While many EU countries are still working out the specifics of implementing the NIS2 Directive, we know there are some key elements that will be included in each national implementation. Here we’ll focus on two of them: Article 21 and Article 23.
NIS2 Article 21: The Duty of Care and Cybersecurity Risk Management Measures
Article 21 outlines key cybersecurity practices that every business under the NIS2 regulations must have in place. You’ll probably already have thought of many of these, and taken some steps towards implementing them for the health and future of your business. As for the others – Eye Security is here to help.
Essential and important entities are required to implement specific technical, operational, and organizational measures under Article 21 to enhance their cybersecurity resilience and prevent potential incidents impacting their services.
Mandatory cybersecurity measures under Article 21 include:
-
Risk Analysis and Information System Security Policies
-
Incident Handling - This is an integral part of Eye’s CyberGuard service.
-
Business Continuity, such as Backup Management and Contingency Planning, and Crisis Management - In the event of a cyber incident, Eye Security guarantees support as part of its CyberGuard service. Crisis management is included in this Incident Response support.
-
Supply Chain Security - This includes security aspects related to the relationships between each entity and its direct suppliers or service providers, such as cloud computing service providers and data centre service providers. Additionally, dns service providers play a crucial role in ensuring cybersecurity.
-
Security in the Acquisition, Development, and Maintenance of Network and Information Systems - Vulnerability scanning (including newly identified vulnerabilities) is part of Eye’s CyberGuard service.
-
Policies and Procedures for Assessing the Effectiveness of Cybersecurity Risk Management Measures
-
Basic Cyber Hygiene Practices and Training - Eye Security’s optional Awareness service includes regular phishing simulations and training for employees who fall for such phishing emails.
-
Policies and Procedures Regarding the Use of Cryptography and, where applicable, Encryption
-
Personnel Security, Access Policies, and Asset Management
-
Where Appropriate, the Use of Multi-Factor Authentication or Continuous Authentication Solutions, Secure Communication for Voice, Video, and Text, and Secure Emergency Communication Systems Within the Entity - the Eye portal indicates security measures such as MFA usage, providing customers with visibility into the actual application of security measures.
NIS2 Article 23: Incident Reporting and Network and Information Systems
Article 23 of the NIS2 Directive lays out the requirements for incident reporting. It defines what constitutes an incident, the mandatory reports, and the content required in these reports.
A cyber incident is defined as:
-
A severe operational disruption of the organisation's services.
-
An incident that could lead to financial damage.
-
An incident that could cause material or immaterial harm to other natural or legal persons.
The exact criteria for these thresholds are yet to be determined, but we're keeping an eye on developments.
No one wants an incident – but if one happens to your business, under NIS2 you'll be required to report it as follows:
Within 24 hours of an incident, report it to the supervisory authority and the CSIRT designated for your sector. This report must state whether the incident was caused by unlawful or malicious actions and whether it could have cross-border implications.
After 72 hours, a follow-up report must be submitted. This report should update the information from the initial report and provide an initial assessment of the incident's severity and impact.
One month after the incident, a final report must be submitted. This report should provide a detailed description of the incident, including its severity and impact, the type of threat or root cause likely leading to the incident, applied and ongoing risk mitigation measures, and, if applicable, the cross-border impacts of the incident.
During an incident, the CSIRT or the competent authority/supervisory authority can request an interim report. This report should provide relevant updates on the situation.
Remember, improving your cybersecurity isn't just about meeting regulations – it's about you, your customers, and the safety of your business. Access our NIS2 resource hub to learn more.
We're with you on this journey, essential and important entities.
Eye Security offers round-the-clock protection, prompt and skilled incident response, and even insurance coverage. Our comprehensive cyber protection is tailored for small to medium-sized businesses. Book a demo to learn more.