NX and the upcoming Network and Information Security Directive (NIS-2 / NIS2)
Hi there
For all customers and NX users in the European Union, I would like to open this important topic for discussion, so anyone can contribute and share information about NX compliance with the Network and Information Security Directive (NIS-2 / NIS2).
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance)
https://eur-lex.europa.eu/eli/dir/2022/2555
Some deadlines (more in the documents below):
- By 17 October 2024, Member States (all EU countries) must adopt and publish the measures necessary to comply with the NIS 2 Directive.
- By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.
- By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.
Enterprise size thresholds:
- Medium-sized enterprise: > €10M revenue OR > 50 employees
- Large enterprise: > €50M revenue OR > 249 employees
Maximum fines for non-compliance:
- Organisations classed as essential: 2.0% of turnover or €10M
- Organisations classed as important: 1.4% of turnover or €7M
Depending on the classification of a given critical entity as an essential or important entity, different procedures related to the supervision of its level of cybersecurity will apply. Above all, it should be pointed out that audits carried out by the competent authority or a certification body will be the basic action verifying the entity's ability to meet the provisions of the NIS2 directive. The legal basis for the types of audits and the method of conducting them will be determined in the process of implementing the NIS2 directive, with reference to the relevant standards and regulations. Failure of entities to comply with the requirements contained in the directive will result in the imposition of a financial penalty. The amounts of the penalties are mentioned above.
Sectors covered by the NIS2 Directive
- Energy
- Healthcare
- Water supply
- Transport
- Digital infrastructures
- Banking and financial market infrastructure
- Digital service providers
- Public sector
- Postal and courier services
- Wastewater and waste management
- Chemicals
- Food
- Manufacturing of critical products (including medical, computing and transportation)
- Digital providers (such as social networking services and data centres)
- Research
- Space
Please feel free to share your opinions, thoughts and comments. Any information can be helpful. This topic was created specifically for this, and I hope it will grow. Maybe not immediately, but in the upcoming months.
If you are interested in this topic, I also recommend reading the PDF guides below about NIS-2 from other VMS manufacturers. I know this is currently just a bunch of marketing BS, not real certificates, because it is still not possible to clearly determine which certificates obtained by producers will have legal force in the context of this directive, and which certification bodies will be entitled to carry out, among other things, audits regarding the level of cybersecurity.
But anyway, the directive is coming, and I think it would be nice to get ready and create proper documentation, similar to those marketing whitepapers, from Network Optix.
<REMOVED_LINKS_TO_OTHER_VENDORS>
-
Hi Tomasz Polus,
Thank you for taking the initiative to start this discussion. We have removed the links to other vendors, as this is the Nx community.
I'm genuinely curious to see what insights and perspectives others will bring to this conversation.
Regarding the status of our NIS2 compliance, we believe we are in alignment with the majority of the NIS2 legislation. However, due to the absence of an auditing mechanism, we are hesitant to assert full compliance at this stage.
At the moment, we don't have any public documentation on NIS2, as it would likely be filled with unnecessary language without much substance.
As soon as the legislation is finalized and clearly defined for each country, and there is an opportunity for a third-party audit of our processes, we will certainly proceed with creating and publishing the necessary documentation in the appropriate format. This will ensure that the information we provide is both comprehensive and meaningful.
Best regards.
-
Hello Norman - Nx Support and Tomasz Polus,
Did you hear anything new on this topic?
Regards
-
Hi Guilhem Decoux,
Subject: Update on NIS2 Compliance
Dear [Customer's Name],
Thank you for reaching out regarding NIS2 compliance. At this time, we do not have any updates to share.
We believe that our security and compliance practices align with the majority of the NIS2 legislation. However, due to the absence of an official auditing mechanism, we are hesitant to assert full compliance at this stage.
That said, we remain committed to maintaining the highest security standards and are already compliant with ISO 27001 and SOC 2 Type II, demonstrating our dedication to robust information security and risk management.
Please let us know if you have any further questions.
-
Unfortunately, in Poland we have a significant delay in the legislation transposing the NIS2 directive, let alone its implementation.
Although the deadline for implementing the NIS 2 directive expired in October 2024, and according to the announcements of the Polish Ministry of Digital Affairs the draft amendment to the KSC Act (Krajowy System Cyberbezpieczeństwa - National Cybersecurity System) was to be submitted to parliament in early 2025, intensive government work on the draft is still underway.
However, in its new announcements from early 2025, the Ministry of Digital Affairs in Poland states that work on the draft will continue in the first quarter of 2025. Considering the delays to date and the need for the Act to be passed by Parliament, it can be expected that the amended KSC Act will enter into force no earlier than the middle of this year.