{"id":23793,"date":"2022-12-20T08:53:16","date_gmt":"2022-12-20T07:53:16","guid":{"rendered":"https:\/\/stage-fp.webenv.pl\/blog\/?p=23793"},"modified":"2025-01-30T16:51:23","modified_gmt":"2025-01-30T15:51:23","slug":"cybersecurity-in-the-eu-tighter-regulations-are-coming-are-you-ready","status":"publish","type":"post","link":"https:\/\/www.future-processing.com\/blog\/cybersecurity-in-the-eu-tighter-regulations-are-coming-are-you-ready\/","title":{"rendered":"Cybersecurity in the EU: tighter regulations are coming &#8211; are you ready?"},"content":{"rendered":"\n<p>The directive called <strong><a href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2022\/11\/28\/eu-decides-to-strengthen-cybersecurity-and-resilience-across-the-union-council-adopts-new-legislation\/\" target=\"_blank\" rel=\"noreferrer noopener\">NIS2<\/a> \u2014 the Network and Information Security Directive 2<\/strong> has to be transposed into the national law for each member state, which should happen <strong>by September 2024<\/strong>. 
The NIS2 will replace, as well as strengthen, the current <a href=\"https:\/\/www.enisa.europa.eu\/topics\/cybersecurity-policy\/nis-directive-new\" target=\"_blank\" rel=\"noreferrer noopener\">NIS Directive<\/a> (adopted in 2016), which places a number of cybersecurity requirements on:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>operators of essential services<\/strong> (critical to the national infrastructure, economy, and society)\u00a0\u00a0<\/li>\n\n\n\n<li><strong>relevant digital service providers<\/strong> (such as cloud computer services, online search engines, and online marketplaces) across the EU.\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why is the existing law going to be replaced?<\/h2>\n\n\n\n<p>First and foremost, this is because the EU wants to actually enforce the requirements, and not just have them listed on paper as a set of options that you can choose to (or choose<em> not <\/em>to) follow. <strong>That\u2019s why the new law also includes penalties for those that do not obey the rules.<\/strong> <\/p>\n\n\n\n<p>Another reason to replace the existing law is due to <strong>significant differences in the perception of \u201cessential\u201d or \u201crelevant\u201d services across EU member states<\/strong>. As a result, there are organisations that don\u2019t need to comply with the NIS regulations in some countries, while they must adhere to them in others. This fragmentation has pushed the European Commission to fully clarify the matter.\u00a0That\u2019s how this can be explained in the most general sense. 
Now, let\u2019s get into the details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s all the fuss about \u2014 3 essential questions<\/h2>\n\n\n\n<p><strong><span class=\"has-inline-color has-luminous-vivid-amber-color\">QUESTION 1:<\/span> What are the new NIS2 obligations?<\/strong><\/p>\n\n\n\n<p>The NIS2 is mostly about risk management and reporting obligations.<\/p>\n\n\n\n<p><strong>Risk management<\/strong> measures include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>back-up management and data recovery,<\/li>\n\n\n\n<li>incident handling,<\/li>\n\n\n\n<li>risk analysis,<\/li>\n\n\n\n<li>human resources, supply chain and system security,<\/li>\n\n\n\n<li>encryption,<\/li>\n\n\n\n<li>cybersecurity training, etc.<\/li>\n<\/ul>\n\n\n\n<p><strong>Reporting obligations<\/strong> include faster incident reporting timelines:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a warning must be given <strong>within 24 hours after noticing a \u201csignificant\u201d incident<\/strong> (the European Commission will define what is considered to be a significant incident later on),<\/li>\n\n\n\n<li>full notification must be provided with a preliminary assessment <strong>within 72 hours after the incident<\/strong>,<\/li>\n\n\n\n<li>a detailed final report must be given <strong>within 30 days after the incident<\/strong>, including a description of its impact, both on a national and an international level.<\/li>\n<\/ul>\n\n\n\n<p>For reference, the present NIS Directive states only vaguely that the notification of a threat should be given <strong>\u201cwithout undue delay\u201d<\/strong>.<\/p>\n\n\n\n<p>Also, the NIS2 aims to <strong>improve collaboration in terms of managing serious incidents that occur within the EU<\/strong>. 
To support these efforts and help with information sharing, they\u2019ve established the <a href=\"https:\/\/www.enisa.europa.eu\/topics\/incident-response\/cyclone\" target=\"_blank\" rel=\"noreferrer noopener\">EU CyCLONe<\/a> (The European Cyber Crisis Liaison Organization Network). <\/p>\n\n\n\n<p><strong><span class=\"has-inline-color has-luminous-vivid-amber-color\">QUESTION 2:<\/span> What sectors will be affected?<\/strong><\/p>\n\n\n\n<p>There are many more sectors that fall under the scope of the NIS2, as compared to the NIS. <\/p>\n\n\n\n<p>The broader list not only includes <strong>healthcare, water supply, energy, and communication infrastructure<\/strong>, but also <strong>data centres, postal services, food production, the space sector, chemical manufacturing<\/strong>, and more. Public central and local administrative entities will be affected as well (excluding parliaments and central banks).<\/p>\n\n\n\n<p>However, there is a size and revenue threshold for organisations operating within the above-mentioned industries \u2014 they will <strong>automatically fall under the NIS2<\/strong> if they have <strong>at least 250 employees <\/strong>and their <strong>annual turnover reaches more than 50 million euros<\/strong> (or their annual balance sheet is <strong>more than 43 million euros<\/strong>). <\/p>\n\n\n\n<p>Each EU member state can also add some smaller organisations to the national list, if they consider them to be critical to the country, e.g., educational institutions.<\/p>\n\n\n\n<p><strong><span class=\"has-inline-color has-luminous-vivid-amber-color\">QUESTION 3:<\/span> What penalties does the NIS2 Directive impose? <\/strong><\/p>\n\n\n\n<p>In terms of penalties, the NIS2 Directive is quite similar to the <a href=\"https:\/\/gdpr-info.eu\/\" target=\"_blank\" rel=\"noreferrer noopener\">GDPR<\/a> and is just as serious. 
There will be no place for pretending; if a company doesn\u2019t comply with the new regulations, it will have to pay \u2014 and pay a lot. Each member state will have to set <strong>\u201ceffective, proportionate, and dissuasive <a href=\"https:\/\/www.mayerbrown.com\/en\/perspectives-events\/publications\/2022\/10\/nis2-directive-new-cybersecurity-rules-expected-in-the-eu\" target=\"_blank\" rel=\"noreferrer noopener\">penalties<\/a>\u201d<\/strong> for breaches of the NIS2. <\/p>\n\n\n\n<p>In addition, member states will be able to implement administrative fines of <strong>up to 10 million euros<\/strong> or <strong>2% of the total worldwide turnover <\/strong>of an entity, whichever is higher. This will pertain to breaches of the reporting obligation as well as risk management measures.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to prepare?<\/h2>\n\n\n\n<p>As I\u2019ve already mentioned, the governments of the EU member states <strong>each have 21 months to adopt the new law<\/strong> and formally introduce it within their national legislations \u2014 and by then, companies that this applies to should be as well-prepared for it as possible.<\/p>\n\n\n\n<p>Even the UK, which formally doesn\u2019t have to obey the new law, has expressed a <a href=\"https:\/\/www.gov.uk\/government\/consultations\/proposal-for-legislation-to-improve-the-uks-cyber-resilience\/proposal-for-legislation-to-improve-the-uks-cyber-resilience\" target=\"_blank\" rel=\"noreferrer noopener\">desire to follow the EU<\/a> in launching their reform since cybersecurity is one of the most critical issues for the country these days. <\/p>\n\n\n\n<p>This is especially important to companies that either fully or partially operate in the UK, so that they can begin to take the appropriate steps well in advance.<\/p>\n\n\n\n<p><strong>But what steps are we talking about, exactly? 
<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Step #1: <\/strong>Stay informed. Read the <a href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2022\/11\/28\/eu-decides-to-strengthen-cybersecurity-and-resilience-across-the-union-council-adopts-new-legislation\/\" target=\"_blank\" rel=\"noreferrer noopener\">official announcement<\/a> and don\u2019t panic \u2014 you have plenty of time to prepare, just don\u2019t put things off until the last minute.\u00a0\u00a0<br><br><\/li>\n\n\n\n<li><strong>Step #2: <\/strong>Choose the right cybersecurity partner who will be able to guide you through the process when the time comes, and also help you introduce necessary innovations to your organisation. You can start talking to your short list of IT companies right now, in order to familiarise yourself with everything that they have to offer.\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n<p>At Future Processing, <strong>we will be helping our existing customers with all of this<\/strong> \u2014 and we will be happy to help any other organisations that reach out for assistance as well. 
We are at your disposal and more than willing to answer any cybersecurity-related questions that you may have.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The European Council and European Parliament have recently reached an agreement regarding the minimum cybersecurity standards that will be coming into effect by the end of the year. \u00a0<\/p>\n","protected":false},"author":182,"featured_media":9537,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2110],"tags":[],"coauthors":[2010],"class_list":["post-23793","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"acf":{"reading-time":"5 
min","show-toc-sublists":false,"image":null,"logo":null,"button1":{"button1_type":"","button":null},"button2":{"button2_type":"","button":null},"person":{"person_photo":null,"person_name":"","person_position":""}},"_links":{"self":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/posts\/23793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/users\/182"}],"replies":[{"embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/comments?post=23793"}],"version-history":[{"count":0,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/posts\/23793\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/media\/9537"}],"wp:attachment":[{"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/media?parent=23793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/categories?post=23793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/tags?post=23793"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.future-processing.com\/blog\/wp-json\/wp\/v2\/coauthors?post=23793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}