Firms are expecting stricter cybersecurity rules. The European Parliament’s Network and Information Security Directive – NIS 2 will soon be in force in Slovakia*, mandating greater scrutiny and vigilance.
Relevance and importance of the NIS 2 Directive
The new directive is currently the topic of many professional conferences, webinars, advertisements on the web and social networks. Companies will have to comply with it from January 2025. This means aligning their security measures, documentation, processes and technologies with its wording. What specific requirements need to be met? The draft law transposing the NIS 2 directive into our legislation has been in the inter-ministerial comment procedure since 31 May 2024, and was subsequently discussed and recommended to the government for approval at the meeting of the government’s legislative council on 24 September 2024. Who will be bound by the new rules and what is their purpose? When should companies start preparing at all and by when do they need to get everything done? We will try to provide some answers.
Who is affected by the NIS 2 Directive
At this point, it is certain that the Slovak regulation cannot be softer than the rules laid down in the text of the directive itself. However, it is unlikely to be as much of a revolution in Slovakia as in countries where the original NIS Directive was transposed only pragmatically and minimally, such as Slovenia. According to expert estimates, approximately 4,600 entities in Slovakia will fall under the obligations of the new NIS 2 Directive, compared to 1,600 entities under the original Directive. The increase is driven mainly by the growth in the number of sectors that will have to adopt the measures specified in the new law and the subsequent decree. These include companies in waste management, chemical production, food processing, postal and courier services, electrical manufacturing and the automotive industry. Obligations will likewise be extended within the IT sector: all telecommunications operators, managed IT service providers and digital infrastructure firms will be subject to the new regulation. Moreover, beyond the IT service providers listed in the annexes to the law, its requirements will also bind all suppliers whose activities directly affect the availability, confidentiality and integrity of the networks and information systems operated at the customer’s premises.
Obligations of entities covered by NIS 2
It can be stated with certainty that all companies falling under NIS 2 will be obliged to protect the security of their IT systems through a combination of several types of measures, not only at the technological level, but also at the personnel, physical and organisational levels. Those already certified to ISO 27001 – Information security, cybersecurity and privacy protection – Information security management systems will have an advantage, as the requirements arising from NIS 2 are similar in many respects.
The first step in a company’s alignment with NIS 2 should be an “internal inventory” of information systems. Many companies build and add applications incrementally and not everything is always under IT control. Employees often choose to use popular cloud and online solutions without consulting or even knowing the IT department. Therefore, the catalog of information assets that the inventory creates is an essential first step in figuring out what the company actually needs to protect. In addition to software solutions and cloud services, information assets also include personal data, data containing company know-how, trade secrets and, last but not least, the premises – the server room and the places where network elements are stored outside it.
Once a company knows what it needs to protect, it should also prioritise and determine the strength of the measures it will use to secure its information assets. The existing cybersecurity law required every piece of information, information system and network to be classified and categorised; only by classifying these information assets according to their security attributes could it be decided which measures were mandatory and which were recommended. NIS 2 and the Bill instead require security measures to be implemented on the basis of the risk analysis carried out and in accordance with cybersecurity standards. Either way, the strength of the measures taken should be proportionate to the importance of both the risks and the assets: the cost of mitigating a risk should not exceed the potential impact of that risk.
NIS 2 from a risk management perspective
Rigorous risk analysis and risk management in relation to information assets was already part of the existing Cybersecurity Act. Under the NIS 2 Directive, however, it becomes the key activity for deciding which measures to take and which risks to treat. The decision as to what is still an acceptable risk nevertheless remains in the hands of each company’s management. For companies that have not yet addressed risk management, this will require setting up internal collaboration between management, risk owners and the cybersecurity manager. It is the responsibility of management to determine the “risk appetite” – that is, the level of risk the company can still accept for a particular risk, process or project. All risks above this level represent a critical threat; these are the ones management should address and dedicate the resources necessary to treat.
Ultimately, under the new NIS 2 Directive it is the company’s management that will be responsible for how the company manages not only risks, but also cyber threats and potential incidents. While the appointment of a cybersecurity manager is already mandatory today, the appointment does not transfer statutory responsibility to that manager. He or she may be responsible for the documentation produced and for implementing preventive or operational measures. The IT manager, on the other hand, is responsible for the uninterrupted operation of systems, including the activities required from a cybersecurity perspective. When a threat emerges that exceeds the “risk appetite”, the cybersecurity manager or IT manager will request resources from management to address it, and it is management that must be able to decide, at that moment, whether or not to allocate resources to treat the risk.
Quick fixes or a real cybersecurity manager
Here, management relies on the cybersecurity manager to ensure that any request for resources is legitimate and based on an honest, professionally conducted risk analysis. A company should not make such decisions on the basis of unreliable information, yet unreliable information is exactly what abounds nowadays, when a multitude of vendors and articles are devoted to NIS 2. Until the draft amendment to the Cybersecurity Act was available, it was only possible to talk about the sectors or the range of companies covered by the obligations arising from the new directive. Anyone offering to analyse a company’s readiness for NIS 2 at the present time (June 2024), or to prepare it for the directive straight away, is likewise not telling the truth. It is easy to find an offer of a free cybersecurity audit on the internet that takes 5 minutes, and there are even offers on social media promising to show a company’s readiness for NIS 2 through an 11-question questionnaire. All you have to do, they say, is enter a company ID number and the result is instantly available. Would you rely on such an “analysis” and its supposedly tailor-made offer? Or would you rather rely on a cybersecurity manager who knows the company, knows what information assets it uses, how important they are and what risks they are exposed to? The difference in approach is obvious at a glance.
Addressing cyber security in preparation for NIS 2
NIS 2 is therefore not a revolution. Responsible companies already treat cybersecurity as important and are gradually improving their protection against threats without needing a law to tell them to. Taking intuitive steps towards greater security is better than waiting for a law whose details we do not yet know much about, or relying on simplifications and an “analysis” provided for free.
The key requirements of the new legislation, and the role of the cybersecurity manager in meeting them, are covered in the next article.
*Network and Information Security – NIS 2, Directive of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity in the European Union.