringent requirements for cyber risk management and cooperation between Member States in the event of cyber incidents. The directive focuses on protecting critical infrastructure and services that are essential to the functioning of the economy and ensuring public safety. By increasing the level of protection, NIS2 seeks to minimise the risk of disruption to key services and assets and protect against a growing number of cyber threats.

Deadline for implementation of the NIS2 Directive

EU member states were required to transpose the provisions of the NIS2 Directive into national law by 17 October 2024: by that date, every member state was obliged to adopt and publish the national legislation needed to ensure compliance with NIS2. By 17 April 2025, each member state should draw up a list of the key (essential) and important entities that will be covered by the requirements of the Directive.

In Poland, the NIS2 Directive has not been implemented by this deadline and work on the draft law is still ongoing. National implementation may have a significant impact on the requirements, as well as how they are met.

Criteria to be met to implement the NIS2 Directive

Entities required to implement the NIS2 Directive must meet certain criteria (some of the following areas will depend on implementation in individual member states):

  • Scope of sectors covered: NIS2 applies to companies and institutions that operate in sectors deemed to be ‘critical’ or ‘important’ to the functioning of the economy and public safety. These sectors include, among others, energy, transport, banking, healthcare, drinking water supply and wastewater treatment. Entities in these sectors must comply with a range of security requirements, including the implementation of appropriate risk management and incident reporting measures.
  • Size of the organisation: The Directive distinguishes between large, medium-sized and small organisations. The new rules apply to both medium-sized enterprises (with at least 50 employees and an annual turnover or annual balance sheet total of at least 10 million euro) and large enterprises (with at least 250 employees and an annual turnover of more than 50 million euro or an annual balance sheet total of more than 43 million euro). In particular, large and medium-sized enterprises operating in the aforementioned sectors are affected, while small organisations are covered by the regulations only in exceptional cases, if they provide services of particular importance for the functioning of the EU internal market.
  • Relevance to the EU internal market: Entities must demonstrate that they are relevant to the functioning of the EU internal market, which may include the provision of key services, the ownership of critical infrastructure or relevance to public security.
  • Risk management capability: Organisations must be able to put in place appropriate risk management measures, such as regular risk assessments, the implementation of a risk management strategy, and the use of appropriate technical and organisational measures to ensure the security of their systems and data.

What does the NIS2 Directive change from the first version?

The NIS2 Directive introduces a number of significant changes from the 2016 NIS Directive:

  • Broadening the scope of regulation: NIS2 increases the number of sectors considered critical and important for the internal security of the European Union.
  • Stricter security requirements: The Directive requires regulated entities to put in place more stringent technical and organisational measures.
  • Strengthened oversight and enforcement: The Directive extends the powers of supervisory authorities, including the power to impose financial and other penalties for non-compliance with the requirements of the Directive (up to €10 million). Supervisory authorities can also require detailed incident reporting and carry out on-site inspections.
  • Increased international cooperation: The NIS2 Directive aims to strengthen cooperation and information sharing between member states in order to manage cyber threats more effectively. The new legislation also promotes coordination within the EU cyber incident response system. Thus, it should be seen as a harmonised standard for handling security, in particular cyber security.

Powers of supervisory authorities

Under NIS2, supervisory authorities have extended powers, which include:

  • The requirement for regulated entities to provide information on the state of their safeguards and preventive actions taken.
  • The ability to conduct audits and inspections, both on-site and remotely, to verify compliance.
  • Imposing sanctions, including financial penalties, for non-compliance, failure to report incidents or failure to comply with specified procedures.
  • Close cooperation with other authorities at national and EU level to coordinate prevention and incident response.

Penalties for non-compliance with the NIS2 Directive

There are heavy penalties for non-compliance with the NIS2 Directive, which can be up to €10 million or 2% of a company’s total annual turnover, whichever is higher. Penalties may also include an order to cease operations in a specific market or the implementation of additional security measures.

With the introduction of new advanced security measures, NIS2 provides a solid foundation for building cyber resilience across the European Union. The implementation of these rules is key to protecting critical infrastructure and ensuring the continuity of services that are vital to the economy and public safety.
