Organizations under the scope of the European Union’s new cybersecurity directive, NIS2, have one year to prepare. The help of a consultant can come in handy.
NIS2 obliges member states to take measures to improve the cyber security of network and information systems, build national incident notification systems and cooperate with other EU institutions in the field of cyber security. Companies operating in Hungary must comply with the Hungarian legislation that implements the requirements of NIS2 in the domestic legal environment. One of the most important pieces of legislation of this kind is Act XXIII of 2023 on cyber security supervision (Kibertan), published this spring. The organizations concerned must apply the prescribed protection measures from October 18, 2024, and the first supervisory audits are expected from January 1, 2025.
Preparation cannot be postponed
The scope of NIS2 includes medium and large organizations of particularly risky (energy, transport, healthcare, etc.) and risky (postal services, waste management, etc.) sectors. Micro and small businesses are only affected when they become suppliers to companies covered by NIS2. Since many threats originate in the supply chain, it is understandable that regulations prioritize supply chain resilience.
– It is important for the organization to be aware of its own level of preparedness, i.e. the starting point. Both NIS2 and Kibertan mention that the organizations involved have an information security management system. In practice, this means that if a company’s activities comply with the ISO 27001 standard, it can consider itself to be in a good state of readiness. However, organizations that have certain protection solutions, but these are not recognized, documented or monitored, can be considered immature. Companies in a more advanced state of maturity have, for example, a dedicated information security officer or an IT manager who also takes on this role. Then there are organizations that have been under supervision for years, whose preparedness is regularly examined and audited, and which constantly improve their cyber resilience. Every company can move forward from its current state. The foundation is for the organization to have an information security management system, perform a risk analysis and involve the organizations in the supply chain. Particular attention should be paid to those suppliers who support the organization with info-communication products, processes or services. In the case of the more mature ones, the gaps typically still need to be assessed and filled. Immature organizations, however, have much more to do, and they should start preparing now – points out Zsuzsanna Borbély, service business manager of filter:max Kft.
Step by step to full compliance
Anyone familiar with ISO 27001 can easily navigate the information security professional requirements of NIS2 and Kibertan. Filter:max’s experts have been working with information security regulatory systems for more than ten years, the elements of which are also covered by the new legislation.
As a starting point, filter:max can assess the organization’s cyber security readiness status. It is important for the company to have a risk analysis, including the risks arising from the supply chain, and to build up its protection system accordingly. Business continuity management is essential. It is important to create and implement incident management as a process, as well as to fulfill the reporting obligation. – The managing director of the organization concerned is personally responsible for certain issues. Zsuzsanna Borbély emphasizes that information security awareness training must be held at the company, in which decision-makers must also participate.
Time-limited or continuous cooperation
filter:max can help organizations on a project basis or in the framework of continuous cooperation. If, for example, a company only lacks a business continuity management system, the task can be solved within a given time frame.
The situation is different when the organization struggles with several deficiencies. In this case, continuous help is needed. – In many cases, the company does not have the expertise to achieve compliance with the legislation. In such cases, the solution is provided by an external expert. There are also companies that have an internal information security expert and would be able to implement the steps required by law. However, their capacity to complete everything by the deadline is limited. Even in such cases, external help comes in handy, which we are happy to provide – the service business manager sums up the consulting services offered by filter:max.
At the end of October, filter:max will provide information on the legislation and compliance with it in a webinar.