NIS Directive Compliance – isec

Overview

The Network and Information Security Directive (“NIS Directive”) is the first piece of EU-wide legislation on cybersecurity. It aims to establish a common level of security for network and information systems by addressing the threats posed to those critical systems that play an important role in the proper functioning of society.

The NIS Directive created national capabilities for the Member States through national CSIRTs (e.g., in Romania, Directoratul National de Securitate Cibernetica), supported cooperation and information exchange between Member States, and imposed national supervision of cybersecurity and of the measures to be taken by critical infrastructure operators.

Romania has fully transposed the directive requirements into national Law no. 362/2018.

To respond to the growing threats that come with digitalization and the surge in cyber-attacks, the European Commission has submitted a proposal for a revised NIS Directive, known as NIS2.

The revised Directive may bring significant changes, such as improved cooperation, an expanded set of covered sectors, and stricter supervision and enforcement. The proposed expansion of the scope of NIS2 would help raise the level of cybersecurity in Europe in the longer term by obliging more entities and sectors to take measures.

The proposal for NIS2 is still under negotiation between the co-legislators; however, it may soon be adopted and then transposed in every Member State.

NIS Attestation

The NIS Directive and Law no. 362/2018 apply to:

  • Operators of Essential Services (OES) from 7 sectors of economic activity: Energy, Transport, Banking, Financial markets infrastructures, Health, Drinking water supply and distribution and Digital infrastructures;
  • Digital Service Providers (DSP) from three categories: online markets, online search engines and cloud computing services.

*The regulations do not apply to DSPs that are considered a ‘micro or small enterprise’ (organizations employing fewer than 50 people, whose annual turnover and/or balance sheet total is less than €10 million).

An important change that may be brought by NIS2 in the near future is the extension of its scope to new sectors. In addition to the sectors already covered by the NIS Directive, the NIS2 proposal includes: public administration, food, postal and courier services, manufacturing of certain critical products (e.g. pharmaceuticals, chemicals, medical devices), space, waste water and waste management, digital services (e.g. social networking platforms and data center services) and providers of electronic communications network services.

Entities active in the sectors covered by the NIS2 proposal should keep a close eye on updates to this proposal and start taking steps to ensure their readiness to comply with the law.

Failure by registered OES/DSP companies to apply the rules may result in fines ranging from 3,000 RON to 5% of turnover.

OES and DSPs must:

  • Secure their network and information systems by taking technical and organizational measures appropriate to the risk;
  • Ensure service continuity by taking appropriate measures to prevent and minimize the impact of any incidents;
  • Notify the regulator of any security incident that has a significant impact.

The best approach to achieving compliance is to implement a cyber resilience program that combines robust cybersecurity defenses with appropriate tools and systems for managing incident reporting efficiently.

Cyber incident response management, business continuity management and penetration testing help organizations to achieve a higher level of cyber resilience and facilitate compliance with the NIS Regulations. Also, international standards such as ISO 27001 and ISO 27035 serve as ideal frameworks for achieving NIS Regulations compliance.

We can offer a variety of services related to NIS compliance:

  • Audit services to assess the level of compliance of the companies with the European NIS Directive (Law no. 362/2018) on ensuring a high common level of security of IT networks and systems, and services for testing and evaluating the security of IT networks and systems.
  • Network and systems penetration testing as required by the NIS regulation;
  • Consultancy on the implementation of the cyber security requirements;
  • Custom training for your teams and executive expertise to brief your board;
  • Appropriate tools for developing suitable risk mitigation programs.

isec's professionals' technical expertise and rich background in securing information systems will ensure the delivery of complete solutions for NIS compliance and support your organization through this process from start to finish.

We work with organizations in all industries, delivering practical guidance and working according to your budget and business needs.

isec is certified by DNSC to perform cyber security audits and penetration tests for the compliance with Law no. 362/2018 through the CLE certificate no. 17049 from 28.10.2021.

  • Regulatory compliance assessment against the principles of the NIS Directive;
  • Audit Report delivered by certified NIS auditors, accredited by DNSC;
  • Consulting services that will help your organization to respond efficiently to the requirements of the NIS Directive;
  • Detection of cyber threats and vulnerabilities;
  • Protection against all types of security threats;