Doubts and clarifications about how to implement NIS2 in our companies

Juan Antonio Calles

We recently discussed the NIS2 Directive in another Flu Project article, one dedicated to a closely related topic: the release of the second RTS package published by the ESAs for DORA compliance. In today's post, however, we want to focus on NIS2 itself and on several of the questions that have come up in recent months, so keep this post as an FAQ that may prove useful in your respective organizations.

As a reminder, when we talk about NIS2 we are referring to Directive (EU) 2022/2555: NIS 2 (v2 of Network and Information Security), aimed at increasing cybersecurity in the EU using essential sectors as a lever. It has nothing to do with the (American) NIST, whose similarity in 3 letters out of 4 is mere coincidence ;). This new regulation was created to update and repeal Directive (EU) 2016/1148 of July 6, 2016 (former NIS1 Directive).

NIS2 distinguishes two broad groups of sectors to which certain requirements apply depending on their criticality. These requirements apply to companies in these sectors as long as they have more than 50 workers (that is, they are at least a medium-sized company):

  • High Criticality Sectors:
    • Energy
    • Transport
    • Banking
    • Financial market infrastructure
    • Health Sector
    • Drinking water
    • Sewage
    • Digital Infrastructure
    • ICT Services (B2B)
    • Public administration
    • Space

  • Other Critical Sectors:
    • Postal and courier services
    • Waste Management
    • Manufacture, production and distribution of chemical substances and mixtures
    • Food production, transformation and distribution
    • Manufacturing (including, among others, medical products)
    • Digital service providers
    • Research

However, because of the wording of Article 2, Point 1 of the Directive, which has generated some controversy since it lends itself to confusion, these requirements do not apply only to medium and large organizations in these 18 sectors: under certain circumstances they also apply to any organization in these sectors, regardless of its size.


This reading is corroborated by a publication of the National Cryptologic Center (CCN), which clarifies on its website that, regardless of size, the measures apply to both groups (High Criticality and Other Critical Sectors) in cases linked to national security and the operation of critical infrastructures, in centers that carry out research (e.g. teaching centers), and in regional and local administrations (e.g. city councils). The last point is fairly obvious: in many cases, such as towns and small cities, they will not reach 50 employees, yet their services are essential for citizens and the state. The following screenshot of the CCN website shows these details:


In this same publication you can download a very interesting infographic that links the National Security Scheme (ENS) with NIS2, and in which they clarify that, in the eyes of the administration, a company holding ENS certification at the High level will be considered "compliant" with the NIS2 Directive. So if you already have this certification, you have already done your homework:


Likewise, it clarifies that companies holding ENS Medium or Basic certifications must pay particular attention to continuity and supplier management, as defined by the Directive itself.

To begin to understand what NIS2 is about, I recommend two of the official publications available in Spanish. First, the official translation of the Directive itself:


And second, the CCN-STIC Guide 892, which was published just a few days ago:

On the other hand, it is important to clarify that, according to Article 41 of the NIS2 Directive, it must be transposed by EU member states no later than October 17, 2024, through a norm with the rank of Law. In other words, in approximately one month the deadline to have it officially in force will expire. There is still some uncertainty, however, because the transposition has not yet been published, and it is unknown whether it will contain many variations that could change the pace for those organizations that have already started work on implementation.

Another important date that we have with us is April 17, 2025, the day on which the different EU countries must have made public their lists of companies and administrations affected by the application of the regulation. These lists of essential and important entities must be updated, at most, every 2 years.

Finally, regarding another question we are often asked: is NIS2 certifiable? Technically, NO. It is simply a law we must comply with, as is the case with many others such as the Organic Law on Data Protection (LOPD). However, as CCN-CERT clarifies, given their similarities, holding ENS certification is a recognized way to comply with NIS2, so it is something organizations can consider within their governance and security strategies.

Soon we will continue to expand this chain of articles as new data on this long-awaited regulation is published.

Greetings!
