The Directive on measures for a high common level of cybersecurity in the European Union (NIS2 Directive) entered into force on January 16, 2023. The NIS2 Directive repeals the current Directive (EU) 2016/1148 (NISD). Its scope is extended to cover a wider range of economic sectors, thus ensuring the inclusion of key societal and economic activities of vital importance for the Union's internal market.
The cybersecurity requirements imposed on entities providing economically significant services or activities differ considerably between Member States. This Directive aims to eliminate those differences.
What's different about NIS2?
NIS2 applies to a wider range of sectors and services than those in the original directive. While the NISD applied primarily to operators of essential services and digital service providers, NIS2 removes this distinction and introduces the broader concept of “essential” and “important” entities, effectively expanding the types of organisations that fall into these categories.
Essential entities (e.g. energy companies, telecoms and cloud service providers) will now be subject to comprehensive ex ante and ex post supervision by the competent authorities, because they carry out activities of greater importance and criticality for society. Important entities (e.g. postal and courier services, chemical and food manufacturers) will be subject to ex post supervision only.
The scope of NIS2 includes every medium and large enterprise – companies with more than 50 employees or with an annual turnover of over 10 million euros from the listed sectors. In practice this means that every company in these sectors with over 50 employees will have to comply with a set of technical, operational and organizational measures, including:
- access control policies,
- incident response procedures,
- supply chain security, including the relationships between each entity and its direct suppliers or service providers,
- implementing multi-factor authentication, secure voice, video and text messaging, and secure emergency communication systems within the entity, where appropriate,
- good practices and cybersecurity training on zero-trust principles, software updates, device configuration, etc.
NIS2 also sets staged deadlines for reporting significant incidents:
- initial notification within 24 hours;
- re-notification within 72 hours;
- interim report in some cases (upon request);
- a final report with additional information about the incident within one month;
- in some cases, notification of potentially affected consumers may also be required.
Given the sanctions, companies should be aware of this, since even seemingly minor incidents could turn out to be significant ones that are subject to reporting. Under the NIS2 Directive the competent authorities will be able to rely on a solid set of enforcement and investigative powers, such as carrying out security audits and requesting data, information and documents, as well as imposing fines:
- for essential entities, at least up to EUR 10 million or 2% of worldwide annual turnover;
- for important entities, at least up to EUR 7 million or 1.4% of worldwide annual turnover.
What's next?
As EU directives do not have direct effect in the Member States, each Member State must transpose the requirements of the NIS2 Directive into national law before they become applicable. Transposition must be completed by 17 October 2024, and the relevant regulatory documents must be published and applied from 18 October 2024. Follow the news on our page; we will inform you about the measures you need to take. We can also help with assessing whether your organization falls within the scope of NIS2, consulting on measures for a common level of cybersecurity, introducing minimum cybersecurity requirements, conducting training, etc.