
How NIS 2 will affect cybersecurity: new rules, obligations and challenges for Slovak companies

Cybersecurity is becoming an integral part of the daily functioning of modern societies. The European Union’s NIS 2 (Network and Information Security) Directive is a response to the rapidly evolving cyber threats, the implications of which transcend national and sectoral boundaries.

The transposition of the NIS 2 Directive into Slovak law is aimed at strengthening the protection of critical infrastructure, economic entities and a wide range of companies against the growing risks of cyber attacks. The amended Directive responds to new challenges and risks brought about by previous practice.

The original framework was often limited to only the largest companies and critical sectors, creating weaknesses in the protection of smaller entities, which are increasingly the target of cyber-attacks. Existing threats such as ransomware attacks, phishing campaigns or the exploitation of vulnerabilities in software do not recognise the differences between small and large organisations. Attacks often target smaller entities that do not have sufficient security measures in place, and these incidents can trigger a chain reaction affecting entire sectors.

Extension of scope: who will be affected?

One of the most significant changes introduced by the Directive is the extension of the range of entities covered by the new rules. While the original legislation focused on so-called essential service providers (ESPs) in areas such as energy, transport, healthcare and banking, NIS 2 significantly expands this list. Organisations in manufacturing, food distribution and waste management, as well as digital service providers, will now be treated as full-fledged ESPs within the scope of the law.

The National Security Authority (NSA) has made available on its website an indicative aid for determining whether a company should be entered in the register of essential service providers pursuant to Section 17 of Act No. 69/2018 Coll. on cybersecurity, and whether it is therefore obliged to comply with the NIS 2 rules.

In addition, clear criteria are set for the size and importance of organisations. Entities with more than 50 employees or an annual turnover exceeding EUR 10 million whose line of business is listed in the Annex to the Act automatically fall within its scope. “However, this definition is not universal. Some services that are particularly sensitive from a security point of view, such as the provision of DNS services or a TLD administrator, will be covered regardless of their size. This move is necessary, as an attack on these types of services can have a major impact on thousands of customers, including large corporations,” explains Zuzana Holý Omelková, CCO of GAMO (pictured).

At the same time, the extension of the scope brings new challenges for businesses that have not had to deal with cybersecurity at this level until now. Smaller manufacturers or food distributors, for example, which have often underestimated the likelihood of cyber-attacks and especially their impact, must now be prepared to protect their IT systems, analyse potential risks and raise the level of security awareness among their employees.

Risk analysis: the basis for effective protection

One of the key requirements of the new legislation is the introduction of systematic risk analysis. This is a proactive approach to risk identification and management, going beyond traditional models of protection. Risk analysis is no longer just about protecting specific systems or data. Organisations need to consider their entire operating environment, including interactions with external vendors, software in use and physical infrastructure.

“For example, a logistics services company must consider the risks associated not only with its own IT system, but also with integration with its partners’ systems. A vulnerability on one side of the supply chain can pose a security risk to the entire system,” confirms Zuzana Holý Omelková.

For effective risk analysis, it is necessary to regularly update security policies, test systems for resistance to attacks, and work with specialist consultants or security teams.

Implementation of security measures

The results of the risk analysis are the basis for implementing technical, organisational and personnel measures, which must be tailored to the specific needs of the organisation. “At the technical level, this includes, for example, deploying firewalls, encrypting communications, monitoring traffic and regular software updates. At the organisational level, educating employees, implementing security policies and developing incident response plans are key,” says GAMO’s sales director and cybersecurity expert.

Some organisations need to go further and put specialised measures in place. For example, businesses that store sensitive data such as medical records must ensure not only access control but also auditability of how that data is managed. Cloud providers are obliged to guarantee the high availability of their services and, at the same time, the security of their infrastructure against attack.

Cybersecurity manager: a key role

This position is essential for coordinating all security measures. The manager must be qualified and independent of other departments in order to oversee security processes effectively. “For many smaller organisations this is a challenge, as they do not have the internal capacity to fill such a position,” points out Zuzana Holý Omelková, who suggests outsourcing the service to an external provider as an alternative: “This solution is often even more cost-effective.”

Incident reporting and prevention

The NIS 2 Directive places a strong emphasis on prevention and early response. Organisations are obliged to report not only incidents that have already caused damage, but also potential threats and averted attacks. This proactive approach creates a broader picture of current risks at national level and allows important information to be shared between actors. Reporting must be done within 72 hours of the incident being detected, with a time limit of only 24 hours for significant threats.

Economic and reputational challenges

The implementation of NIS 2 will require significant investment, which can be particularly challenging for smaller businesses. These costs include the purchase of technology, staff training, auditing of security measures and potential fines for non-compliance. On the other hand, in the long term these investments cost significantly less than the damage caused by cyber-attacks.

In addition to the financial aspects, reputation is also important. “Companies that demonstrate a high level of protection of their systems and data gain the trust of customers and business partners. Conversely, poor security can lead to a loss of trust and a decline in competitiveness,” warns Zuzana Holý Omelková from GAMO.

The introduction of the NIS 2 Directive in Slovakia represents a breakthrough moment for the field of cyber security. It is a challenge but also an opportunity to modernise, increase resilience and improve cooperation between the private and public sectors.

Published: 17. December 2024

Martin Ondrušek

Information Security Manager

GAMO a.s.

This article is part of magazine no.
