Application of the NIS 2 directive and the Cybersecurity Act in essential and important entities
Published 2024-05-21 — Updated on 2024-12-01
Keywords
- cybersecurity,
- NIS 2,
- safety measures,
- cybersecurity risks
Copyright (c) 2024 Silvana Tomić Rotim, Katarina Landeka
This work is licensed under a Creative Commons Attribution 4.0 International License.
Abstract
Introduction
The NIS 2 Directive and the Cybersecurity Act are key components of the EU's regulatory framework for strengthening the cybersecurity of essential and important entities. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2) replaces the original NIS Directive (Directive (EU) 2016/1148) and aims to raise the EU's cyber resilience. NIS 2 covers a broader range of sectors than its predecessor, including digital services, energy, transport, healthcare, and banking and financial market infrastructures, and adds new sectors such as postal and courier services, waste management, and the manufacture, production and distribution of chemicals.
This paper will focus on describing the directive and law, their application, and the obligations and challenges that entities face. Additionally, it aims to provide an effective methodology that can assist essential and important entities in implementing this directive and law. This will create the prerequisites for more successful implementation of cybersecurity measures in these entities, thereby raising the level of cybersecurity at the EU level.
NIS 2 distinguishes between essential and important entities. The classification depends primarily on the sector in which an entity operates (Annex I or Annex II of the Directive) and on its size, and it determines the supervisory regime that applies (ex ante supervision for essential entities, ex post supervision for important entities) as well as the maximum administrative fines. Essential entities are those whose service interruption or disruption could have a significant impact on public welfare, health, safety, or economic stability; important entities, although their disruption would have a lesser impact, are still vital for societal and economic activities.
Methodology
NIS 2 requires entities to take specific technical and organizational measures to manage cyber risks, regularly assess and improve their security policies, and report incidents to competent authorities. To successfully implement this, the paper will present a possible methodology for compliance with the directive and law, by defining methods and techniques for:
- Initial assessment and analysis: Analyzing existing security measures, policies, and procedures in relation to the requirements of NIS 2.
- Asset inventory and risk assessment: Entities must regularly conduct risk assessments and vulnerability testing.
- Development of security policy: It is necessary to establish and implement security policies and procedures.
- Incident reporting: Entities are obliged to report significant incidents to the competent national authority or CSIRT. NIS 2 sets a staged timeline for this: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
- Incident management: It is necessary to establish and maintain the ability to manage incidents.
- Awareness and training: Organizations must ensure awareness and training for employees about cybersecurity.
- Continuous monitoring and improvement: Applying the principles of continuous improvement (e.g., the PDCA cycle) to regularly update and upgrade security measures and policies.
The paper will also consider possible challenges in applying the methodology and implementing the measures proposed by the directive and law. Some of the challenges are:
- Technical complexity: The use of advanced technologies and complex information systems can make the implementation of appropriate security measures difficult.
- Continuous compliance: The dynamic nature of cyber threats requires constant updates and adjustments to security practices.
- Resources: Ensuring sufficient financial and human resources to establish and maintain high security standards can be challenging, especially for smaller organizations.
- International cooperation: As cyber incidents often cross borders, international cooperation and information exchange are key to effective risk management.
Results
The expected result is a defined methodology for implementing the obligations laid down by the NIS 2 Directive and the Cybersecurity Act in essential and important entities, together with clearly identified methods and techniques for each stage of implementation, from initial assessment to continuous monitoring. Although implementing these measures presents certain challenges, it is crucial for protecting critical infrastructure and ensuring society's resilience to cyber threats. Successful implementation requires the engagement of all stakeholders, continuous investment in security capacities, and international cooperation.
References
- Bada, M., Sasse, M. A., Nurse, J. R., Cybersecurity Awareness Campaigns: Why Do They Fail? Journal of Cybersecurity, 7(1), tyab001, 2021.
- Chertoff, M., Simon, A., Cybersecurity Regulatory Frameworks in the EU: Balancing Innovation and Protection. Journal of Cybersecurity Policy, 3(2), 45–62., 2021.
- Croatian Parliament, Information Security Act, 18 July 2007.
- Croatian Parliament, Critical Infrastructures Act, 2 May 2013.
- Croatian Parliament, Act on the Implementation of Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market, 19 June 2017.
- Croatian Parliament, Act on the Implementation of the General Regulation on Data Protection, 3 May 2018.
- Croatian Parliament, Electronic Communications Act, 1 July 2022.
- Croatian Parliament, Cybersecurity Act, 26 January 2024.
- European Parliament and Council, Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS), 23 July 2014.
- European Parliament and Council, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 27 April 2016.
- European Parliament and Council, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act), 17 April 2019.
- European Parliament and Council, Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector (Digital Markets Act), 14 September 2022.
- European Parliament and Council, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), 14 December 2022.
- European Parliament and Council, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), 14 December 2022.
- Government of the Republic of Croatia, The National Cyber Security Strategy of the Republic of Croatia, 7 October 2015.