In recent years, the European Union has placed special emphasis on cybersecurity. In 2022, three pieces of legislation were adopted to strengthen the defense of organizations against cyberattacks: the DORA regulation prepares the financial sector for digital operational resilience, the CER directive addresses the resilience of critical entities, and the NIS2 directive lays down measures for a high common level of cybersecurity across the EU.
Why is this important for certain organizations? Because the NIS2 directive, along with Act XXIII of 2023 on cybersecurity certification and supervision, which implements it, imposes numerous obligations on organizations that fall under its scope, along with the threat of severe sanctions.
The law establishes a dual set of criteria for its scope: it defines so-called high-risk and particularly high-risk sectors, and it additionally requires a certain minimum organizational size. Sectors classified as particularly high-risk include energy, transportation, healthcare, water utilities, and telecommunications, while high-risk sectors include postal and courier services, food production, product manufacturing, and the production and manufacturing of chemicals. Companies in these sectors with 50 or more employees, or with annual net revenues exceeding 10 million euros, fall under the regulation's scope. In addition, their suppliers must also comply with the requirements.
According to the law, affected organizations must register with the Regulated Activities Supervisory Authority, appoint a person responsible for the security of the organization's information systems, and classify their IT systems into the security classes defined by the law. Although the final version of the implementing legislation detailing the tasks for each class has not yet been adopted, the draft indicates that affected organizations will have to complete hundreds of tasks to achieve compliance.
Organizations must complete a self-identification by June 30, 2024 to determine whether the legislation applies to them. If it does, they must register with the Authority and classify their IT systems into security classes. October 18, 2024 is the deadline by which organizations must apply the protective measures required for NIS2 compliance and pay the supervisory fee to the competent authority. By December 31, 2024, firms must contract an auditing firm to verify their compliance, and the audit itself must be completed by December 31, 2025.
The stakes are high. Without compliance, affected organizations are both more vulnerable to cyberattacks and exposed to significant penalties: up to 10,000,000 EUR or 2% of total annual worldwide turnover, whichever is higher, for organizations in particularly high-risk sectors, and up to 7,000,000 EUR or 1.4% of the previous year's turnover, whichever is higher, for organizations in high-risk sectors. Furthermore, a new sanction allows, in severe cases, the suspension of the organization's relevant activities and a temporary ban on its senior executives from exercising managerial functions.
Don’t wait any longer. Contact our office at +36 1 700 4750, or send an email to nis2@rvdpartners.com. Our team of experienced legal and IT security experts is ready to help you successfully implement the NIS2 directive. Prepare for future challenges with us and ensure the cybersecurity of your business or organization!