NIS2 Directive and New Information Security Law (ZInfV-1)
The Office of the Government of the Republic of Slovenia for Information Security (URSIV) is preparing a new Information Security Law (ZInfV-1), which will transpose the European NIS 2 Directive (Directive on measures for a high common level of cybersecurity in the Union) into Slovenian legislation. This directive, adopted in December 2022, requires EU member states to transpose it into their legal systems by October 17, 2024.
What does NIS 2 bring?
The NIS 2 Directive represents a significant step forward in efforts to enhance cybersecurity resilience in the EU. It aims to update the existing legal framework to adapt to rapid digitalization and new cybersecurity threats. The main objectives of the directive are:
- Improving Resilience: By expanding the rules to more sectors and entities, organizations’ resilience to cyber threats is improved.
- Faster Incident Response: The new regulation will allow for better preparedness and responsiveness to cyberattacks.
- Increased Protection: The directive will contribute to greater cybersecurity for companies, member states, and the EU as a whole.
The scope of NIS 2 is broader than existing legislation, as it includes new entities that were not previously required to meet obligations regarding the protection of information systems. Changes will also affect those entities that were already required to comply with the previous Information Security Law (ZInfV). These entities will need to further strengthen the security of their systems and processes.
Comprehensive Approach to Implementing the NIS 2 Directive, Step by Step, with ADD as a Partner:
1) Self-Identification: The first step is self-identification. In partnership with leading experts in the field, we guide you through the process of determining whether your organization falls within the scope of the NIS 2 Directive and is required to implement it.
2) Risk and Vulnerability Assessment: If your organization is subject to the requirements, a risk and vulnerability assessment follows. The assessment covers all business processes and technological systems, identifies critical information and communication technologies (ICT), and evaluates the potential consequences of cyber incidents. We rely on the legally defined requirements as well as on globally recognized CIS standards (CIS Controls and CIS Benchmarks).
3) Establishment of a Security Strategy and Policy with Prioritization: Based on the completed risk and vulnerability assessment, a prioritized security strategy and policy are established. These should include several components, among them information systems security management policies, rules and procedures for incident response, and assignment of responsibilities for data management and security. It is also necessary to define clear procedures for handling cyberattacks and for communicating with the relevant authorities, and to prepare a plan for rapid recovery and business continuity following an incident.
4) Implementation of Technical Measures: To achieve the objectives of the directive, organizations must implement technical measures to protect their information systems, including:
- Intrusion detection and prevention systems.
- Encryption of sensitive data.
- Data backup.
- Establishing network segmentation to prevent the spread of threats.
- Regular security updates and upgrades.
- Establishing incident response capabilities.
5) Employee Training and Awareness
We observe that organizations today invest significant resources in training and raising awareness about risks related to cyber threats. As such, continuous training on security policies and practices is expected from those subject to the directive, ensuring employees are informed and able to handle data securely and protect personal information. Additional emphasis will also be placed on familiarizing staff with procedures in the event of an incident (what to do in case of a suspected breach or attack).
6) Regular Reviews and System Testing
By conducting security tests, such as penetration tests and system security audits, organizations can assess the effectiveness of their security measures. It is also advisable to run incident-handling simulation exercises so that employees know how to react in the event of an actual attack; one example is phishing tests, which can be combined with employee training after the test.
7) Collaboration and Information Sharing
The NIS 2 Directive encourages organizations to collaborate with other stakeholders (government authorities, partners, sectors) to share information about cyber threats and attacks. It is crucial to establish mechanisms for reporting and collaborating with relevant authorities and partners.
8) Supplier Management
Risks can be transferred within the supply chain, so organizations must ensure the management of cyber risks associated with their suppliers. Include suppliers in your security policy and establish procedures to assess their compliance with NIS 2.
“Implementing NIS 2 requires technical and organizational measures. Regularly evaluating security systems, training employees, and collaborating with relevant authorities is essential. Our company helps guide you through this process.”
FOR ASSISTANCE AND ADDITIONAL INFORMATION, OUR TEAM OF SPECIALISTS FROM VARIOUS FIELDS IS AT YOUR DISPOSAL.
For more information, contact us at info@add.si, +386 (0)1 479 00 11, or fill out the contact form.