The new EU Cyber Security Directive NIS2

and what it means for you.


WHAT IS NIS2?

Europe-wide legislation

This is a pan-European piece of legislation on cyber security. It aims to achieve a high level of cyber security in all EU Member States.

Final text adopted

28.11.2022 Final text adopted by the Council of the European Union; published in the Official Journal on 27.12.2022 as Directive (EU) 2022/2555 and in force since 16.1.2023.

New obligations

Member States must transpose NIS2 into national law by 17.10.2024; in the Czech Republic this means new obligations under a new Cyber Security Act and its implementing decrees.

Stricter obligations

Tightens the requirements for cyber security.

Stricter obligations under the NIS2 Directive

  • Obligation to carry out your own security risk assessment
  • Technical and organisational measures to increase cyber resilience
  • Obligation to log security-relevant data and events and to retain the logs for at least 18 months
  • Obligation to report security incidents

Who is affected by the new directive

  • The new directive applies to more than 6,000 entities in the Czech Republic. Regulated entities are divided into two regimes: essential (higher obligations) and important (lower obligations). For the list of regulated services, see the annex published by NÚKIB.
  • It applies to medium-sized and larger enterprises (50 or more employees, or an annual turnover or annual balance sheet total of at least €10 million). Note that NIS2 also covers some entities regardless of size, for example providers of DNS services, TLD name registries and trust services.
  • After the self-assessment, the provider of the regulated service must report its registration data to NÚKIB via a new communication tool, the NÚKIB portal.

Obligation to carry out self-assessment

  • The basic obligation is to carry out your own risk assessment.
  • Technical and organisational measures
    • The principle of the measures is that the organisation, if it has not already done so, maps its environment, identifies what it needs to operate its regulated service, assesses the risks to that service and puts in place appropriate measures to reduce those risks to an acceptable level.
    • One of the measures is the handling and reporting of cyber security incidents.

Obligation to store logs of all systems and IT infrastructure

  • The directive also requires the collection of logs from all systems and IT infrastructure and their retention in an unalterable form for at least 18 months. In practice this means the log store must be append-only and tamper-evident: an administrator (or an attacker with administrator rights) must not be able to silently edit or delete records that have already been written.
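One way to make retained logs tamper-evident is a hash chain: every stored record carries a SHA-256 digest over the previous record's digest and its own content, so editing, deleting or reordering any record inside the chain breaks verification. The following is an added example written for this page; it is not TeskaLabs or LogMan.io code. The function names, the record layout and the sample log events are all constructed for illustration. It also handles the edge case a plain chain check misses: deleting records from the tail leaves a valid shorter chain, so the head digest is compared against a checkpoint kept out of band.

```python
"""Append-only, hash-chained log store with out-of-band checkpoint.

Added example (not vendor code). Record layout, function names and the
sample events are assumptions made for illustration only.
"""
import hashlib
import json
from copy import deepcopy
from typing import Optional

GENESIS = "0" * 64  # digest of the (empty) predecessor of the first record

# Constructed sample events, not real data, as they might arrive from a
# syslog collector. The store does not care about the record format.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:01Z", "host": "fw01", "msg": "deny tcp 203.0.113.5:4444 -> 10.0.0.7:22"},
    {"ts": "2024-03-01T08:00:04Z", "host": "dc01", "msg": "4625 logon failure user=admin src=10.0.0.9"},
    {"ts": "2024-03-01T08:00:09Z", "host": "dc01", "msg": "4624 logon success user=admin src=10.0.0.9"},
]


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # hashes identically; the previous digest binds this record to history.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append a record; its digest commits to every earlier record via prev."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def checkpoint(chain: list) -> str:
    """Head digest to be stored out of band (separate system, WORM media, ...)."""
    return chain[-1]["hash"] if chain else GENESIS


def verify(chain: list, expected_head: Optional[str] = None):
    """Return (ok, index): index is the first bad record, or len(chain) if ok.

    Catches modification, deletion and reordering of any record inside the
    chain. Deleting records at the tail leaves a valid shorter chain, which
    only the comparison against the out-of-band checkpoint detects.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, len(chain)


def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = checkpoint(chain)
    print("intact:", verify(chain, head))
    tampered = deepcopy(chain)
    tampered[1]["record"]["msg"] = "4624 logon success user=admin src=10.0.0.9"
    print("record 1 rewritten:", verify(tampered, head))
    print("tail deleted, no checkpoint:", verify(chain[:-1]))
    print("tail deleted, with checkpoint:", verify(chain[:-1], head))
```

The checkpoint is the weak point to get right operationally: it must be written somewhere the log administrator cannot reach (a separate system, append-only media, or periodically signed and sent to a second party), otherwise whoever can rewrite the chain can also rewrite the checkpoint.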

Allocation of financial resources

  • Under the new directive, the funding needed to meet these obligations must be secured in advance. There are three steps to planning the cost of security in an organisation:
    • Identify the needs within your organisation
    • Incorporate the needs into budgeting
    • Spread the costs over time in the budget

Personal responsibility

  • Specific persons are newly held personally accountable, namely the people who lead the organisation and its IT, e.g. owners, managing directors, directors, IT managers, network administrators, the cyber security department and IT specialists.

Cyber incident reporting

  • Early warning within 24 hours of becoming aware of a significant incident
  • Incident notification within 72 hours, updating the early warning with an initial assessment of the incident's severity and impact (and indicators of compromise, where available)
  • Final report within one month, containing a detailed description of the incident, its likely cause and the mitigation applied

Sanctions

  • Monetary: for essential entities up to €10 million or 2% of total worldwide annual turnover, whichever is higher (for important entities up to €7 million or 1.4%)
  • Non-monetary: temporary suspension of a certification or authorisation, and/or a temporary ban on any responsible manager exercising managerial functions
  • Sanctions can be imposed repeatedly until remediation is achieved.

Method of control

  • Differs between the essential (higher obligations) and important (lower obligations) regimes
  • Essential entities are supervised proactively by NÚKIB and its staff, i.e. audits and inspections can take place without any prior indication of a breach
  • Important entities are supervised too, but reactively: NÚKIB acts on evidence or an indication that the entity is not meeting its obligations

New EU Directive on Network and Information Security (nukib.cz)

WHY IS LOG MANAGEMENT IMPORTANT?

Compliance with legislation and the NIS2 Directive

Retained logs provide the detailed documentation required in the event of a critical incident under the Czech Cyber Security Act (ZoKB) and its implementing Decree No. 82/2018 Coll., the GDPR and ČSN ISO/IEC 27001:2013.

Operational reasons

In the event of a critical incident, the collected logs are used to trace the origin of the incident and reconstruct what happened.

Security reasons

All events in the IT infrastructure are recorded for later review, so that an attacker who gains access to a system cannot erase the evidence of how they got there.

Visibility

A full overview (visibility) of all data from the IT infrastructure and of what is happening in the company.

Contact us

Interested in more information about the NIS2 directive? How will TeskaLabs and TeskaLabs LogMan.io help you meet the requirements in your country? Contact us and ask for a DEMO.
