How (not) to start with NIS2 - cetin.cz
How (not) to start with NIS2
Increasingly, headlines such as "Scare and invoice" are appearing on the internet. Still, the validity of the Directive does not mean that those covered by it must immediately start complying with all its obligations. The mandatory harmonisation deadline of October 2024 is likely to be noticed and there is talk of early 2025.
However, it is understandable that the concept of NIS2 is a "sexy" business bogeyman given the current situation. On the other hand, it is necessary to be truly honest and say that those who start from scratch or are at the beginning with information and cyber security can expect impacts on the technical and operational processes of the organization and thus expose themselves to problems with meeting the future legislative requirements of the amended law on cyber security, given that NIS2 will impact 6,000 to 10,000 entities, and this is only an estimate by the National Cyber Security Authority (NCSA), i.e. where the Authority can oversee.
The draft amended law on cyber security provides for only a one-year time limit for the implementation of non-trivial security measures.
The amendment to the Cyber Security Act will result in an oversupply of demand over supply of cybersecurity services and thus a shortage of all available expert and knowledgeable resources on the market.
It is necessary to approach the "NIS2 problem" not in the sense of "we have to do something again", but in the sense of "by introducing cyber security I am protecting my business, my ability to provide services, and especially my ability to make a profit", that is what it is all about, i.e. the well-known rule “Who is prepared is not surprised" applies.
But you don't have to be afraid of NIS2, we'll spare you the fear or worry, and in the following article, we'll advise you on which obligations are the most important and how to start addressing them in advance.
How NOT to start!
In case you are unsure and choose external help and need advice, be very cautious and always choose only a strong and trustworthy partner who you can rely on and who you can guarantee will still be there after the "scare and invoice" period is over.
How to do it?
- Obligation to self-identify
The basic step before embarking on anything is to first of all find out whether the obligations set out in the law apply to you at all, or to what extent.
As the Cyber Security Amendment Law is not yet in force, you will not be 100% certain that the law applies to you as the definitions of obliged entities may be refined.
Do you know how big your company is? The size of the company (medium or large) is one of the mandatory criteria due to the impact of the obligations, other criteria include the number of employees or turnover, and last but not least it is the type and area of services you provide.
Verify whether you fall under NIS2. Use a simple questionnaire to find out where you stand. It won't take you five minutes to complete!
If you find out if you fall under NIS2, you can get on with preparing for NIS2 implementation, BUT be aware that the specific shape of the legal obligations may change.
- Crucial is the scope
Within one year you are obliged to define the regulated services you provide, by law these are primary assets, and what is used for their operation, i.e. suppliers, facilities, technology, software, etc.
Failure to define the regulated services you provide results in the entire business being considered a regulated service and this can be inefficient in the early stages and thus become significantly more expensive.
A well-defined scope has the added value of ensuring that you are purposefully planning and investing resources to implement all technical and security measures.
- Revise resources
Before any activity, it is always a good idea to review the current situation and the resources needed for subsequent implementation, in the context of the amendment of the law, i.e. human, financial, technical, and possibly other resources.
Whether by self-identification you fall under the regime of lower or higher responsibilities, you will always need to clearly identify the responsible persons. So you need to identify who is responsible for the individual assets, most commonly hardware and software, i.e. specifically applications, information systems or servers, etc.
If you fall into a higher duty mode, you will have to provide many more staff roles. Specifically, this will include the obligation to appoint a cyber security manager, a cyber security architect, a cyber security auditor, and the aforementioned responsible persons for assets, i.e. asset guarantors. In addition, these persons must meet the legal requirements in terms of education, professional competence, and demonstrable experience in the field of cyber security.
Unfortunately, the situation in the labor market with cyber security experts is not optimal, and the situation will not be any better with the advent of the amended law. By simple math, namely multiplying the number of mandatory entities, according to the NCIB it is 6 to 10 000 entities, and the above mandatory roles, you will arrive at the number of persons (experts) who are not currently on the labor market and will not be available in such required numbers in the coming years.
- For your own sake, analyze the current situation so that you know where to direct your funds. Prepare for cybersecurity costs to be higher in the coming years.
Find out what your current state of readiness is for the obligations imposed by NIS2.
If you come under the regulated regime and analyse your current state of preparedness, you will know where and in what area to invest your funds in a meaningful way.
Once the final law is known, it will be time for a Cyber Security Audit. With a Security Audit, you will identify any technical or organisational gaps and thus the clear costs that the introduction of NIS2 will bring to your company in terms of changing your security strategy, setting new security objectives, adequate professional capacity, purchasing hardware, software or other operational assets to ensure compliance with the new obligations.
A cyber security audit provides an assessment of the current state of IT security and serves as a strategic document for subsequent NIS2 compliance.
What can you expect after the law comes into force?
After the law takes effect, several steps await you. The current form of the law sets out the following obligations:
Performing self-identification, i.e. fulfilling the criteria for identifying a regulated service.
Within 30 days of the law coming into force, you must register on the NÚKIB portal.
Within 30 days of notification of registration, you must report the contact details of responsible persons.
You will have 1 year from the date of registration to identify technical or operational security deficiencies and to take technical and organisational security measures yourself, including remediation within the organisation and thus to meet compliance with the NIS2 or future nZKB Act.
You will be required to report cyber security incidents no later than 1 year after enrolment.
Read the article on how CETIN will help companies with their cyber security and preparation for NIS2, and at the same time you can listen to a podcast with Luboš Řádek about cyber security and CETIN X.
Checklist of key NIS2 obligations
The main NIS2 obligations that each company or public institution must perform in the first step are the requirements represented in the following checklist containing the main obligations to be performed.
- Self-identification
Registration with the NICIB
Reporting contact and other data
Determining the scope of cyber security management
Implementing security measures
Cyber security incident reporting
Informing customers about incidents and threats
Implementing countermeasures issued by the NCIB
Implementation of supply chain security mechanism for selected strategically important services
Ensuring availability from the CR for selected strategically important services