Application of the NIS 2 directive and the Cybersecurity Act in essential and important entities
Published 2024-05-21
Keywords
- cybersecurity
- NIS 2
- safety measures
- cybersecurity risks
Copyright (c) 2024 Silvana Tomić Rotim, Katarina Landeka
This work is licensed under a Creative Commons Attribution 4.0 International License.
Abstract
Introduction
The NIS 2 Directive and the Cybersecurity Act are key components of the EU's regulatory framework designed to strengthen the cybersecurity of essential and important entities. The Directive on measures for a high common level of security of network and information systems (NIS 2) is an upgrade of the previous directive (NIS), aimed at enhancing the EU's cyber resilience. NIS 2 covers a broader range of sectors, including digital services, energy, transport, healthcare, and financial services, and adds new sectors such as postal and courier services, waste management, and chemical production.
This paper will focus on describing the directive and law, their application, and the obligations and challenges that entities face. Additionally, it aims to provide an effective methodology that can assist essential and important entities in implementing this directive and law. This will create the prerequisites for more successful implementation of cybersecurity measures in these entities, thereby raising the level of cybersecurity at the EU level.
NIS 2 distinguishes between essential and important entities. Essential entities are those whose interruption or disruption of service could have a significant impact on public welfare, health, safety, or economic stability. Important entities, although having a lesser impact, are still vital for societal and economic activities.
Methodology
NIS 2 requires entities to take specific technical and organizational measures to manage cyber risks, regularly assess and improve their security policies, and report incidents to competent authorities. To successfully implement this, the paper will present a possible methodology for compliance with the directive and law, by defining methods and techniques for:
- Initial assessment and analysis: Analyzing existing security measures, policies, and procedures in relation to the requirements of NIS 2.
- Asset inventory and risk assessment: Entities must regularly conduct risk assessments and vulnerability testing.
- Development of security policy: It is necessary to establish and implement security policies and procedures.
- Incident reporting: Entities are obliged to report significant incidents to the competent national authorities.
- Incident management: It is necessary to establish and maintain the ability to manage incidents.
- Awareness and training: Organizations must ensure awareness and training for employees about cybersecurity.
- Continuous monitoring and improvement: Applying the principles of continuous improvement (e.g., the PDCA cycle) to regularly update and upgrade security measures and policies.
The paper will also consider possible challenges in applying the methodology and implementing the measures proposed by the directive and law. Some of the challenges are:
- Technical complexity: The use of advanced technologies and complex information systems can make the implementation of appropriate security measures difficult.
- Continuous compliance: The dynamic nature of cyber threats requires constant updates and adjustments to security practices.
- Resources: Ensuring sufficient financial and human resources to establish and maintain high security standards can be challenging, especially for smaller organizations.
- International cooperation: As cyber incidents often cross borders, international cooperation and information exchange are key to effective risk management.
Results
The expected result is a defined methodology for implementing the obligations set out by the NIS 2 Directive and the Cybersecurity Act in essential and important entities. The paper also identifies the methods and techniques to be applied at each stage of implementing the directive and law, from initial assessment to continuous monitoring. Although implementing these measures presents certain challenges, it is crucial for protecting critical infrastructure and ensuring society's resilience to cyber threats. Successful implementation requires the engagement of all stakeholders, continuous investment in security capacities, and international cooperation.