NX and coming Network and Information Security Directive ( NIS-2 / NIS2 )
Hi there,
For all customers and NX users in the European Union, I would like to open this important topic for discussion, so anyone can contribute and share information about NX compliance with the Network and Information Security Directive (NIS-2 / NIS2).
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance)
https://eur-lex.europa.eu/eli/dir/2022/2555
Some deadlines (more in the docs below):
- By 17 October 2024, Member States (all EU countries) must adopt and publish the measures necessary to comply with the NIS 2 Directive.
- By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.
- By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.
Enterprise size thresholds:
- Medium-sized enterprise: > 10M revenue or > 50 employees
- Large enterprise: > 50M revenue or > 249 employees
Maximum fines for non-compliance:
- Organisations classed as essential: 2.0% of turnover or €10M
- Organisations classed as important: 1.4% of turnover or €7M
Depending on the classification of a given critical entity as a key or important entity, different procedures related to the supervision of the level of cybersecurity will apply. Above all, it should be pointed out that audits carried out by the competent authority or certification body will be the basic action verifying the entity's ability to meet the provisions of the NIS2 directive. The legal basis for the types of audits and the method of conducting them will be determined in the process of implementing the NIS2 directive in relation to the relevant standards and regulations. Failure of entities to comply with the requirements contained in the directive will result in the imposition of a financial penalty. The amounts of penalties are mentioned above.
Sectors covered by the NIS2 Directive
- Energy
- Healthcare
- Water supply
- Transport
- Digital infrastructures
- Banking and financial market infrastructure
- Digital service providers
- Public sector
- Postal and courier services
- Wastewater and waste management
- Chemicals
- Food
- Manufacturing of critical products (including medical, computing and transportation)
- Digital providers (such as social networking services and data centres)
- Research
- Space
Please feel free to share your opinions, thoughts and comments. Any information can be helpful. This topic was created specially for this, and I hope it will start to grow. Maybe not immediately, but in the upcoming months.
If you are interested in this topic, I also recommend reading the PDF guides below about NIS-2 from other VMS manufacturers. I know this is currently just a bunch of marketing BS, not real certificates, because it is still not possible to clearly determine which certificates obtained by producers will have legal force in the context of these directives, and which certification bodies will be entitled to carry out, among others, audits regarding the level of cybersecurity.
But anyway, the directive is coming and I think it would be nice to get ready and create proper documentation, with similar marketing whitepapers from Network Optix.
<REMOVED_LINKS_TO_OTHER_VENDORS>
-
Hi Tomasz Polus,
Thank you for taking the initiative to start this discussion. We have removed the links to other vendors, as this is the Nx community.
I'm genuinely curious to see what insights and perspectives others will bring to this conversation.
Regarding the status of our NIS2 compliance, we believe we are in alignment with the majority of the NIS2 legislation. However, due to the absence of an auditing mechanism, we are hesitant to assert full compliance at this stage.
At the moment, we don't have any public documentation on NIS2, as it would likely be filled with unnecessary language without much substance.
As soon as the legislation is finalized and clearly defined for each country, and there is an opportunity for a third-party audit of our processes, we will certainly proceed with creating and publishing the necessary documentation in the appropriate format. This will ensure that the information we provide is both comprehensive and meaningful.
Best regards.