Information and cyber security management

Preparation for Directive (EU) 2022/2555 (NIS 2) of the European Parliament and of the Council service

Service

A new directive was adopted on measures for a high common level of cybersecurity across the Union (directive on security of network and information systems, hereinafter – NIS2). NIS2 aims to fundamentally change how organizations operating in the country approach cyber security: it expands the number of entities covered by the directive, establishes mandatory cybersecurity risk management measures and provides for stricter sanctions.

Entities falling within the scope of the NIS2 directive must take appropriate and proportionate measures to manage the risks arising from the networks and information systems used for their activities or service provision, and to prevent information and cyber security incidents or reduce the impact of incidents on the services provided and on service recipients.

Organizations seeking to adequately prepare for the implementation of the NIS2 directive must assess information and cyber security risks and manage them by choosing and implementing appropriate and proportionate measures to ensure the security of networks and information systems.

Organizations can prepare for the implementation of the requirements of the NIS2 directive independently or use the service provided by us – Preparation for the (EU) 2022/2555 (NIS2) directive service.

Progress

  • We perform a GAP analysis for the requirements of the NIS2 directive, during which:
      ◦ We evaluate the current state of the organization’s information and cyber security management and the organization’s internal legal acts regulating information and cyber security management
      ◦ We determine and analyze the organizational structure of information and cyber security management
      ◦ We identify the policies and procedures regulating information and cyber security management that need to be prepared or adjusted, and prepare and reconcile them
      ◦ We prepare an implementation plan for the activities necessary to meet the requirements of the NIS2 directive
  • As needed, we perform an assessment of the organization’s compliance with the requirements of the NIS2 directive
  • We prepare or adjust the policies and procedures regulating the organization’s information and cyber security management
  • We provide training for employees on the requirements of the NIS2 directive and their implementation in the organization
  • We perform information security risk assessment and prepare a plan of risk management measures
  • We carry out a business continuity testing exercise
  • We provide consultancy services on the implementation of necessary activities and preparation for the implementation of the NIS2 directive

Results

  • The GAP analysis report for the requirements of the NIS2 directive and an implementation plan for the activities necessary to meet the requirements of the NIS2 directive are prepared
  • The policies and procedures regulating the organization’s information and cyber security management are prepared or adjusted and reconciled, as well as draft orders on the formation of groups and the appointment of responsible persons
  • Information security risk assessment report and risk management measures plan are prepared and reconciled
  • Training materials are adjusted and training for employees on the requirements of the NIS2 directive and their implementation in the organization is conducted
  • The report of the business continuity testing exercise is prepared and reconciled
  • Consultations are provided during the preparation for the implementation of the NIS2 directive

Benefits

  • Non-compliances with the requirements of the NIS2 directive are identified and eliminated
  • Policies and procedures regulating the organization’s information and cyber security management are prepared or adjusted, and responsible persons are appointed
  • Employees of the organization are familiarized with the requirements of the NIS2 directive and their implementation process in the organization
  • Potential information and cyber security risks are identified and appropriate and proportionate risk management measures are selected
  • The business continuity management plan is tested
  • The implementation of the requirements of the NIS2 directive is ensured

To properly implement the requirements of the NIS2 directive, we recommend the full implementation of an information security management system in accordance with the requirements of the ISO/IEC 27001 standard.

Whether an entity falls within the scope of the NIS2 directive depends on the sector in which it operates and on its size (measured by the number of staff and annual turnover). Based on these criteria, entities falling within the scope of the NIS2 directive are assigned to one of two categories – essential or important entities. The NIS2 directive applies to the following sectors:

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research

An entity operating in the sectors listed above falls within the scope of the NIS2 directive if it is a large or medium-sized company (more than 50 employees and an annual turnover or annual balance sheet total of more than EUR 10 million). With specific exceptions, small and micro enterprises are excluded from the scope of the NIS2 directive.

If the requirements of the NIS2 directive are not properly met, the following fines may be applied to entities:

  • Essential entities: fines may reach EUR 10,000,000 or 2% of the annual turnover of the preceding financial year (whichever is higher)
  • Important entities: fines may reach EUR 7,000,000 or 1.4% of the annual turnover of the preceding financial year (whichever is higher)

Contact person

Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu