Reinforcement of security measures: The new NIS Directive


In an increasingly connected and technology-dependent world, cybersecurity has become a top concern. The European Union has responded to this challenge by approving the NIS2 Directive. This new directive follows in the footsteps of the NIS1 Directive, which was enacted in 2016, and seeks to strengthen security measures and response to cyber incidents across Europe, promoting the implementation of a uniform regime in this area among all Member States.

In this article, we will explore the key aspects of the NIS2 Directive, focusing on security measures, the innovations it presents, and its implementation in Spain.

Security measures of the NIS2 Directive:

The NIS2 Directive establishes a set of cybersecurity measures aimed at protecting information systems and ensuring the operational continuity of essential and digital services. These measures include system security policies and risk assessment, the implementation of preventive measures and the adoption of incident management plans, the implementation of systems to assess the effectiveness of implemented risk management measures, vulnerability disclosure, and encryption. Organizations must implement measures that are proportionate to the identified risks and adapted to their size and nature.

One of the main security measures is risk assessment. Organizations must identify and assess potential cyber risks they are exposed to by analyzing associated threats and vulnerabilities. With this assessment, informed decisions can be made about which controls and security measures to implement to mitigate the identified risks.

Another key measure is the implementation of detection and response systems. These systems allow organizations to identify potential cyber incidents and respond to them quickly, minimizing impact and reducing downtime. This involves constant monitoring of systems and networks, early detection of intrusions or anomalous behavior, and effective response mechanisms. A detection and response plan in this area defines the roles and responsibilities of response teams, establishes clear communication channels, and describes procedures for incident containment, mitigation, and recovery. Rapid incident response and management reduce the impact and minimize the consequences for organizations and users.

Furthermore, the directive emphasizes the importance of prevention, urging organizations to implement technical and organizational measures to prevent potential cyber incidents. These measures may include network segmentation, multi-factor authentication, data encryption, cybersecurity training for staff, and the implementation of clear security policies.

What’s new in the NIS2 Directive:

The NIS2 Directive introduces some significant innovations compared to its predecessor, the NIS1 Directive. One of the main changes is the expanded scope, which now includes digital services such as online platforms, search engines, and cloud services. This recognizes the growing importance of these services in our digital society and aims to ensure their security and operational continuity. It also covers entities in the manufacturing sector of pharmaceuticals, medical devices and chemical devices, and entities in the food sector, among others.

The scope is also expanded in terms of company size. While previously only large entities (more than 250 employees and/or 50 million euros in annual turnover) were considered, medium-sized companies (more than 50 employees or 10 million euros in annual turnover) are now brought within the scope of the new directive by Article 2. However, it should be noted that the level of compliance required will not be the same for all entities: a more demanding regime is foreseen for entities classified as “essential” than for “important” entities.

In general, except for specifically provided exceptions, “important” entities will be those that do not meet the size thresholds for large companies, or those engaged in sectors included in NIS2 but not in NIS1, regardless of their size. On the other hand, “essential” entities will be large entities operating in sectors already included in NIS1.

The directive also introduces clear requirements regarding the notification of cyber incidents. Organizations must notify the competent authorities of significant incidents within a maximum period of 24 hours. This allows for a faster and coordinated response to incidents, facilitating the exchange of information and the adoption of appropriate measures to mitigate risks.

Additionally, the NIS2 Directive states that both members of governing bodies and employees must attend periodic cybersecurity training sessions to acquire the necessary knowledge and skills to detect risks and assess risk management practices in this area and their impact on the services provided by the entity.

Another significant change introduced by NIS2 is the increased responsibility of corporate management bodies in this regard, as this new directive holds them accountable for supervising and ensuring compliance with cybersecurity risk management measures.

The NIS Directive in Spain:

In Spain, the NIS2 Directive must be transposed by October 17, 2024, at the latest. NIS1, for its part, was transposed through RD-Law 12/2018 of September on the security of networks and information systems, which establishes the requirements and obligations for operators of essential services and digital service providers in terms of cybersecurity. It also establishes the functions and responsibilities of the competent national authority, the National Center for the Protection of Infrastructure and Cybersecurity (CNPIC), in supervising and coordinating cybersecurity in Spain.

RD-Law 12/2018 sets out cybersecurity obligations for operators of essential services and digital service providers in Spain. These organizations must implement appropriate cybersecurity measures and have incident management plans in place. They must also notify significant incidents to the CNPIC and collaborate with the competent authorities in incident management.

In conclusion, the NIS2 Directive represents a significant step forward in protecting and strengthening cybersecurity in Europe and Spain. With clear and robust security measures, it aims to safeguard information systems and ensure the continuity of essential and digital services.

While awaiting the transposition of this directive in Spain, the best way to prepare for compliance with the new regulations is to conduct a cybersecurity risk assessment to identify strengths and weaknesses.

At Letslaw by RSM, we have professionals specialized in cybersecurity. Therefore, we will be happy to assist you with adapting your company’s activities to the new regulations and address any concerns you may have in this regard.
