The new European Union Directive should be implemented within 2025
More than 2,000 public and private sector entities will be required by 2025 to comply with the regulations brought by the implementation of NIS 2, the European Union’s latest cybersecurity directive.
Otherwise, as the head of the National Cybersecurity Authority (NCA), Michalis Bletsas, pointed out in an informal briefing yesterday, sanctions can be imposed, such as administrative fines on private sector entities, administrative fines on public administration bodies, temporary suspension of certification covering part or all of the relevant services, and a temporary ban on any natural person responsible for exercising managerial duties.
As he explained, the new directive, which Greece is transposing into national law, introduces an obligation to report cybersecurity incidents. Businesses and agencies must make the first report within 24 hours of detecting an incident, and responsibility for digital security now moves to the highest levels of the organization. “Until now, the responsibility rested with the security managers of the information systems. Now, this responsibility is transferred to the management of a company”, explained officials of the National Cybersecurity Authority in an informal information meeting. “Cybersecurity is a team sport and requires the cooperation of all stakeholders. The planning includes cooperation with GRETHA and the EYP for the creation of a national incident response team, which is expected to be ready in 2025”, stressed Bletsas.
It should be mentioned that the relevant bill is currently in public consultation and is expected to be passed by the end of the year, although it will take some time before the specifications for companies' cybersecurity systems are decided; these will be determined according to the particularities of the sectors covered by the directive.
The new directive
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, known as the NIS 2 Directive (Network and Information Security Directive), is the revised version of the original NIS Directive, which was enacted in 2016 with the aim of strengthening cybersecurity in the European Union. NIS 2, adopted in 2022, aims to protect critical networks and IT systems against cyber threats and to ensure a coherent approach to cybersecurity across the EU.
Which organizations does it concern?
The list of organizations, agencies and businesses that are required to comply is quite long since, as was pointed out, it includes all those whose disruption would cause problems for society.
In particular, the list includes all companies that employ between 50 and 250 people and have a turnover of between 10 and 250 million euros, as well as larger companies, active in sectors such as:
• Public Administration
• ICT Service Management (Information and Communication Technologies)
• Space
• Sewage
• Postal services
• Waste management
• Food
• Chemical products (preparation, production, distribution)
• Construction sector
Basic obligations
Regarding obligations, public sector organizations and private sector companies will have:
1. Obligations to take cyber security measures
Public sector organizations and private sector enterprises take detailed risk management measures based on a holistic approach to risk and aim to protect network and information systems and the physical environment of these systems from incidents.
2. Obligations to report cybersecurity incidents to the EAK (the National Cybersecurity Authority)
Agencies must report cybersecurity incidents to the EAK, ensuring timely communication and response to threats.
It should be noted that these incidents will be made public.
What are the penalties for non-compliance?
An effective and dissuasive sanctioning mechanism is established, which ensures the implementation of the relevant regulations. The sanctions are effective and fully respect the principle of proportionality. Mr. Bletsas said that the EAK will focus on the reporting of cybersecurity incidents, since only in this way can a complete picture of the cyber attacks occurring in Greece be formed and measures taken to address them. Failure to report may result in penalties in the form of fines provided for in the bill, which can reach €10 million or 2% of a company’s global turnover.
As was highlighted, the legislation will strengthen control mechanisms and ensure that organizations comply with security standards, reducing the risk of cyber attacks and safeguarding the rights of citizens and the security of businesses.
The measures to be taken by agencies and businesses
Indicatively, these include:
a. Policies and procedures for risk analysis and information systems security
b. Incident management
c. Business continuity, such as backup and disaster recovery management, as well as cyber incident management
d. Supply chain security to adequately manage the risks arising from the relationships between each entity and its direct suppliers or service providers
e. Security in the acquisition, development and maintenance of network and information systems, including the handling and disclosure of vulnerabilities
f. Policies and procedures for evaluating the effectiveness of cybersecurity risk management measures.