On Friday, October 4, 2024, a government bill amending Act No. 69/2018 Coll. on Cybersecurity was submitted to the National Council of the Slovak Republic. This amendment implements the NIS2 Directive, which is considered the most comprehensive European legislative framework in the field of cybersecurity. The NIS2 Directive introduces fundamental changes in the approach to protecting digital infrastructure and sets new standards for managing cyber risks.
The NIS2 Directive, officially Directive (EU) 2022/2555, is the successor to the original 2016 NIS Directive and represents the European Union’s comprehensive approach to strengthening cyber resilience. Its main objective is to improve Member States’ ability to prevent cyber threats, manage risks, and respond effectively to incidents. The directive aims to:
- Harmonize cybersecurity requirements: Eliminate differences between member states and establish a uniform set of minimum rules for all EU countries. This will ensure a consistent approach to protecting critical infrastructure and digital services.
- Improve risk management: Organizations will be required to implement systematic procedures for identifying, assessing, and managing cyber risks. This includes regular security audits, vulnerability testing, and updating security protocols.
- Strengthen reporting obligations: Clear rules for reporting significant incidents (under NIS2 an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month) enable rapid response and coordination between organizations and government agencies. This is key to minimizing the impact of incidents on society and the economy.
- Promote effective cooperation: Establishing mechanisms for information sharing and coordinating responses among Member States will strengthen the EU’s ability to address cyber threats at the transnational level.
- Update the list of sectors and activities: The Directive extends its scope to new sectors that are key to the functioning of modern society and the economy.
Extending the scope to new sectors
One of the most significant changes introduced by NIS2 is a substantial expansion of the range of organizations subject to cybersecurity obligations. The original NIS Directive (Directive (EU) 2016/1148, often called NIS1) covered operators of essential services in energy, transport, banking and financial market infrastructures, healthcare, drinking water supply, and digital infrastructure, plus a set of digital service providers. NIS2 keeps these sectors and adds new ones. Its list now includes, among others:
- Banking and financial markets: These were already within the scope of NIS1 and remain among NIS2’s sectors of high criticality. Given the digitization of financial services and the increased risk of cyberattacks on financial institutions, their continued coverage is crucial for protecting economic stability. Note that for most financial entities the sector-specific DORA regulation (Regulation (EU) 2022/2554) takes precedence over the corresponding NIS2 requirements.
- Public administration: Government institutions process large amounts of sensitive data and provide essential services to citizens. Protecting them is essential for maintaining public trust and service continuity.
- Postal and courier services: With the growth of e-commerce and logistics, these services are becoming targets of cyberattacks that can disrupt supply chains.
- Waste management: The digitization of processes in waste management brings new risks that must be effectively managed.
- Food production, processing and distribution, and manufacturing (including medical devices): These sectors are critical to public health and food safety. Cyberattacks on them can have serious consequences for the entire population.
The expansion of the directive’s scope means that more organizations will have to adapt their procedures and invest in cybersecurity. This measure increases society’s overall resilience to cyber threats. EU Member States had 21 months from the directive’s entry into force on 16 January 2023 to transpose it into national legislation, i.e. until 17 October 2024; the Slovak bill described above was submitted less than two weeks before that deadline.
Impact on the Slovak Republic
The implementation of the NIS2 Directive will have a significant impact on the Slovak Republic. According to the National Security Authority (NBÚ), the country already has relatively advanced cybersecurity legislation. However, the new directive will expand the NBÚ’s scope of authority and increase the number of entities subject to compliance.
It is expected that the number of obligated entities could rise to nearly 10,000. This means that many organizations that previously did not have to comply with strict cybersecurity standards will now be subject to regulations. For these organizations, this entails the need to:
- Implement security measures: Introduce technical and organizational measures to protect information systems and data.
- Train employees: Raise awareness of cyber threats and ensure that employees know how to respond correctly to incidents.
- Cooperate with the National Security Authority: Comply with reporting obligations and participate in national cybersecurity initiatives.
For the state, this presents a challenge in terms of coordination, supporting organizations, and ensuring sufficient capacity for oversight and incident response.
The Relationship Between GDPR and NIS2
The NIS2 Directive contains provisions relating to the protection of personal data, and it is therefore important to understand its relationship with the GDPR (General Data Protection Regulation). When an infringement of NIS2 obligations also results in a personal data breach, the organization must notify the data protection supervisory authority in accordance with the GDPR, in addition to reporting the incident under NIS2 to the CSIRT or competent authority, and the NIS2 authorities are in turn required to inform the data protection authorities.
If the data protection authority imposes an administrative fine under the GDPR for such an infringement, the NIS2 competent authority cannot impose a further administrative fine for the same infringement. However, this does not mean that the organization will avoid all consequences. Authorities may still take other enforcement measures under NIS2, such as:
- Ordering corrective measures: The organization must remedy deficiencies in its security measures.
- Providing guidance: Authorities may issue recommendations to improve security.
- Monitoring compliance: Increased oversight of the organization to ensure compliance with requirements.
This interplay between GDPR and NIS2 underscores the importance of a comprehensive approach that treats data protection and cybersecurity together.
Benefits of NIS2 for Companies
Implementing the NIS2 Directive brings companies numerous benefits that go beyond mere regulatory compliance:
- Enhanced data security: Better protection of sensitive information safeguards the company against data loss, information leaks, and resulting damages.
- Regulatory compliance: Adhering to legal requirements helps prevent fines and penalties, which can have a significant financial impact.
- Improved reputation: Companies that invest in cybersecurity are perceived as more trustworthy, which can attract new customers and business partners.
- Resilience against threats: Preparedness for cyberattacks reduces the risk of operational disruption and enables faster recovery after an incident.
- Prevention of financial losses: Minimizing security incidents leads to a reduction in costs associated with incident response, legal disputes, and system recovery.
- Government support: Access to national resources, information, and experts can be crucial in addressing complex cyber threats.
These benefits support the long-term sustainability and competitiveness of companies in the market.
Strengthening cyber protection in the EU through NIS2
The NIS2 Directive represents a strategic step by the European Union toward strengthening cyber resilience at both the national and transnational levels. At a time when cyberattacks are becoming increasingly sophisticated and frequent, a coordinated approach to addressing them is essential.
One of the main tools for achieving this goal is the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which had operated informally since 2020 and is formally established by NIS2. This network:
- Supports cooperation among Member States: Enables the rapid exchange of information on threats and incidents.
- Coordinates responses to cross-border incidents: Ensures a unified and effective response to attacks affecting multiple countries.
- Improves preparedness: Organizes joint exercises and training to enhance the ability to respond to cyber crises.
In addition, NIS2 requires Member States to adopt national cybersecurity strategies and strengthens the role of national CSIRTs (Computer Security Incident Response Teams), which, together with the EU-level CSIRTs network, are key to handling incidents at the national level.
Challenges in Implementing NIS2
The implementation of NIS2 also presents several challenges:
- Financial Costs: Organizations will need to invest in new technologies, infrastructure, and training, which can be costly, especially for smaller businesses.
- Human Resources: A shortage of qualified cybersecurity professionals can complicate compliance with new requirements.
- Regulatory Complexity: Navigating the new regulations can be challenging, increasing the need for legal and technical advice.
- Coordination Among Entities: Increased collaboration between various organizations and government institutions requires effective communication and clear processes.
Despite these challenges, it is important for organizations to approach the implementation of NIS2 proactively and make use of available resources and support.
Conclusion
In the era of digital transformation, cybersecurity is an integral part of the functioning of modern societies and economies. The NIS2 Directive represents a significant step in strengthening the European Union’s cyber resilience. Its implementation will help ensure that organizations are better protected against cyber threats, increase trust in digital services, and strengthen the overall security of society.
For the Slovak Republic, this means not only adapting to new requirements but also an opportunity to become a leader in the field of cybersecurity. Companies that invest in security will be better prepared to face the challenges of the digital age and gain a competitive advantage in the global market.
Ultimately, the success of NIS2 implementation depends on cooperation between the state, organizations, and the professional community. Through joint efforts, we can create a safer and more resilient digital space for everyone.