The NIS2 Directive Implementation: How to Effectively Mitigate the Risk of Cyber Attacks

A few weeks ago, at Vercom, we began the process of implementing the  NIS2 Directive and preparing to meet the requirements of the Digital Operational Resilience Act (DORA).

What Benefits Do NIS 2 Cybersecurity Changes Bring, and What Do They Mean for the Safety of Our Clients?

According to the European Commission, the NIS2 Directive aims to establish a minimum level of regulations and requirements among member states to mitigate the risk of cybersecurity incidents effectively. At the same time, the Digital Operational Resilience Act (DORA) has been adopted, effectively tightening European cybersecurity requirements, particularly in the financial sector. Thus, it can be said that DORA provides more specific (and overarching) regulations to NIS2.

Already published in the Official Journal of the European Union, this new directive introduces comprehensive measures for a high common standard of cybersecurity across the Union, focusing on strengthening the cyber resilience of essential and important entities.

Compliance with NIS2 focuses on three key areas: securing network and information systems, handling security incidents, and monitoring the supply chain in the context of countries of origin. Moving forward, organizations must prepare to define what constitutes a cybersecurity incident and what qualifies as a major incident that must be reported to the relevant authority (CSIRT, short for Computer Security Incident Response Team).

These reports will follow a three-step procedure (initial notification – interim report – final report). Additionally, at the end of incident handling, there may be a need to address and remove the vulnerability that led to the major incident.

The announced changes are just an evolution of the original NIS Directive that was introduced in 2016. However, as revealed through various audits and inspections, enforcing these requirements in individual member states left much to be desired.

This highlighted the need for a more uniform and decisive approach to boosting the level of cybersecurity, especially since we are increasingly reliant on various online services, including government platforms. New cloud solutions and SaaS have also been developed, and we have embraced IoT solutions more readily. Consequently, the number of cyberattacks, including ransomware, has also increased.

Why Is NIS 2 Implementation Necessary in the EU Member States?

Now that we understand that NIS2 will significantly impact the high common level of cybersecurity across many companies (according to PwC, it will affect over 6,000 entities operating across 18 different sectors of the economy), it’s worth considering the reasons behind these measures.

Chief among them is the continuously increasing trend of ransomware attacks, which affect various organizations almost daily. For example, according to the M-Trends report created by Mandiant in 2023, the number of investigations related to ransomware attacks increased by 5% (from 18% to 23%). In 2024 alone, there have already been over 3,000 victims of such malicious software (including 15 companies in Poland).

The main vectors of these incidents include the exploitation of vulnerabilities in various public services or phishing attacks. In its M-Trends report, Mandiant highlighted that it is tracking the activities of over 4,000 groups, nearly a quarter of which were identified in 2023. These insights highlight the ongoing evolution of cybercrime and the importance of securing systems in advance.

The NIS2 Directive emphasizes the importance of proactive cybersecurity risk management to address evolving threats effectively.

The most important points include:

• Cyber Hygiene and Employee Training: Every employee, from customer service representatives to administrators, should undergo regular cybersecurity and incident response training. Daily cyber hygiene practices are crucial for all staff members. This is particularly important because phishing attacks and the execution of malicious software often provide attackers with their initial access to the targeted network.
• Supply Chain Security: Modern systems often rely on software and integrations from third-party companies. What if one of these elements is hacked, leading to the download of a malicious update? This is why NIS2 compliance requires proper security across the entire supply chain.
• Procedures: Whether it’s a Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), or incident handling procedure, it’s crucial to prepare and have appropriate security measures in place well in advance. Besides being useful for various audits, these procedures enable a swift response in the event of a security incident. Conducting tabletop exercises can be particularly beneficial for practising swift response and ensuring everyone knows their role in mitigating the impact.
• Security Systems: This is a critical aspect, especially in the modern world. Without well-chosen security measures, we cannot consider a company to be mature in this domain. Proper cybersecurity capabilities are essential for detecting, preventing, and responding to threats effectively. For more information on security systems, you can read the article:
  CyberLabs #9: Cyber Security for Business – How to Secure Your Network from Cyber-Attacks?

Consequences of Not Complying with NIS2 Requirements

It’s important to note that non-compliance or infringement of this directive can result in significant financial penalties. Therefore, it is crucial to verify in advance whether your organization is subject to it before it enters into force and if you are part of a supply chain that falls under NIS2.

Even if it turns out that the directive does not apply to you, it is still beneficial to take steps to enhance cybersecurity.

When Will the New NIS2 Directive Come Into Effect in Poland?

The deadline for implementing NIS2 into national legal frameworks across the European Union is October 17th, 2024. While this timeline may seem tight, it’s important to note that NIS2 isn’t regulating a new issue but rather evolving an existing system.

Our legal team has been proactively preparing our organization for these changes. As an organization certified in ISO 27001 and 27018, we aim to be a model of excellence in information security processes in our industry.

We are familiar with the NIS2 Directive, the current ANSC – the Act on the National Cybersecurity System (which includes regulations concerning operators of essential services, the predecessors of “key entities”), the first draft of the act implementing NIS2 (i.e., the draft amendment of the NSC), and various ENISA (European Union Agency for Cybersecurity) guidelines on topics such as risk management.

The draft NSC amendment suggests that cybersecurity obligations, previously limited to operators of essential services, will now extend to all key and important entities, aligning with the NIS2 Directive’s requirements.

Given the above, we can assume that there shouldn’t be any major surprises regarding obligations that will burden key and important entities. It can be argued that the biggest change is the inclusion of entirely new sectors under the NSC, with obligations related to risk management and incident reporting.

The Polish legislative process is still in its early stages, as we are currently in the public consultation phase of the draft. Our lawyers are actively engaged in the work within the chambers. The draft amendment of the NSC may change compared to the current draft, although it is unlikely to result in stricter obligations. Rather, any changes will likely aim at liberalizing these obligations, as this is the direction that businesses are advocating for.

Stages of Implementing NIS2

NIS2 significantly expands the scope of requirements to additional sectors and entities. The directive applies to all entities with more than 50 employees and an annual turnover exceeding 10 million euros. NIS2 defines two categories or entities: key entities and important entities, each with its own guidelines. It’s important to note that the financial sector doesn’t have to comply with the NIS 2 directive; instead, the DORA regulation applies to this sector.

At Vercom, we have divided the implementation of NIS2 and DORA into stages:

1. Classification: Determining which category our entity falls under.
2. Scope Identification: Defining the scope of Vercom’s services that fall under the services specified in NIS2.
3. Implementation Scope: Determining the scope of implementation actions within the organization, including changes to procedures and instructions.

We will keep you informed of any changes.

Certification for the Updated ISO 27001:2022 Standard

Meanwhile, in August, we have an ISO 27001 audit, where we will be certifying ourselves for the new ISO/IEC 27001:2022 standard – Information Security, Cybersecurity, and Privacy Protection.

The update to the standard that took place in October 2022 concerns:

• Personnel Security: Relates to individuals (e.g., remote work).
• Organizational Security: Pertains to organizational policies, information policies, and the use of cloud data storage.
• Physical Security: Involves physical facilities, data storage media, securing premises and offices, and electronic equipment.
• Technological Security: Covers the technology used within the organization, information removal, leakage prevention, and authentication.

The ISO 27001:2022 structure also includes several new elements, such as threat analysis, IT readiness for ensuring business continuity, data masking, network filtering, data leakage prevention, and secure coding principles.