What does the new regulation under consultation provide for?


More than 2,000 public and private sector entities will be required by 2025 to comply with the regulations brought by the implementation of NIS 2, the most recent directive of the European Union on cyber security.

Otherwise, as the commander of the National Cyber Security Authority (NCA), Michalis Bletsas, pointed out yesterday in an informal briefing, sanctions can be imposed: administrative fines on private sector entities, administrative fines on public administration bodies as well, temporary suspension of certification covering part or all of the relevant services, and a temporary ban on any natural person responsible for exercising managerial duties.

As he explained, the new directive, which Greece is incorporating into its national law, introduces an obligation to report cyber security incidents. The first report must be made by businesses and agencies within 24 hours of detecting the incident, and the responsibility for digital security is now transferred to the highest levels of the organisation.

“Until now, the responsibility rested with the security managers of the information systems. Now, this responsibility is transferred to the management of a company”, officials of the National Cyber Security Authority explained in an informal information meeting. “Cybersecurity is a team sport and requires the cooperation of all stakeholders. The planning includes the cooperation with the GRETHA and the EYP for the creation of a national incident response team, which is expected to be ready in 2025”, stressed Bletsas.

The relevant bill is in the public consultation phase and is expected to be passed by the end of the year. It will, however, take some time until the decisions on the specifications for companies' cyber security systems are finalised, since these will be determined according to the particularities of each sector covered by the directive.

What does the new directive provide?

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, known as the NIS 2 Directive (Network and Information Security Directive), is the revised version of the original NIS Directive, which was enacted in 2016 with the aim of strengthening cybersecurity in the European Union. NIS 2, adopted in 2022, concerns the protection of critical networks and IT systems against cyber threats and ensures a coherent approach to cybersecurity across the EU.

Which organizations does it concern?

The list of organizations, agencies and businesses that are required to comply is quite long since, as was pointed out, it includes all those whose shutdown would create a problem for society.

In particular, the list includes all companies that employ between 50 and 250 employees and have a turnover of between 10 and 250 million euros, as well as large companies, active in sectors such as:

  • Public Administration
  • ICT Service Management (Information and Communications Technologies)
  • Space
  • Wastewater
  • Postal services
  • Waste management
  • Food
  • Chemical products (manufacture, production, distribution)
  • Construction sector

Basic obligations

Regarding obligations, public sector organizations and private sector companies will have the following:

1. Obligations to take cyber security measures

Public sector organizations and private sector enterprises must take detailed risk management measures, based on a holistic approach to risk, that aim to protect network and information systems and the physical environment of these systems from incidents.

2. Obligations to report cyber security incidents to EAK

Agencies must report cyber security incidents to EAK, ensuring timely communication and response to threats.

It should be noted that these incidents will be made public.

What are the penalties for non-compliance?

An effective and dissuasive sanctioning mechanism is established to ensure the implementation of the relevant regulations. The sanctions are effective and fully respect the principle of proportionality. Mr. Bletsas said that the point on which the EAK will focus will be the reporting of cyber security incidents, as only in this way can there be a complete picture of the cyber attacks occurring in Greece and can measures be taken to deal with them. Failure to report can result in the fines provided for in the bill, which can reach €10 million or 2% of a company’s global turnover.

As highlighted, the legislation will strengthen control mechanisms and ensure that organizations comply with security standards, reducing the risk of cyber-attacks and safeguarding the rights of citizens and the security of businesses.

What measures should institutions and businesses take?

Indicatively:

a. Policies and procedures for risk analysis and information systems security

b. Incident management

c. Business continuity, such as backup and disaster recovery management, as well as cyber incident management

d. Supply chain security to adequately manage the risks arising from the relationships between each entity and its direct suppliers or service providers

e. Security in the acquisition, development and maintenance of network and information systems, including the handling and disclosure of vulnerabilities

f. Policies and procedures for evaluating the effectiveness of cybersecurity risk management measures
