How can ALFA-CON Advisory and Training Centre help?

• NIS-2 (NIS2) or NIS2 survey, report.
• Preparation: development, implementation and control of NIS-2 (NIS2) controls.
• Establish compliance with ISO 27001:2022.
• Conducting NIS-2 (NIS2) audits
• Conduct ISO 27001:2022 audits
• ISO 27001:2022 Certificate Acquisition

What does the acronym NIS mean?
Network and Information Systems

NIS-2 (NIS2) regulation
The Network and Information Systems (NIS) Directive, which came into force in 2016, imposed security and reporting obligations on national critical infrastructure organisations within the European Union. The NIS 2 Directive keeps pace with evolving cybersecurity threats and aims to further improve cybersecurity in the EU. The directive identifies sectors that are critical, such as energy, water, transport and health, extends the obligation to report and respond to cyber incidents to companies operating in these sectors and requires targeted cybersecurity measures. NIS2  foresees harsher fines and penalties for non-compliance.

Who does NIS-2 (NIS2) apply to?
Medium and large companies operating in one of the following sectors employing more than 50 people and having an annual turnover of more than EUR 10 million.

The rules do not apply to micro and small enterprises under the Small and Medium-sized Enterprises and Development Support Act, unless the entity concerned is an electronic communications service provider, a trust service provider, a DNS service provider, a top-level domain name registrar or a domain name registrar (which is regulated without a size limit).

The sectors concerned, NIS2 obliged:

• Public administration
• Power engineering (electricity, district heating, cooling, oil, natural gas, hydrogen)
• Transport (air, rail, road, waterborne and public transport)
• Health
• Drinking water, wastewater
• Communications services
• Digital infrastructure
• ICT outsourced services
• Space-based service
• Postal and courier services
• Production, processing and distribution of food
• Waste management
• Production and distribution of chemicals
• Manufacture
• Digital service providers (e.g. Online marketplace, search provider, domain provider)
• Research
• Financial sector

What are the requirements of NIS-2 (NIS2)?
Risk-proportionate protection measures need  to be implemented on a much wider scale than hitherto for organisations and systems throughout their lifecycle.

Protection measures  should be implemented for the organisation as a whole and for electronic information systems (e.g. mail system, web server, data storage system).

It is also a priority task to prevent, manage and reduce the impact of incidents, and to introduce measures that serve this purpose.

NIS2 extends incident reporting obligations to the entire customer base listed above.
Records of customers and their systems shall be kept by public authorities.

Risk-proportionate security measures are checked by authorities at specified intervals or commissioned by organisations to third parties.

Managers are faced with the following tasks:

• A person responsible for security shall be designated
• Organizational regulations must be implemented
• Awareness-raising trainings should be provided, and knowledge should be maintained
• Encouraging the sharing of information on threats and vulnerabilities is also an essential element of the regulation aimed at improving responsiveness across organizations.

Where should I report an incident?
The incident must be reported to the national CSIRT within the National Cyber Defence Institute.

Who should you contact in terms of authority?
The Supervisory Authority for Regulated Activities (SZTOPA) has been designated as an authority, the sectors are subject to the provisions of Act XXIII of 2023 on Cybersecurity Certification and Cybersecurity Supervision and other regulations (Cyber Security Regulation.)

WHO can be responsible for cybersecurity?
In the case of clients falling within its scope, based on the current legal environment, the role is not tied to qualifications and competencies

The new Information Security Regulation (Information Security Regulation (Ibtv.)). According to its design, the role is linked to relevant competence and experience.

What concrete steps should be taken?
In the case of clients falling within its scope, they must submit an application for registration to the IPO, they must start meeting the expectations detailed above (e.g., assessing systems, defining security measures, appointing responsibility, preparing for and scheduling audits, paying supervisory fees, etc.)

The new Information Security Regulation (Ibtv.) Based on its plan, the clientele will have to continue the activities already started: the classification of systems (identification and classification of security needs) will have to be reviewed, and new controls will have to be implemented in the case of systems.

What standard or domestic legislation must be complied with? What new controls should be introduced?

Cybersecurity regulation. and the new Information Security Regulation (Ibtv.) will define a common set of requirements in the form of a ministerial decree intended to replace BM Decree 41/2015 currently in force. The new system of requirements is an adaptation of NIST 800-53 rev. 5 to domestic conditions, simplification of the previous regulation, updating and updating of the current control family. An organisation that has already dealt with compliance with BM Regulation 41/2015 (e.g. most entities covered by the new Information Security Regulation (Ibtv.)) will have a significantly simpler task in establishing new controls than an actor who is now coming under the regulation.

When do NIS-2 (NIS2) requirements need to be met?
The new Information Security Regulation (Ibtv.) According to plans, customers should gradually transition from the current system of expectations to the new system of expectations from October 18, 2024.

Who performs NIS-2 (NIS2) inspection?
In the case of its clients, audit activities are carried out every two years by organizations included in the list of auditors maintained by the SZTFH.

In the case of new customers, the inspection is carried out by the authority with its own apparatus, therefore inspections are carried out at regular intervals (maximum every 2-3 years) depending on capacity, following a risk assessment.

What are the consequences of non-compliance with the law?
At present, the legislation does not indicate that the customer claiming this is exempted from the sanctions set out in NIS2. Under NIS2, the maximum fine for high-risk clients is at least EUR 10 000 000 and at least 2% of their annual turnover.

• Next