Introduction
The update of the Directive on security of network and information systems, known as NIS 2 (Directive (EU) 2022/2555), is about to become effective.
The directive was approved in November 2022 and published in the Official Journal of the EU on December 27 of the same year.
Member States must adopt and publish the measures necessary to transpose it by October 17, 2024 at the latest.
What is NIS 2 and what is its purpose?
NIS (Directive (EU) 2016/1148, adopted in 2016) is an EU directive applicable to Member States that was created to provide a harmonized framework for promoting cybersecurity measures. NIS identified a number of critical sectors whose organizations, entities and companies had to comply with the provisions of the text.
As has been the case with other directives and regulations, the EU has evolved the standard to adapt to new times and situations.
Thus, NIS 2 expands the scope of application and requires the implementation of more robust and sophisticated measures to reduce the number and severity of cyberattacks in both the private and public spheres. Its application is also expected to improve risk assessments and internal and external audits, and with them the level of expertise within organizations and their partners.
It is also intended to foster collaboration in the industry.
Does this regulation affect my company?
With NIS 2, the scope of application of the regulations has been expanded to 18 sectors, divided as follows:
- High criticality: energy, banking, financial market infrastructures, healthcare, transportation, digital infrastructure, drinking water, wastewater, public administration, ICT service management and space.
- Other critical sectors: research, chemicals, food, postal and courier services, digital providers, manufacturing and waste management.
In addition, it divides the entities into two types:
- Essential entities: those operating in high criticality sectors, together with certain other types of organizations regardless of the sector, such as qualified trust service providers, which is the case of MailComms Group.
- Important entities: those organizations that belong to the identified sectors but do not meet the conditions to be considered essential entities.
In addition, if we consider the size of the companies, medium-sized and large companies would be particularly affected:
- Medium-sized company: a company that employs at least 50 but fewer than 250 people and whose annual turnover does not exceed 50 million euros or whose annual balance sheet total does not exceed 43 million euros.
- Large company: a company that exceeds the medium-sized thresholds, that is, one that employs 250 or more people, or whose annual turnover exceeds 50 million euros and whose annual balance sheet total exceeds 43 million euros.
However, there are also a number of SMEs that must comply with the standard.
They are those included in the indicated sectors that meet certain additional criteria set out in the directive, for example providers of trust services, DNS services or top-level domain name registries regardless of their size, or entities that are the sole provider in a Member State of a service essential to critical societal or economic activities.
Main new features of this update
This document from the National Cryptologic Center (CCN) summarizes very clearly the main aspects to be taken into account in relation to the NIS 2 evolution. It groups the new features into three areas:
- Supply chain security.
- Relationship with suppliers.
- Liability of senior management for non-compliance with obligations.
Our positive contribution in these three categories is clearly identifiable. As our CISO Sonia Lasheras summarizes, “as qualified trust service providers, we are obliged to comply with this directive and we can affirm that we are prepared.
And, in addition, as we are in possession of the National Security Scheme certification, at the highest level, we can prove that we comply with the NIS 2 Directive.
Ultimately, we assure our customers that our services meet the necessary requirements to be part of their supply chain.” As suppliers, at MailComms Group we actively participate in the supply chain of the companies we work with and in this way we bring part or all of our compliance to our customers’ activities.
Thus, in addition to avoiding penalties and offering a better service (through compliance with the new requirements of NIS 2), we also contribute to the protection of the people who are part of the senior management of the companies, whose responsibility is very directly indicated in the new text. The CCN summary document also explains that entities holding the ENS certification at the high level are considered to comply with NIS 2, and this is our case.
The new directive also introduces changes regarding the mandatory notification of incidents to the competent authority (or the CSIRT) in each Member State, when these incidents can be considered significant.
In other words, when they have caused or are capable of causing severe operational disruption of the services or financial loss for the entity concerned, or when they have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The evolution of the directive provides for the following notification scheme:
- Early warning: within 24 hours of becoming aware of the significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts or could have a cross-border impact.
- Incident notification: within 72 hours of becoming aware of the incident, updating the early warning and providing an initial assessment of its severity and impact and, where available, the indicators of compromise.
- Final report: a detailed description of the incident, including its severity and impact, the type of threat or root cause that likely triggered it, and the mitigation measures applied or in progress.
It must be submitted no later than one month after the incident notification; if the incident is still ongoing at that point, a progress report is submitted instead, and the final report is due within one month of the incident being handled.
Technology as an ally
At MailComms Group we offer a series of applications and technological solutions developed in-house, as well as others from trusted partners, of high value both for their functionality and their ability to ensure regulatory compliance.
To our technological proposal we add our status as a qualified trust service provider, accredited by the Ministry for Digital Transformation and the Civil Service, to maximize our usefulness when designing, implementing and monitoring an effective cybersecurity strategy aligned with the provisions of NIS 2 and other regulations. As we explained in this article recently published in our blog, our contribution as specialists and as technology providers can be summarized in terms such as responsibility (cybersecurity is everyone's business: companies, client companies, suppliers, end users...), trust and agility.
This last concept is understood as the speed to adapt our solutions to regulatory changes and to keep them robust against the advances of cybercriminals. Having a qualified service provider such as MailComms Group will help you work under high standards of IT security, information security and privacy.
This will be reflected in many ways in your day-to-day work and in your bottom line.
It will help you offer a better service to your customers (new sign-ups, loyalty, low abandonment rate...), avoid cyber risks and their associated costs, and comply with regulations such as NIS 2, keeping you away from the penalties provided for in the text, which in the most serious cases can reach 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities (7 million euros or 1.4% for important entities).