Published at the beginning of 2023, the NIS2 directive brings increased responsibility for organizations of all types, especially companies, regarding cybersecurity and cyber resilience issues in the EU. Which organizations are most impacted? How can they prepare to embrace the change that will take effect in Portugal after the directive is transposed to the Member States? In our article, we explain everything you need to know about the NIS2 Directive and the impact it will have on businesses.
In 2024, we had the opportunity to understand how an IT failure can have consequences on essential infrastructures and public order on a global level. On July 19, the blackout caused by the update of the Falcon Sensor software from Crowdstrike led to dozens of services being paralyzed or severely disrupted, including banks, media companies, airports, and many other institutions worldwide.
What is the NIS2 Directive?
Thus, in a context where the consequences of cyberattacks and IT failures are increasingly harmful, the NIS2 Directive emerges. In force since 2023, the NIS2 Directive (NIS stands for Network and Information Security) is a legislative act aimed at strengthening cybersecurity measures and protecting critical infrastructures across the European Union (EU). The new directive expands the scope of application, addresses the gaps of the first version – NIS1 – and increases the responsibility of companies. It is estimated that, compared to NIS1, the number of monitored entities will rise from around 400 to over a thousand, so these entities must implement measures to strengthen their systems and their in-house cybersecurity skills.
How EU Directives are Applied
Before understanding which sectors and types of companies will be affected by the NIS2 Directive, it is important to clarify what a directive is and how it is applied. As we have seen, a directive is an EU legislative act; however, it is not a regulation, which is directly applicable in Member States without the need for transposition. A directive sets the objectives to be achieved, but the way they are achieved is more flexible: each Member State is responsible for defining the laws and regulations it will follow to meet those objectives. Directives generally establish a transposition deadline so that Member States can adapt the legislation to their own reality.
The initially established deadline was October 17, 2024, but neither Portugal nor the majority of EU Member States met this deadline. The draft law for the approval of the new Cybersecurity Legal Framework is available for public consultation until December 31, 2024, and the Government intends to submit the draft law to the Assembly of the Republic in January 2025.
Companies and Sectors Covered by the NIS2 Directive
The question on the minds of many business managers at the moment is, indeed, how their businesses can be affected by the NIS2 Directive.
The new directive classifies the entities it covers by type and size. Regarding type, there are essential entities and important entities. An essential entity is a company with at least 250 employees and a turnover of at least 50 million euros per year or an annual balance sheet exceeding 43 million euros. Additionally, an essential entity must operate in a sector considered very critical, such as the following:
- Energy
- Transport
- Banks and financial infrastructure
- Public administration
- Healthcare
- Space exploration
- Water supply (potable and wastewater)
- Digital infrastructure*
On the other hand, an important entity must have at least 50 employees and an annual turnover of at least 10 million euros or a balance sheet of 10 million euros, and must belong to one of the critical sectors:
- Postal and courier services
- Waste management
- Chemical and pharmaceutical industry
- Research
- Food production, processing, and distribution
- Manufacturing industry
- Digital service providers*
* Although the two are easily confused, digital infrastructure companies and digital service providers operate in different areas. The former are cloud providers, data centers, Trust Service Providers, among others. The latter are service providers in the digital marketing area, including social networks, online presence, e-commerce, and similar.
However, it is important to mention some exceptions and relevant aspects:
- There is a set of entities considered essential because they belong to a very critical sector, regardless of their size. These are entities whose service interruptions or failures can have severe consequences for public order. They include providers of public communication networks, top-level domain name registration companies, DNS service providers, among others.
- Within the very critical sectors, companies are considered essential or important depending on the number of employees or annual turnover/balance sheet.
- All companies in the critical sectors are considered important, regardless of their size or annual turnover/balance sheet.
Check the infographic below for a summary of this information.
How to Prepare your Company for the NIS2 Directive
Does your company or organization fall within the criteria we just analyzed? Then, it is essential to start preparing for the changes that the NIS2 Directive will bring. Although the specific regulations for each of the EU Member States have not yet been defined, the directive hints at some aspects that allow companies to start preparing for the changes.
Monitoring of compliance with the rules will differ depending on whether an entity is essential or important. For the former, supervision will be proactive: essential entities may be subject to audits or inspections to verify that the legislation is being complied with, regardless of whether any incident has occurred.
For important entities, supervision is only conducted when there are indications of an incident (after the fact). In both cases, if the entities (essential or important) do not take the necessary measures, they may face the consequences provided for non-compliance with the law. In Portugal, the entity responsible for supervising the measures arising from the NIS2 Directive is the National Cybersecurity Center (CNCS).
NIS2 Directive Requirements and Measures
Regardless of whether it is an essential or important entity, all organizations under NIS2 must adopt measures related to Risk Management, Corporate Responsibility (Governance), Incident Reporting, and Business Continuity.
Risk Management
Entities must adopt cybersecurity risk management measures to minimize the likelihood and impact of threats. Technical and operational protocols must be implemented to mitigate the risks that may affect networks and systems.
Corporate Responsibility
The NIS2 directive stipulates that the management bodies are responsible for approving and supervising risk management protocols and for ensuring their correct implementation. Similarly, according to article 20 of the directive, members of the management bodies must receive training and promote the sharing of knowledge and training among the other teams, so that awareness of cybersecurity is widespread throughout the company.
Incident Reporting
Entities must define procedures that allow for the prompt reporting of security incidents affecting system users or service delivery. Notification to the competent entity (CNCS) must be made within 24 hours of becoming aware of the incident. A complete report must also be sent within a maximum of 72 hours, followed by a final report with conclusions one month after the first document is sent.
Business Continuity
Ensuring the continuity of business activity after an incident is another pillar of the directive. Entities must create a detailed strategy for incident response scenarios to minimize service interruptions, including data recovery, with cloud backup solutions recommended for this purpose.
The NIS2 directive was announced by the European Commission at the end of 2022.
10 Cybersecurity Measures of the NIS2 Directive
Article 21 of NIS2 presents a set of basic security measures that organizations must implement to support the four axes we mentioned earlier. These measures include:
- Definition of risk analysis and IT system security policies
- Incident response plans to deal with active threats
- Business continuity plans, including backup, disaster recovery, and crisis management procedures
- Supply chain security, including measures addressing the relationship between companies and their direct suppliers or service providers
- Security in the acquisition, development, and maintenance of networks and information systems, including handling and disclosure of vulnerabilities
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Training for cybersecurity awareness and best practices
- Policies on the use of cryptography and encryption
- Access control procedures, especially for employees with access to confidential data
- Multifactor authentication, continuous monitoring, and secure communication systems
More than an obligation to comply with regulations to avoid fines, the NIS2 Directive is an essential tool to protect entities and businesses against an increasingly omnipresent threat – cybercrime. Even if your company is not directly affected by NIS2, cybersecurity should today be a topic on the agenda of all organizations. In a dynamic scenario with constant cyber threats, the risks unfortunately exceed regulatory classifications. And we must not forget that in an interconnected digital world, all organizations – whether or not covered by the NIS2 directive – play a role in global resilience against cybercrime.
How PONTUAL Can Help You
Does your company need to prepare to embrace the changes brought by the NIS2 Directive? Or, even if it is not among the targeted entities, has it not yet invested in the cybersecurity measures that will protect your business? PONTUAL is the Security and Managed Services Provider that offers complete and integrated IT services, with an increasing focus on Cybersecurity solutions for SMEs. Our approach starts with diagnosing and assessing the security needs of the business, then implementing solutions, monitoring threats, and providing close and constant technical support. If you are not yet familiar with PONTUAL’s ebook Cybersecurity for SMEs, this is an excellent time to download it and learn about all the best practices and IT security measures you should implement in your business. Do you have questions? Would you like to know more about our cybersecurity services? Contact us.