Businesses face tougher cybersecurity requirements under new EU regulations

PwC Cyprus’ Michael Solon Kassinis has outlined the critical importance of the European Union’s updated Network and Information Security Directive (NIS2), set to take effect on October 17, 2024.

Kassinis, who serves as Pwc Cyprus’ Director of Assurance Services – Digital Trust, highlighted the directive’s role in strengthening cybersecurity measures across the EU in response to the rising threat of cyberattacks.

“This new directive aims to create a robust cybersecurity framework, addressing the urgent need for stronger defences in an era where cyberattacks have surged dramatically,” Kassinis explained.

Set to take effect on October 17, 2024, NIS2 significantly strengthens the original NIS1 by expanding its scope and imposing stricter security requirements on both EU-based and external entities, ensuring comprehensive protection for digital infrastructure. 

Unlike its predecessor, NIS2 casts a wider net. It not only focuses on vital organisations within the EU but also extends its coverage to external entities doing business with the EU.  

Kassinis points out, “The enhanced NIS2 directive covers a broader range of entities and enforces more stringent security requirements.” He added that in this scope, “it not only focuses on vital organisations within the EU but also includes external entities doing business with the EU, ensuring comprehensive protection and resilience.”  

The directive divides sectors into two main categories, the Highly-Critical and the Other-Critical, ensuring that industries crucial for societal functioning meet strict security obligations. 

The Highly-Critical sectors include energy, transport, banking, and financial market infrastructure, along with health services.  

Additionally, sectors responsible for essential utilities, such as drinking water (which covers the provision and distribution of water) and wastewater management (involving the treatment and disposal of wastewater), are also included.  

Furthermore, digital infrastructure—such as internet exchange points, domain name system service providers, and cloud computing services—falls under this category, alongside ICT service management (business-to-business services), public administration, and space. 

On the other hand, Other-Critical sectors, such as postal and courier services, waste management, the production and distribution of chemicals, food production and processing, manufacturing (including essential goods), digital providers (like online marketplaces, search engines, and social networking platforms), and research, are also bound by the directive. 

The directive also introduces a new classification system for organisations, dividing them into Essential and Important entities.  

Kassinis explained that “An organisation is considered “Essential” if it belongs to a highly critical sector and exceeds the ceilings for medium-sized enterprises.” 

Medium-sized enterprises are defined as having fewer than 250 employees, an annual turnover not exceeding €50 million, or an annual balance sheet total not exceeding €43 million.  Kassinis added that, “This classification determines how organisations must meet security requirements and how they will be supervised and penalised for non-compliance.” 

NIS2 mandates an all-hazards approach to safeguard network and information systems, alongside their physical environments. 

“Measures include policies on risk analysis and information system security, incident handling, business continuity, such as backup management and disaster recovery, and crisis management,” Kassinis explained. 

Furthermore, he highlighted that the directive also requires enhanced supply chain security. “Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers, is a major focus,” he added. 

Kassinis emphasised that the directive also addresses other critical areas, such as security in network and information systems acquisition, development, and maintenance. 

He said, “Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure,” is a key requirement under NIS2. 

Additionally, organisations must ensure they have appropriate policies and procedures for assessing the effectiveness of their cybersecurity risk management measures. 

In terms of human resources, Kassinis pointed out that NIS2 requires “basic cyber hygiene practices and cybersecurity training,” alongside policies for human resources security, access control, and asset management.  

The directive also demands the use of multi-factor authentication, secured communications, and secured emergency communication systems, where appropriate.  

Furthermore, Kassinis highlighted, “policies and procedures regarding the use of cryptography and, where appropriate, encryption” are also necessary to ensure data security and integrity. 

Kassinis stressed the significance of the directive’s new reporting obligations. In the event of significant incidents, organisations must inform their national CSIRT (Computer Security Incident Response Team) or the relevant authority.  

He said, “An early warning should indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.” 

In terms of compliance, Kassinis mentioned  that  “organisations should also anticipate regular audits, security scans, on-site and off-site inspections, and data/documentation requests.” 

The NIS2 Directive represents a significant shift from the more voluntary approach of its predecessor and non-compliance can result in penalties such as compliance orders and binding instructions, criminal sanctions for management, and financial penalties, akin to those under the GDPR, on organisations that fail to comply within the specified timeframe. 

“Essential entities face fines up to at least 10 million euros or 2 per cent of total worldwide annual turnover, whichever is higher. Important entities face fines up to at least 7 million euros or 1.4 per cent of total worldwide annual turnover, whichever is higher,” Kassinis explained.  

He also noted that C-level executives could face personal consequences, including restrictions on holding board positions. 

To prepare for NIS2, Kassinis advised organisations to act swiftly. Among the actions organisations should take, he first suggested determining the need to comply with the directive.

In addition, he suggested performing a risk assessment to identify security gaps, put in place the necessary security measures, verify the security compliance of suppliers, test and evaluate the measures to ensure they work as intended, and make changes where necessary.

Finally, he also emphasised the importance of promoting security awareness among employees.