Prepare for NIS2 with Alfatec

The European Union's Network and Information Security Directive 2 (NIS2) is an updated legislative act aimed at achieving a high common level of cybersecurity across the European Union. Originally adopted in 2016, the first iteration of NIS relied heavily on the discretion of individual member states and lacked accountability.

NIS2 Explained

On January 16, 2023, in response to growing threats posed by increasing digitalization and the surge in cyber-attacks, the EU adopted NIS2 to strengthen security requirements and cyber resilience. The EU's 27 Member States have until October 17, 2024, to transpose the NIS2 Directive into applicable national laws.

NIS2 requires operators of critical infrastructure and essential services in the EU to implement appropriate security measures and report any incident to the relevant authorities. The Directive addresses the security of supply chains, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.


From NIS to NIS2

NIS2 expands the original NIS Directive to cover more industry sectors, with additional risk-management measures and incident reporting obligations. It also provides for stronger enforcement. NIS2 adds to NIS in four key areas:

  1. Expanded scope: NIS2 extends its reach from seven to eighteen sectors. NIS2 also categorizes each sector as essential or important, with different supervision requirements for each.
  2. More stringent security requirements: The Directive enforces stricter cybersecurity measures. These requirements involve risk management practices, technical and organizational measures, incident response and recovery plans, employee training, and frequent updates and patching.
  3. Mandatory incident reporting with specific timeframes: NIS2 requires organizations to report significant cybersecurity incidents, meaning those that are likely to adversely affect the provision of the organization's services. Organizations must provide an "early warning" report, using a standardized format and a shortened reporting timeframe of 24 hours, followed by an Incident Notification within 72 hours of first becoming aware of the incident, and a Final Report within 30 days.
  4. Enforcement through penalties: The NIS2 Directive imposes more severe penalties for non-compliance, including increased financial penalties.

Essential vs. Important Entities

NIS2 has expanded the directive's scope from seven sectors to eighteen, and classifies in-scope entities as either essential or important. The major difference between these two categories is how the entities are supervised.

Individual member states can determine what constitutes supervision, such as:

  • On-site inspections and off-site surveillance, including random checks and regular audits.
  • Targeted security audits based on risk assessments or other available risk-related information.
  • Security scans based on objective, non-discriminatory, fair, and transparent risk assessment criteria.
  • Requests for the information necessary to assess the cybersecurity measures adopted by the entity, including documented cybersecurity policies.
  • Requests for access to the data, documents, or information necessary to perform their supervisory tasks.
  • Requests for evidence of the implementation of cybersecurity policies, such as the results of security audits conducted by a qualified auditor and the respective underlying evidence.

Security Requirements

Article 21 of NIS2 states:

"Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or the provision of their services and to prevent or minimize the impact of incidents on recipients of their services and on other services." 


Reporting Timeframe

Article 23 of NIS2 requires that every significant cybersecurity incident "…that has a significant impact on the provision of their services…" be reported, whether or not the attack actually affected the entity's operations. The purpose is to help authorities improve monitoring of, and responses to, potential threats. NIS2 retains the NIS requirement that every EU member state designate a central point of contact for compliance and a coordinating Computer Security Incident Response Team (CSIRT), or a competent authority, for incident reporting.

The most significant change around incident reporting is how the NIS2 Directive details the mandatory multi-stage incident reporting process and the content that must be included:

  1. Early Warning: Within 24 hours.

    An initial report must be submitted to the competent authority or the nationally relevant CSIRT within 24 hours of a cybersecurity incident. The initial report should provide an early warning where there may be cross-border impact or malicious activity involved. This first notification is intended to limit the potential spread of a cyber threat.

  2. Follow-up Incident Notification: Within 72 hours.

    A more detailed notification report must be communicated within 72 hours. It should contain an assessment of the incident, including its severity, impact, and indicators of compromise. The impacted entity should also report the incident to law enforcement authorities if it was criminal.

  3. Final Report: Within one month.

    A final report must be submitted within one month after the initial notification or first report. This final report must include:
    • A detailed description of the incident.
    • The severity and consequences.
    • The type of threat or cause likely to have led to the incident.
    • All applied and ongoing mitigation measures.

Additionally, under the NIS2 Directive, entities must report any major cyber threat they identify that could result in a significant incident. A threat is considered significant if:

  • It causes material operational disruption or financial losses for the entity concerned.
  • It affects, or may affect, natural or legal persons by causing significant material or immaterial damage.

Non-compliance Penalties

Failure to comply with the NIS2 Directive comes with stricter penalties than NIS. Under the NIS2 Directive, penalties for non-compliance differ for essential entities and important entities.

  1. Non-monetary penalties

    NIS2 gives national supervisory authorities the power to levy:
    - Compliance orders
    - Binding instructions
    - Security audits
    - Threat notification orders

  2. Administrative fines

    - For essential entities, administrative fines can be up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.

    - For important entities, administrative fines can be up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.

  3. Criminal sanctions on management bodies

    Rather than put all the pressure of NIS2 compliance on IT departments, the Directive includes new sanctions to hold top management bodies personally liable for gross negligence in the event of a cybersecurity incident. For example, a competent authority can temporarily ban executives from holding management positions. It can also order organizations to disclose compliance violations and make a public statement identifying the person(s) responsible for the incident.

The Deadline

The NIS2 Directive came into effect in January 2023. EU Member States have until October 17, 2024, to incorporate its provisions into their national laws and establish criteria for categorizing entities.

After publishing the categorization criteria, member states must create a list of all entities covered by the directive and notify them promptly. Upon receiving categorization notification, essential or important entities must implement all requirements within the timeframe specified in national laws.


NIS2 vs. Other Regulations

Alongside NIS2, EU operators will have to contend with numerous other regulations, including:

  1. The Digital Operational Resilience Act (DORA)
  2. The Critical Entities Resilience (CER) Directive
  3. The Cyber Resilience Act (CRA)

NIS2 vs DORA: Both are cybersecurity regulations, but DORA is specifically focused on the financial sector, whereas NIS2 covers a broader range of organizations. For financial entities, DORA's provisions related to ICT risk management and reporting, digital operational resilience testing, information sharing, and third-party risk shall apply instead of those outlined in NIS2.

NIS2 vs. the CER Directive: The CER Directive applies to critical entities, guiding their defenses against non-cyber-related risks. While NIS2 focuses on cybersecurity, there may be overlaps in terms of the entities covered. In such cases, organizations will need to ensure compliance with both directives, addressing both cyber and physical resilience.

NIS2 vs. CRA: The Cyber Resilience Act focuses on the cybersecurity of hardware and software products with digital elements. Where NIS2 focuses on enhancing the security posture of companies themselves, the CRA requires companies to prioritize the security of the products they manufacture or sell. Generally, the CRA complements NIS2 but doesn't necessarily overlap or supersede it.


How can Alfatec help?

Alfatec Group boasts a long-standing presence in the industry. Our enduring collaborations with numerous vendors span several decades, highlighting our commitment and expertise. Among our most valued partnerships are those with Thales and Entrust, relationships that consistently deliver exceptional value to our diverse clientele.
As awarded distributors for the SEE region, we offer a comprehensive suite of services:

  1. Expert consultation and support to guide you in selecting optimal solutions tailored to your specific business requirements and compliance needs.
  2. Robust technical support to ensure smooth implementation and operation of your chosen solutions.
  3. Access to advanced training opportunities through our extensive partner network, enabling your team to maximize the potential of implemented technologies.

These partnerships empower us to provide cutting-edge solutions and unparalleled support, reinforcing our position as a trusted partner.

Contact us at azur.saciragic(at)alfatec.ai or dario.selimagic(at)alfatec.ai 


ENTRUST

"At Entrust, we take the pain out of cybersecurity and data protection." Their portfolio covers the compliance solutions you need, including:

  • Entrust KeyControl

Entrust KeyControl provides precise control over your cryptographic keys and secrets, offering complete visibility, traceability, and an immutable audit trail.

  • Hardware Security Modules (HSMs)

Entrust's nShield HSMs provide a secure environment for generating, managing, and protecting cryptographic keys, which are essential for securing sensitive data and ensuring the integrity of digital transactions.

  • Identity and Access Management (IAM)

Entrust provides IAM solutions that enable organizations to ensure only authorized users can access sensitive information, providing a firm foundation for Zero Trust security.


THALES

Thales CipherTrust Manager enables compliance with the NIS2 Directive by covering a wide range of its Article 21 requirements:

  1. 21.2, a: "…policies on risk analysis and information system security…"

    - CipherTrust Data Discovery and Classification

    Identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.

  2. 21.2, d: "…supply chain security, … concerning the relationships between each entity and its direct suppliers or service providers…"

    - CipherTrust Cloud Key Management

    Reduces third-party risk by keeping the keys that protect sensitive data hosted by third-party cloud providers on-premises, under the full control of the financial institution.

    - CipherTrust Transparent Encryption

    Provides a complete separation of roles, where only authorized users and processes can view encrypted data. This keeps third-party cloud provider employees, such as support engineers and DB admins, from seeing the data in the clear.

  3. 21.2, h: "…policies and procedures regarding the use of cryptography and, where appropriate, encryption…"

    - CipherTrust Transparent Encryption

    Delivers data-at-rest encryption for files and folders, and privileged-user access control with granular policies. Protects data wherever it resides: on-premises, across clouds, and in big data and container environments.

    - CipherTrust Tokenization

    Permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate data, without exposing sensitive data during the analysis or in reports.

    - CipherTrust Enterprise Key Management

    Streamlines and strengthens key management in cloud and on-premises environments, for home-grown encryption as well as third-party applications.

  4. 21.2, i: "…access control policies and asset management…" and 21.2, j: "…the use of multi-factor authentication or continuous authentication solutions…"

    - CipherTrust Transparent Encryption

    Provides complete separation of roles, where only authorized users and processes can view encrypted data, through granular access security policies and key management.

    - OneWelcome Identity & Access Management

    Limits the access of internal and external users based on their roles and context, with granular access and authorization policies that help ensure the right user is granted access to the right resource at the right time.
