NIS 2 and its implementation into Slovak law

At the beginning of April, the National Security Authority (hereinafter the "NBU") announced, by way of preliminary information, the start of the legislative process for an amendment to Act No. 68/2018 Coll. on Cyber Security and on Amendments and Additions to Certain Acts, as amended. The amendment is to transpose Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (hereinafter "NIS 2") into the Slovak legal order. The inter-ministerial comment procedure is expected to be launched in April or May 2024.

In this article, we provide a comprehensive overview of NIS 2 and its impact on the business environment.

1. What is the subject matter of NIS 2?

  • Achieving a high common level of cybersecurity across the Union for the better functioning of the internal market.

2. What are the objectives of NIS 2?

  • Extending the range of obliged entities required to take measures to enhance their cybersecurity capabilities.

  • Harmonising the EU approach to incident reporting, security requirements, supervisory measures and information exchange.

3. By when is NIS 2 to be transposed?

  • EU Member States have 21 months from the entry into force of NIS 2, i.e. until 17 November 2024, to transpose it into national law. The amended Act is expected to enter into force on 1 January 2025.

  • According to the NBU, the Slovak Republic already has an above-standard level of legislation in this area. However, the implementation of NIS 2 will broaden the scope of the NBU's remit: the NBU expects that around 10,000 new entities will fall under the new regulation.

4. What are the key elements of NIS 2?

NIS 2 aims to address the shortcomings of the previous rules, to adapt them to current needs and to make the legislation future-proof. Unlike NIS 1, NIS 2 covers a wider range of industries (sectors), selected according to their importance to the economy and society.

To this end, NIS 2 extends the scope of the previous rules by adding new sectors, chosen on the basis of their degree of digitisation and interconnectedness and their importance to the economy and society, and by introducing a clear size threshold: all medium-sized and large companies in the selected sectors fall within its scope.

  1. Medium-sized enterprises: 50 to 249 employees, or a turnover of more than EUR 10 million;

  2. Large enterprises: 250 or more employees, or a turnover of more than EUR 50 million.

NIS 2 also leaves Member States some discretion to identify smaller entities with a high security risk profile that should likewise be subject to the obligations under the new regulation. In addition, NIS 2 removes the distinction between operators of essential services and digital service providers.

Entities are instead classified according to their importance into two categories, essential entities and important entities, which are subject to different supervisory regimes. This allows a lighter regime to be applied to services categorised as "important" rather than "essential".

However, even if a company does not itself fall within the scope of NIS 2, it is highly likely that some of its suppliers or customers that do will require the company to comply with NIS 2, because those suppliers or customers are obliged under NIS 2 to have cybersecurity measures in place across their supply chains.

5. Which sectors and types of entities will be covered by NIS 2?

High criticality sectors:

a) Energy (electricity, district heating and cooling, oil, gas and hydrogen);

b) Transport (air, rail, water and road);

c) Banking (lex specialis: the DORA Regulation);

d) Financial market infrastructures (lex specialis: the DORA Regulation);

e) Healthcare, including the manufacture of pharmaceutical products, including vaccines;

f) Drinking water;

g) Waste water (new inclusion of the sector within the scope of cybersecurity regulation);

h) Digital infrastructure (DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services);

i) ICT service management (managed service providers and managed security service providers) (new inclusion of the sector within the scope of cybersecurity regulation);

j) Public administration;

k) Space (new inclusion of the sector within the scope of cybersecurity regulation).

Other critical sectors:

a) Postal and courier services (new inclusion of the sector within the scope of cybersecurity regulation);

b) Waste management (new inclusion of the sector within the scope of cybersecurity regulation);

c) Manufacture, production and distribution of chemicals;

d) Production, processing and distribution of food (new inclusion of the sector within the scope of cybersecurity regulation);

e) Manufacture of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers, and other transport equipment (new inclusion of the sector within the scope of cybersecurity regulation);

f) Digital service providers (online marketplaces, search engines and social networking platforms) and research organisations;

g) Research.

6. Incident reporting

Who is obliged to report incidents? Essential and important entities.

NIS 2 introduces a multi-stage reporting obligation under which the entities concerned must report each significant incident in the following steps.

a) Early warning

  • The entity concerned shall submit an early warning without undue delay and within 24 hours of discovering the significant incident;

b) Incident notification

  • The entity concerned shall submit an incident notification without undue delay and within 72 hours of becoming aware of the significant incident;

c) Interim report

  • At the request of the Computer Security Incident Response Team (CSIRT) or, where appropriate, the competent authority, the entity concerned shall provide an interim report with a relevant status update;

d) Final report

  • The entity concerned shall submit a final incident report no later than 1 month after submitting the incident notification.

7. Responsibilities of management bodies

The statutory bodies of essential and important entities bear ultimate responsibility for cybersecurity risk management within those entities.

In particular, the statutory bodies of essential and important entities must:

  • Approve cybersecurity risk management measures;

  • Oversee the implementation of cybersecurity risk management;

  • Undergo training to recognise risks and to assess cybersecurity risk management practices and their impact on the services provided by the entity;

  • Offer similar training to their employees on a regular basis;

  • Bear responsibility for non-compliance.

Failure of the senior management of the entities concerned to comply with the requirements of NIS 2 may have serious consequences, such as liability of a member of the company's statutory body for damages, a prohibition on or restriction of a member of the statutory body from acting in that capacity, or other sanctions such as fines.

Such temporary suspensions or bans are to be applied only as a last resort, i.e. only after other relevant enforcement measures have been exhausted, and only until the entity concerned has taken the necessary measures to remedy the deficiencies or to comply with the requirements of the competent authority in respect of which the suspension or ban was applied.

8. Supervisory measures

In order to strengthen supervisory powers and the measures that help ensure effective compliance, NIS 2 sets out a minimum list of supervisory measures and means by which competent authorities may supervise essential and important entities. In addition, NIS 2 distinguishes between the supervisory regimes for essential and for important entities in order to ensure a fair balance of responsibilities between those entities and the competent authorities.

Essential entities are therefore subject to a comprehensive regime of ex ante and ex post supervision, while important entities are subject only to a light regime of ex post supervision.

9. Enforcement powers

In duly justified cases where a competent authority becomes aware of a serious cyber threat or imminent risk, it should be able to take immediate enforcement decisions to prevent or respond to an incident.

To make enforcement effective, NIS 2 sets out a minimum list of enforcement powers that may be applied for breaches of the cybersecurity risk management and reporting obligations it establishes, creating a clear and consistent framework for such enforcement across the Union.

10. Penalties / Fines

Essential entities: a maximum administrative fine of EUR 10,000,000 or up to 2% of the undertaking's total worldwide annual turnover, whichever is higher.

Important entities: a maximum administrative fine of EUR 7,000,000 or up to 1.4% of the undertaking's total worldwide annual turnover, whichever is higher.

Our services in the cybersecurity area

(i) Providing comprehensive cybersecurity advice tailored to the specific entity, taking into account legal and factual considerations.

(ii) Structuring cybersecurity projects to ensure compliance with local and international standards.

(iii) Conducting cybersecurity audits.

(iv) Developing a cybersecurity strategy.

(v) Implementing technical solutions, in particular the supply and installation of software and hardware to protect IT systems and data.

(vi) Regular monitoring and system updates.

(vii) Training and attack simulations.

(viii) Preparing comprehensive contractual and other cybersecurity documentation.

(ix) Negotiating and drafting cybersecurity contracts with IT, hardware and network providers, and developing model documentation for incident reporting, including on-site support and crisis management.

(x) Pre-litigation dispute resolution and litigation support arising from security incidents (including insider threats and employee errors), as well as preparing documentation for penetration testing.

(xi) Assessing cybersecurity in M&A transactions.

(xii) Reviewing client data management and protection practices.

(xiii) Assisting with reporting, external communication and internal investigations (including employment law aspects).

Authors

Jakub Hanesch

Martin Jacko