The NIS Directive: cybersecurity, a top priority for the companies in 2022

On 12 January 2019, Law no. 362/2018 (European NIS Directive) on ensuring a high common level of security of network and information systems was published. This law is addressed to Operators of Essential Services (OES) in 7 sectors of economic activity: Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water Supply and Distribution, Digital Infrastructure and Digital Service Providers (DSP) from three categories, respectively: online marketplaces, search engines, cloud computing services.

A first step in the implementation of this law is the registration in the Registry for operators of the entities that meet the conditions of Operators of Essential Services.

All the entities that have registered or are about to be registered in the Registry for operators of essential services (ROSE) will be required to conduct an audit to certify compliance with the minimum security requirements. This audit must be performed by IT auditors who hold a valid certificate issued by CERT. The list can be consulted on the institution's website.

In response to the growing threats posed by digitalisation and the growing number of cyber attacks, the European Commission presented on 16 December 2020, as a draft proposal, the „NIS 2” Directive, that is going to replace the current Network and Information Security directive. The new Directive aims to:

• Increase the level of cyber resilience of a comprehensive set of companies operating in the European Union (EU) in all relevant sectors;
• Improve the level of common awareness of the situation and the collective ability to prepare for and respond to a cyber attack.

The „NIS 2” Directive will broaden the current scope of the NIS Directive and establish that all medium and large entities, that are active in the sectors covered by the new Directive, will automatically comply with the security rules set out in the proposal.

The Directive will apply to certain key public or private entities operating in the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space, and certain important entities operating in the following sectors: postal and courier services, waste management, manufacturing, production and distribution of chemicals, food production, processing and distribution, digital producers and suppliers.

Micro and small entities within the meaning of Commission Recommendation 2003/361 / EC of 6 May 2003 are excluded from the scope of the Directive, except for providers of electronic communications networks or publicly available electronic communications services, trust service providers, Top-level domain name (TLD) registries and public administration, as well as certain other entities, such as the sole provider of a service in a Member State.

The „NIS 2” Directive, by effectively forcing several entities and sectors to take action, will help increase the level of cybersecurity in Europe in the long run.

Mazars Romania received a cybersecurity audit certificate, granted by CERT-RO, for the compliance of the Romanian entities with the European NIS Directive. For more information regarding this subject, contact our IT audit and consulting team.