A few weeks ago, at Vercom, we began the process of implementing the NIS2 Directive and preparing to meet the requirements of the Digital Operational Resilience Act (DORA).
According to the European Commission, the NIS2 Directive aims to establish a minimum level of regulations and requirements among member states to effectively mitigate the risk of cybersecurity incidents. At the same time, the Digital Operational Resilience Act (DORA) has been adopted, tightening European cybersecurity requirements, particularly in the financial sector. DORA can thus be regarded as the more specific set of rules that, for the financial sector, takes precedence over NIS2.
Already published in the Official Journal of the European Union, this new directive introduces comprehensive measures for a high common standard of cybersecurity across the Union, focusing on strengthening the cyber resilience of essential and important entities.
Compliance with NIS2 focuses on three key areas: securing network and information systems, handling security incidents, and monitoring the supply chain in the context of countries of origin. Moving forward, organizations must prepare to define what constitutes a cybersecurity incident and what qualifies as a major incident that must be reported to the relevant authority (CSIRT, short for Computer Security Incident Response Team).
These reports will follow a three-step procedure (initial notification – interim report – final report). Additionally, at the end of incident handling, there may be a need to address and remove the vulnerability that led to the major incident.
The announced changes are just an evolution of the original NIS Directive that was introduced in 2016. However, as revealed through various audits and inspections, enforcing these requirements in individual member states left much to be desired.
This highlighted the need for a more uniform and decisive approach to boosting the level of cybersecurity, especially since we are increasingly reliant on various online services, including government platforms. New cloud solutions and SaaS have also been developed, and we have embraced IoT solutions more readily. Consequently, the number of cyberattacks, including ransomware, has also increased.
Now that we understand that NIS2 will significantly raise the common level of cybersecurity across many companies (according to PwC, it will affect over 6,000 entities operating across 18 different sectors of the economy), it’s worth considering the reasons behind these measures.
Chief among them is the continuously increasing trend of ransomware attacks, which affect various organizations almost daily. For example, according to the M-Trends report created by Mandiant in 2023, the number of investigations related to ransomware attacks increased by 5% (from 18% to 23%). In 2024 alone, there have already been over 3,000 victims of such malicious software (including 15 companies in Poland).
The main vectors of these incidents include the exploitation of vulnerabilities in various public services or phishing attacks. In its M-Trends report, Mandiant highlighted that it is tracking the activities of over 4,000 groups, nearly a quarter of which were identified in 2023. These insights highlight the ongoing evolution of cybercrime and the importance of securing systems in advance.
The NIS2 Directive emphasizes the importance of proactive cybersecurity risk management to address evolving threats effectively.
The most important points include:
It’s important to note that non-compliance with or infringement of this directive can result in significant financial penalties. Therefore, it is crucial to verify in advance, before it enters into force, whether your organization is subject to it and whether you are part of a supply chain that falls under NIS2.
Even if it turns out that the directive does not apply to you, it is still beneficial to take steps to enhance cybersecurity.
The deadline for implementing NIS2 into national legal frameworks across the European Union is October 17th, 2024. While this timeline may seem tight, it’s important to note that NIS2 isn’t regulating a new issue but rather evolving an existing system.
Our legal team has been proactively preparing our organization for these changes. As an organization certified in ISO 27001 and 27018, we aim to be a model of excellence in information security processes in our industry.
We are familiar with the NIS2 Directive, the current ANSC – the Act on the National Cybersecurity System (which includes regulations concerning operators of essential services, the predecessors of “key entities”), the first draft of the act implementing NIS2 (i.e., the draft amendment of the NSC), and various ENISA (European Union Agency for Cybersecurity) guidelines on topics such as risk management.
The draft NSC amendment suggests that cybersecurity obligations, previously limited to operators of essential services, will now extend to all key and important entities, aligning with the NIS2 Directive’s requirements.
Given the above, we can assume that there shouldn’t be any major surprises regarding obligations that will burden key and important entities. It can be argued that the biggest change is the inclusion of entirely new sectors under the NSC, with obligations related to risk management and incident reporting.
The Polish legislative process is still in its early stages, as we are currently in the public consultation phase of the draft. Our lawyers are actively engaged in the work within the chambers. The draft amendment of the NSC may change compared to the current draft, although it is unlikely to result in stricter obligations. Rather, any changes will likely aim at liberalizing these obligations, as this is the direction that businesses are advocating for.
NIS2 significantly expands the scope of requirements to additional sectors and entities. The directive applies to all entities with more than 50 employees and an annual turnover exceeding 10 million euros. NIS2 defines two categories of entities: key entities and important entities, each with its own guidelines. It’s important to note that the financial sector doesn’t have to comply with the NIS2 Directive; instead, the DORA regulation applies to this sector.
At Vercom, we have divided the implementation of NIS2 and DORA into stages:
We will keep you informed of any changes.
Meanwhile, in August, we have an ISO 27001 audit, where we will be certifying ourselves for the new ISO/IEC 27001:2022 standard – Information Security, Cybersecurity, and Privacy Protection.
The update to the standard that took place in October 2022 concerns:
The ISO 27001:2022 structure also includes several new elements, such as threat analysis, IT readiness for ensuring business continuity, data masking, network filtering, data leakage prevention, and secure coding principles.