NIS2: The most comprehensive European directive on cybersecurity is now before the Slovak Parliament

4.11.2024 | Autor: Top privacy s.r.o.

On Friday, October 4, 2024, a government bill amending Act No. 69/2018 Coll. on cybersecurity was submitted to the National Council of the Slovak Republic. This amendment implements the NIS2 Directive, which is considered the most comprehensive European legislative framework in the field of cybersecurity. The NIS2 Directive brings fundamental changes to the approach to digital infrastructure protection and sets new standards for cyber risk management.


The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union), the revision of the original 2016 Network and Information Systems Security Directive (NIS1), represents the European Union's comprehensive approach to strengthening cyber resilience. Its main objective is to improve the ability of Member States to prevent cyber threats, manage risks, and respond effectively to incidents. The directive aims to:

  • Harmonize cybersecurity requirements: Remove differences between member states and create a single set of minimum rules for all EU countries. This will ensure a consistent approach to protecting critical infrastructure and digital services.
  • Improve risk management: Organizations will be required to implement systematic procedures to identify, assess, and manage cyber risks. This includes regular security audits, vulnerability testing, and updating security protocols.
  • Strengthen reporting obligations: Introducing clear rules for reporting cyber incidents will enable rapid response and coordination between organizations and public authorities. This is key to minimizing the impact of incidents on society and the economy.
  • Promote effective cooperation: Creating mechanisms for information exchange and coordination of responses between Member States will strengthen the EU's ability to address cyber threats at a transnational level.
  • Update the list of sectors and activities: The Directive extends its scope to new sectors that are key to the functioning of modern society and the economy.

Extension of scope to new sectors

One of the most significant changes introduced by NIS2 is the substantial extension of the range of organizations subject to cybersecurity obligations. The original NIS1 already covered key sectors such as energy, transport, banking and financial market infrastructures, healthcare, drinking water, and digital infrastructure. NIS2 retains these and adds further sectors, including:

  • Banking and financial markets: Already covered under NIS1 and retained in NIS2. Given the digitization of financial services and the increased risk of cyber attacks on financial institutions, their continued inclusion is key to protecting economic stability.
  • Public administration: State institutions process large amounts of sensitive data and provide key services to citizens. Their protection is essential to maintain public trust and continuity of services.
  • Postal and courier services: With the growth of e-commerce and logistics, these services are becoming targets for cyber attacks that can disrupt supply chains.
  • Waste management: The digitization of waste management processes brings new risks that need to be managed effectively.
  • Food and medical device manufacturing: These sectors are critical to public health and food safety. Cyber attacks can have serious consequences for the entire population.

The extension of the scope of the Directive means that more organizations will have to adapt their practices and invest in cybersecurity. This measure increases the overall resilience of society to cyber threats. EU Member States had 21 months from the Directive's entry into force, i.e. until 17 October 2024, to transpose it into their national legislation; the Slovak bill now before Parliament therefore arrives after that deadline.

Impact on the Slovak Republic

The implementation of the NIS2 Directive will have a significant impact on the Slovak Republic. According to the National Security Authority (NBÚ), the country already has above-standard legislation in the field of cybersecurity. However, the new directive will extend the scope of the NBÚ and increase the number of obligated entities.

It is expected that the number of obligated entities could increase to almost 10,000. This means that many organizations that have not had to comply with strict cyber standards will now be subject to regulation. For these organizations, this means the need to:

  • Implement security measures: Introduce technical and organizational measures to protect information systems and data.
  • Train employees: Raise awareness of cyber threats and ensure that employees know how to respond to incidents.
  • Cooperate with the NBÚ: Comply with incident reporting obligations and participate in national cybersecurity initiatives.

This poses a challenge for the state in terms of coordination, support for organizations, and ensuring sufficient capacity for oversight and incident response.

Relationship between the GDPR and NIS2

The NIS2 Directive contains provisions relating to the protection of personal data, and it is therefore important to understand its relationship with the GDPR (General Data Protection Regulation). The two regimes run in parallel: a significant incident must be reported under NIS2, and if the same incident also results in a personal data breach, the organization must additionally notify the data protection supervisory authority in accordance with the GDPR.

If a fine is imposed under the GDPR for such a breach, Article 35 of NIS2 prevents the competent authorities from imposing a further administrative fine under NIS2 for the same conduct. However, this does not mean that the organization will avoid all consequences. The authorities may still take other enforcement measures under NIS2, such as:

  • Order corrective measures: The organization must remedy the deficiencies in its security measures.
  • Provide guidance: Authorities may provide recommendations to improve security.
  • Monitor compliance: Increased supervision of the organization to ensure compliance with requirements.

This synergy between the GDPR and NIS2 highlights the importance of a comprehensive approach to data protection and cybersecurity.

Benefits of NIS2 for companies

The implementation of the NIS2 Directive brings a number of benefits for companies that go beyond mere compliance with the law:

  • Enhanced data security: Better protection of sensitive information protects the company from data loss, information leaks, and subsequent damage.
  • Regulatory compliance: Compliance with legal requirements helps prevent fines and penalties, which can have a significant financial impact.
  • Improved reputation: Companies that invest in cybersecurity are perceived as more trustworthy, which can attract new customers and business partners.
  • Resilience to threats: Preparedness for cyber attacks reduces the risk of operational disruption and enables faster recovery after an incident.
  • Prevention of financial losses: Minimizing security incidents reduces the costs associated with incident response, legal disputes, and system recovery.
  • Government support: Access to national resources, information, and experts can be crucial in addressing complex cyber threats.

These benefits support the long-term sustainability and competitiveness of companies in the market.

Strengthening cyber protection in the EU through NIS2

The NIS2 Directive is a strategic step by the European Union towards strengthening cyber resilience at both national and transnational levels. At a time when cyber attacks are becoming increasingly sophisticated and frequent, a coordinated approach to addressing them is essential.

One of the main tools for achieving this goal is the establishment of the European cyber crisis liaison organisation network (EU-CyCLONe), which supports the coordinated management of large-scale cybersecurity incidents and crises. This network:

  • Promotes cooperation between Member States: Enables the rapid exchange of information on threats and incidents.
  • Coordinates responses to cross-border incidents: Ensures a unified and effective response to attacks affecting several countries.
  • Improves preparedness: Organizes joint exercises and training to enhance cyber crisis response capabilities.

In addition, NIS2 supports the development of national cybersecurity strategies and strengthens the role of National CSIRTs (Computer Security Incident Response Teams), which are key to responding to incidents at the national level.

Challenges in implementing NIS2

The implementation of NIS2 also brings several challenges:

  • Financial costs: Organizations will need to invest in new technologies, infrastructure, and training, which can be costly, especially for smaller businesses.
  • Human resources: A shortage of qualified cybersecurity professionals may complicate the implementation of new requirements.
  • Complexity of regulations: Navigating the new legislation can be challenging, increasing the need for legal and technical advice.
  • Coordination between entities: Increased cooperation between different organizations and government agencies requires effective communication and clear processes.

Despite these challenges, it is important that organizations take a proactive approach to implementing NIS2 and make use of available resources and support.

Conclusion

In the era of digital transformation, cybersecurity is an integral part of the functioning of modern societies and economies. The NIS2 Directive represents a significant step in strengthening the cyber resilience of the European Union. Its implementation will help ensure that organizations are better protected against cyber threats, increase trust in digital services, and strengthen the overall security of society.

For the Slovak Republic, this means not only adapting to new requirements, but also an opportunity to become a leader in the field of cybersecurity. Companies that invest in security will be better prepared to face the challenges of the digital age and gain a competitive advantage in the global market.

Ultimately, the success of NIS2 implementation depends on cooperation between the state, organizations, and the professional public. Through joint efforts, we can create a safer and more resilient digital space for everyone.


Top privacy s.r.o.