New deadlines for NIS2 compliance this year!

Registration was only the first step: the companies concerned must apply the cyber security measures from 18 October 2024 and must then conclude a contract with a cyber security auditor by 31 December 2024.

Our summary aims to make companies aware of what to focus on in the upcoming months:

  1. Establishing a cyber security risk management framework

    The framework defines the roles, responsibilities, competences and strategies for protecting electronic information systems, so that the related tasks can be managed on an ongoing basis. In addition to the organisational risk assessment, this includes a security risk assessment of the IT systems and documentation of the elements related to each system (e.g. business functions, assets involved, responsible persons, organisational and technological constraints of the IT system, the scope of data processed, the system's place in the organisational architecture, etc.). An important prerequisite for building the risk management framework is a complete mapping of the organisation's current processes.

  2. Security risk classification

    The security risk classification is key, as it determines the required strength of the security measures that will need to be associated with the information system.

    Incorrect classification may result in the application of excessive or insufficient cyber security measures. In an optimal classification, the expenditure on the protection of information systems is proportionate to the risks involved.

  3. Selection of cyber security measures

    The security classification is used to select the appropriate security measures. The number of security measures required under the regulation ranges from 164 to 385, depending on the security risk classification. If the organisation has already implemented the internationally standardised controls of ISO 27001 or NIST SP 800-53, only the gaps between those controls and the regulation's requirements need to be identified.

    At this stage, the companies concerned should prepare an action plan to identify shortcomings and work out proposals for improvements and new security measures to be introduced.

  4. Contracting with an auditor

    The companies concerned must conclude the contract with the selected auditor by 31 December 2024 at the latest. The auditor must be one listed on the cybersecurity regulator’s website, and its certification must match the company's security classification level (“basic”, “significant” or “high”), i.e. the auditor must be certified for that security risk level.


In summary, the homework ahead consists of designing the cybersecurity framework, carrying out the security classification and selecting the security measures. It is also worth keeping an eye on the registry of cybersecurity auditors, so that the contract with the auditor can be concluded as soon as possible.

The details of the regulation are now known, and the authority published a detailed application guide to the cyber security control families in August 2024.

It is worth starting to prepare as soon as possible, as there is much to do, deadlines are tight and market capacity is limited.

How can we help?

The NIS2 compliance project requires legal support in addition to information security support. Our legal support covers the entire NIS2 compliance process:

  • Providing general advice on legal requirements for cybersecurity
  • Providing regular updates on new legal developments
  • Conducting a review of supplier contracts for information systems
  • Preparing the rules for the new processes
  • Holding training on legal requirements
  • Providing advice on choosing an auditor
  • Coordinating the compliance checklists

Where necessary, we provide support to meet the requirements of other EU countries through our network of international cooperation.
