NIS 2 Directive – new challenges for cybersecurity in Poland


The NIS 2 Directive is a key piece of legislation aimed at strengthening cybersecurity across the European Union. Entities covered by its provisions must comply with a range of new obligations, including implementing a cyber risk management system, reporting cybersecurity incidents to relevant authorities, and utilizing encryption technologies in physical access control – a critical element of cybersecurity under the NIS 2 Directive.

Key information about the NIS 2 Directive

In January 2023, the European Union introduced the NIS 2 Directive, a new cybersecurity regulation. This directive is a response to the growing cyber threats and evolving digital landscape. In Poland, businesses are required to comply with its provisions by October 17, 2024. This marks a significant step toward improving cybersecurity both nationally and across the EU.

The updated directive aims to establish a high level of cybersecurity across all EU member states. By introducing new guidelines and rules for network and information security, it seeks to enhance the resilience of IT and network systems across the EU. Additionally, it aims to improve incident response times and safeguard society, the economy, and public security.

NIS 2 significantly expands the scope of regulation compared to the previous NIS Directive of the European Parliament and of the Council. It now covers a broader set of economic sectors, medium and large enterprises in specific industries, as well as selected small and micro-enterprises.


Who does the NIS 2 Directive apply to?

The NIS 2 Directive applies to a wide range of public and private entities, including:

  • Medium and large enterprises (employing at least 50 people or with an annual turnover or balance sheet exceeding €10 million) operating in sectors specified in the directive, such as energy, transport, banking, healthcare, manufacturing of electrical equipment and machinery, and digital service providers.
  • Small and micro-enterprises that:
    • are trust service providers,
    • provide DNS services (excluding primary name server operators),
    • manage TLD registries,
    • are part of the central public administration,
    • are classified as critical entities under the CER directive.

Obligations under the NIS 2 Directive

The NIS 2 Directive imposes several new obligations on covered entities, including:

  • implementing systems and measures for cyber risk management to identify, assess, and mitigate attack risks,
  • collaborating with relevant authorities to respond to cybersecurity incidents,
  • promptly reporting cybersecurity incidents to designated supervisory bodies,
  • securing systems through risk analysis, effective procedures, supply chain protection, and business continuity plans,
  • utilizing encryption technologies, particularly end-to-end encryption.

Penalties for violating the NIS 2 Directive

The directive introduces strict penalties for non-compliance. Key entities face fines of up to €10 million or 2% of their total annual revenue, while important entities may face fines of up to €7 million or 1.4% of their annual revenue. The NIS 2 Directive also allows for periodic financial penalties to enforce compliance with EU cybersecurity regulations.

Physical access control as part of cybersecurity

When conducting an audit to prepare a company or public institution for compliance with the NIS 2 Directive, special attention should be given to physical access control. Physical security is often overlooked in the context of cybersecurity, yet Article 79 of the NIS 2 Directive emphasizes that threats to network and IT system security can originate from theft, break-ins, or other unauthorized access to information-related infrastructure.

Physical threats significantly impact cybersecurity. For instance, the theft of laptops, smartphones, or other portable devices can compromise sensitive data. Without proper security measures, intruders can access this data or use it to breach digital security systems. Moreover, attackers may attempt to take control of network devices, such as routers, enabling them to intercept traffic or carry out man-in-the-middle attacks, potentially leading to data interception and manipulation.

Attacks on servers, data centers, or power and cooling infrastructure can also result in data loss, system malfunctions, and service interruptions, affecting data availability and security. Additionally, attackers may physically introduce malicious devices or data carriers, such as USB drives, to infect networks or devices.

To meet the requirements of the NIS 2 Directive, organizations should consider implementing robust physical access control systems for zones, buildings, and rooms. These solutions enhance security and enable flexible access management. Integration with other systems and real-time event monitoring accelerates response times in the event of cybersecurity breaches, minimizing the impact of attacks.

Furthermore, the directive highlights the importance of encryption technologies, such as end-to-end encryption, to secure communication between components of the access control system (e.g., card, reader, controller, server). Additional measures, such as key salting, hashing, and secure encryption modes, are recommended to strengthen the system’s resilience to attacks.
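The reader-to-controller link described above, as an added example that is not part of the original article and not any vendor's product code. It assumes a constructed message layout (reader ID in clear, then a nonce, then the encrypted counter and card UID), uses AES-GCM as the "secure encryption mode" so that both confidentiality and integrity are covered in one primitive, keeps a per-reader monotonic counter to reject replayed events, and stores a salted SHA-256 of each enrolled card UID rather than the raw UID. The key, salt, reader ID and card UIDs are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AccessEvent is what a door reader reports after a card presentation.
// The layout is constructed for this example, not a vendor format.
type AccessEvent struct {
	ReaderID uint32
	Counter  uint64 // monotonic per reader; non-increasing values are rejected as replays
	CardUID  []byte
}

// newGCM builds an AES-GCM AEAD. GCM both encrypts and authenticates, so any
// modified byte of the message is detected before the controller acts on it.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEvent produces readerID(4) || nonce(12) || ciphertext||tag. The clear
// reader ID is bound to the ciphertext as associated data, so it cannot be swapped.
func SealEvent(key []byte, ev AccessEvent) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, ev.ReaderID)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per message
		return nil, err
	}
	payload := make([]byte, 8, 8+len(ev.CardUID))
	binary.BigEndian.PutUint64(payload, ev.Counter)
	payload = append(payload, ev.CardUID...)
	out := append(append([]byte{}, header...), nonce...)
	return aead.Seal(out, nonce, payload, header), nil
}

// OpenEvent verifies the GCM tag and decrypts; tampering yields an error, not data.
func OpenEvent(key []byte, msg []byte) (AccessEvent, error) {
	aead, err := newGCM(key)
	if err != nil {
		return AccessEvent{}, err
	}
	ns := aead.NonceSize()
	if len(msg) < 4+ns+8+aead.Overhead() {
		return AccessEvent{}, errors.New("message too short")
	}
	header, nonce := msg[:4], msg[4:4+ns]
	pt, err := aead.Open(nil, nonce, msg[4+ns:], header)
	if err != nil {
		return AccessEvent{}, fmt.Errorf("authentication failed: %w", err)
	}
	return AccessEvent{ReaderID: binary.BigEndian.Uint32(header),
		Counter: binary.BigEndian.Uint64(pt[:8]), CardUID: pt[8:]}, nil
}

// Controller holds the channel key, a per-site salt and the enrolment table.
type Controller struct {
	key, salt   []byte
	enrolled    map[[32]byte]string // salted hash of card UID -> holder
	lastCounter map[uint32]uint64   // highest accepted counter per reader
}

func NewController(key, salt []byte) *Controller {
	return &Controller{key: key, salt: salt,
		enrolled: map[[32]byte]string{}, lastCounter: map[uint32]uint64{}}
}

// hashCard stores a salted SHA-256 of the UID so a copied enrolment table does not
// list valid card numbers directly. UIDs are low entropy, so a keyed HMAC or a slow
// KDF would be stronger in production; plain SHA-256 keeps this within the stdlib.
func (c *Controller) hashCard(uid []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, c.salt...), uid...))
}

func (c *Controller) Enroll(uid []byte, holder string) { c.enrolled[c.hashCard(uid)] = holder }

// Receive authenticates, replay-checks, then looks the card up. The counter is
// advanced as soon as the message authenticates, even if the card is unknown.
func (c *Controller) Receive(msg []byte) (string, error) {
	ev, err := OpenEvent(c.key, msg)
	if err != nil {
		return "", err
	}
	if ev.Counter <= c.lastCounter[ev.ReaderID] {
		return "", errors.New("replayed or out-of-order event")
	}
	c.lastCounter[ev.ReaderID] = ev.Counter
	holder, ok := c.enrolled[c.hashCard(ev.CardUID)]
	if !ok {
		return "", errors.New("unknown card")
	}
	return holder, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; provision a random one in practice
	ctrl := NewController(key, []byte("site-salt-demo"))
	uid := []byte{0x04, 0xA1, 0xB2, 0xC3}
	ctrl.Enroll(uid, "A. Kowalski")
	msg, _ := SealEvent(key, AccessEvent{ReaderID: 7, Counter: 1, CardUID: uid})
	fmt.Println(ctrl.Receive(msg)) // holder accepted
	fmt.Println(ctrl.Receive(msg)) // same bytes again: replay rejected
	msg[len(msg)-1] ^= 0x01
	fmt.Println(ctrl.Receive(msg)) // flipped tag bit: authentication failed
}
```

The design point is that an unauthenticated cipher mode would decrypt a tampered or replayed frame into plausible-looking data and let the controller act on it; with AEAD plus a per-reader counter, both cases fail closed before any door decision is made, and the failure is an auditable event the monitoring system can alert on.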

Summary

Effective physical access management and advanced encryption technologies are critical for ensuring a high level of cybersecurity and meeting the requirements of the NIS 2 Directive.

Date of publication: 2025-01-22

