New Cybersecurity Act – NIS2
The new Cybersecurity Law must be approved by October 17, 2024 at the latest, in Spain and in all other European Union Member States. Article 41 of European Directive 2022/2555, better known as NIS2, requires Member States to adopt and publish by that date the measures necessary to comply with the provisions of the Directive.
Every 36 months thereafter, the Commission shall review the operation of this Directive and report to the European Parliament and the Council.
What is NIS2?
NIS2 is a Directive that establishes the measures necessary to achieve a common level of cybersecurity across all EU Member States, and which each Member State transposes into a national Cybersecurity Act.
Prior to this Directive, in 2016, the Commission adopted the NIS Directive as the first EU cybersecurity law. It, too, was aimed at improving the resilience of European networks and information systems against the many risks of suffering cybersecurity attacks.
However, the pandemic in 2020 caused the use of technologies to increase enormously, often making control over them difficult, which led to greater exposure to threats and the risks that this entails.
Key points of the future Cybersecurity Law
The key points we identified from this new Directive are as follows:
1.- Requirement for Member States to adopt a national cybersecurity strategy.
To this end, the following actions will be applied:
– National Computer Security Incident Response Teams (CSIRTs) will be appointed.
– Creation of a national cybersecurity authority.
– Creation of a single point of contact, called SPOC. Its function will be to act as liaison to ensure cooperation between the different cybersecurity authorities of the Member States, as well as cooperation with other authorities.
– Creation of a Strategic Cooperation and Information Exchange Group between the Member States and the CSIRT Network.
2.- Adoption of security measures in essential sectors.
Security measures are required in sectors classified as “essential” and “important”, which include entities identified as critical, based on their activity in different sectors, such as energy, transportation, banking, financial markets, healthcare, drinking water and wastewater, digital infrastructure, business-to-business ICT service management, public administration, space, postal and courier services, waste management, chemical manufacturing and production, food production and processing, healthcare manufacturing, IT, electronics, optical, electrical, digital service providers and research.
3.- Digital companies
Providers of digital services, such as search engines, cloud computing and online marketplaces, will also have to adopt the relevant security measures to comply with the Directive.
4.- Security Breach Notification
In the same way that the GDPR requires notification of data protection security breaches, the NIS2 will make it mandatory to notify the relevant authority of serious cybersecurity incidents.
To whom does NIS2 apply?
There are two criteria to determine its scope of application:
1.- Size of the company
This Directive applies to large and medium-sized companies, whether public or private, as referred to in Article 2 of the Annex to Recommendation 2003/361/EC.
Therefore, it will not apply to companies employing fewer than 250 people and whose annual turnover does not exceed EUR 50 million or whose annual balance sheet total does not exceed EUR 43 million.
2.- Regardless of size, according to their activity:
2.1.- The Public Administration
2.2.- Entities that provide domain name registration services.
2.3.- Entities related to the above mentioned sectors (essential and important) when:
– services are provided by providers of public electronic communications networks or publicly available electronic communications services;
– trust service providers; top-level domain name registries and domain name system service providers;
– the entity is the sole provider in a Member State of a service essential for the maintenance of critical social or economic activities;
– a disruption of the service provided by the entity could have a significant impact on public safety, public order or public health;
– a disruption of the service provided by the entity could induce significant systemic risks, in particular for the sectors in which such a disruption could have significant cross-border implications;
– the entity is critical in light of its specific importance at the national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;
Liability for non-compliance with NIS2
Art. 20.1 of the Directive states that Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures, oversee their implementation and can be held accountable for non-compliance by the entities.
Penalties for non-compliance with NIS2
The Directive establishes administrative sanctions for non-compliance with the obligations set forth in the Directive itself, such as binding instructions, the implementation of recommendations following a security audit, the adoption of security measures that had not been put in place and the application of administrative fines.
The administrative fines differ depending on whether they are applied to essential entities or to important entities:
– If it is an essential entity, the fines shall be a maximum of at least EUR 10 million or a maximum of at least 2% of the total annual worldwide turnover, in the preceding financial year, of the company to which the essential entity belongs, whichever is higher.
– If it is an important entity, the fines shall be a maximum of at least EUR 7 million or a maximum of at least 1.4% of the total annual worldwide turnover, in the preceding financial year, of the company to which the important entity belongs, whichever is higher.
Mandatory training in the content of the NIS2
Article 20.2 of the Directive stipulates that Member States must ensure that the members of the management bodies of essential and important entities attend training courses on the subject and offer similar training to their employees.
Business Adapter® gets you a FREE Cybersecurity Audit
If you want to know the situation of your company in terms of cybersecurity, request your FREE audit by email at info@businessadapter.es; you can also call 96 131 88 04, or leave your message in the contact form at https://businessadapter.es/contacto. Contact us, we will be pleased to help you.