Author

Blockchain Arbitration And Commerce Society

4 September 2023

Preparing for the NIS2 Directive

Cybersecurity Data Protection Directive EU Risks

The cybersecurity landscape is constantly evolving, and with it, regulatory frameworks are adapting to address the challenges posed by new digital threats. One such development is the Network and Information Security Directive 2 (NIS2 Directive), a significant update to the original NIS Directive. The NIS2 Directive aims to enhance the overall cybersecurity posture of critical infrastructure operators and digital service providers across the European Union.

The NIS2 Directive on measures for a high common level of cybersecurity across the Union, adopted in January 2023, represents a robust framework designed to ensure the security of network and information systems, ultimately safeguarding vital services and digital infrastructure.

The NIS2 Directive builds upon the foundation of its predecessor (NIS), introducing updates such as broader coverage of new sectors, increased focus on incident reporting and response, and the establishment of a Cybersecurity Competence Center.

As EU member states will need to transpose the directive into their national legislation by October 2024, it is important to understand what to expect with this updated directive.

Scope:

In terms of scope, NIS2 is an extension of its predecessor: it moves from seven covered sectors to between sixteen and eighteen. The new Directive focuses on giving guidance to guarantee uniform transposition across EU member states and expands the areas that are covered. “NIS2 defines two categories for entities in scope: important and essential. Entities in both categories will have to meet the same requirements. However, the distinction will be in the supervisory measures and penalties.”[1]

In practice, essential entities will be subject to ongoing supervisory obligations, while important entities will be supervised ex post, meaning that authorities act only once they find evidence of non-compliance.

To put this in context, “The NIS2 has simplified the scoping exercise the competent authorities have to make. A list of sectors was defined and a base rule of any large (headcount over 250 or more than 50 million revenue) or medium (headcount over 50 or more than 10 million revenue) enterprise from those sectors will be directly included in the scope. However, small or micro-organizations are not necessarily excluded; Member States can extend these requirements if an enterprise fulfills specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.”[2]

Member States are required to list all essential and important organizations covered by the NIS2 Directive by April 17, 2025, and may allow organizations to register independently. Entities will therefore need to decide whether their services are covered by NIS2, make a list of the Member States where they offer “in-scope” services, and register before the deadline in each of those Member States. It is important to note that although NIS2 sets a number of ‘minimum requirements’ that must be met, Member States may choose to set stricter standards.

Key points:

Another crucial component of the new Directive is its goal of enhancing cooperation between EU Member States in relation to cyber incidents and threats. To encourage knowledge exchange among the Member States, the European Union Agency for Cybersecurity (ENISA) will be tasked with creating a European Vulnerability Disclosure Database.

“In that regard, the Directive encourages Member States to simplify the incident reporting process by implementing a single entry point for incidents to reduce the administrative burden, including for cross-Member State incidents.”[3]

NIS2 also places a key focus on supply chains: individual entities become responsible for managing the cybersecurity risks within their supplier relationships as well as across their own supply chains. As a result, suppliers that fall outside the scope of NIS2 may still be affected: although they are not supervised by the national authorities under NIS2, they will be supervised by their in-scope customers.

“It will be obligatory for management to take responsibility regarding their cybersecurity maturity. This will include having risk assessments conducted and approving risk treatment plans to be implemented, among other tasks.”[4] In other words, NIS2 assigns enhanced accountability to the management of the organizations within the scope of the Directive. To meet it, the management of those organizations must follow cybersecurity training. It is also recommended to provide cybersecurity awareness training to employees at all levels to promote a culture of security, for example by encouraging good practices such as password management, timely software updates, and safe browsing habits.

Jurisdiction & penalties:

According to the NIS2 Directive, essential and important entities are considered to fall under the jurisdiction of the Member State in which they carry out their functions.

If an entity offers services in more than one Member State, each of those Member States should have jurisdiction over it. Furthermore, “For entities where the service is provided or is dependent on operations outside the EU, they should ensure the continuity of their EU services in case of disruption of their non-EU operations.”[5]

Greater sanctions for non-compliance are introduced by NIS2, including fines of up to 10% of an entity’s yearly sales. Those sanctions vary depending on whether it’s an essential entity or an important one. “Fines of up to €10,000,000 or 2% of total international turnover can be imposed on companies in the first category. For the second category, fines can be up to €7,000,000 or 1.4% of total international turnover.”[6]

Preparation:

Given all of the above, Member States and in-scope entities themselves should start preparing for the transposition of the NIS2 Directive. A first step is to identify the “organization’s critical services, processes, and assets that provide the essential service as defined in NIS2. A method to achieve the above is an organization-wide Business Impact Assessment to highlight the organization’s critical processes and their reliance on network and information systems.”[7]

Moreover, entities should gain control over their information security risks so that they can implement an information security risk management system. Likewise, an analysis of the entity’s supply chain is important in order to initiate the supply chain security management process.

As the NIS2 Directive brings about a new era of cybersecurity regulation in the European Union, organizations must proactively prepare to meet its requirements. By understanding the directive’s scope, implementing robust security measures, fostering a cybersecurity-conscious culture, and collaborating with competent authorities, organizations can effectively enhance their cybersecurity posture and contribute to a more secure digital landscape. Embracing these steps will not only ensure compliance but also strengthen an organization’s resilience against evolving cyber threats.

________________
[1] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[2] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[3] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[4] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[5] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
[6] https://www.nnit.com/our-solutions/cybersecurity/compliance-privacy/cybersecurity-how-to-prepare-for-the-nis2-directive/
[7] https://www.ey.com/en_be/cybersecurity/how-to-prepare-for-the-nis2-directive
