
This new legislation threatens companies with serious fines and the removal of the managing director



NIS2 is, to use a loose analogy, the new GDPR: a regulation that the companies concerned must deal with in their own interest. During a mandatory IT audit, they must demonstrate that they are prepared to handle cyber security incidents.

If they fail, they can be fined up to 2 percent of their annual sales, and even the company manager can be banned from his position. György Piszker, lead system architect at Kontron Hungary, explained how companies can make progress now.

In 2022, the European Union’s Cyber Security Agency (ENISA) listed the threats with which businesses are most often attacked: ransomware is in first place, followed by viruses, Trojans and spyware. These also prey on human error: they try to persuade the unsuspecting user to open malicious documents, files and e-mails, or to click on websites that give attackers unauthorized access to company data and bank accounts. Overload (denial-of-service) attacks, in which users are prevented from accessing certain websites and services, are also in the news every day. And hackers are increasingly attacking supply chains, disrupting the relationship between organizations and their suppliers.

“The European Union’s new Cybersecurity Directive, i.e. NIS2, defines minimum rules aimed at preventing these attacks, with which the relevant industry players must comply,” said György Piszker, lead system architect at Kontron Hungary.

Which companies are affected by NIS2?

Sectors considered particularly risky:
– energy (electricity, district heating and cooling, oil, gas, hydrogen),
– transport (air, rail, water, road, public transport),
– healthcare,
– water utilities (drinking water and waste water),
– communications,
– digital infrastructure providers (cloud providers, domain name providers, content providers),
– outsourced ICT services,
– and companies dealing with space-based services.

Sectors also deemed risky:
– postal and courier services,
– food production, processing and distribution,
– waste management,
– production and distribution of chemicals,
– manufacturing (medical technology, machines, electrical equipment, electronic devices, cement, lime and plaster production),
– digital services (online marketplaces),
– and research companies.

Companies in these sectors are affected provided that they have more than 50 employees and an annual turnover of over 10 million euros. Suppliers of an organization covered by NIS2 are also affected: they must obtain NIS2 certification regardless of size and turnover.

“No one will notify the companies separately that they are affected. They must carry out their own classification and, on a self-declaration basis, register with the Regulatory Authority for the Supervision of Regulated Activities (SzTFH) with their name, tax number and TEOR number by June 30, 2024,” explained the expert.

The specific national regulation was expected in January 2024, but it was not completed by then. It was next promised for February, but there is still work to be done before it finally enters into force.

What should you start preparing for?

“The legislation will practically contain all the measures with which both risky organizations and organizations deemed particularly risky must comply. The law will define control points and control groups, which will be examined by the auditor, who will review the companies’ electronic information systems. This includes, for example, company correspondence, the HR record system, the corporate management system, the IT system that controls the production line in a factory – so everything in which, to put it very simply, bits are running,” was how György Piszker characterized the expected IT challenges.

“Until the legislation arrives, it is worthwhile for companies to start reviewing their internal IT rules and processes: see which one contains what, how they are connected to each other, and when they were updated. These are the first and basic questions during the situation assessment; from here you can start and make suggestions as to which policy should be supplemented, to what extent, or even completely re-created – this will be done by the auditor. If there is not one, an information security officer must be appointed – either from within the company, if there is an internal resource for this, or by inviting an external IT consultant or system integrator. He will be the professional leader of the situation assessment,” explained Kontron’s expert, but added that the expectations will be quite complex and will not be easy to interpret.

How much does this cost companies?

According to György Piszker, the cyber security preparedness of domestic companies is not strong; there are significant deficiencies in both technological controls and regulation. The cost depends on the size of the company, its complexity, and its current state of preparedness.

“The ISO 27001 cybersecurity certification is a good basis, which indicates significant preparation, but there are differences between the expectations of the two systems, so those companies that already have it will also have work to do,” he added.

What must be accomplished?

The focus is on cyber security risk analysis and information security, business continuity, disaster recovery, supply chain security, the use of encryption solutions, the use of authentication solutions, the provision of communication channels (text, voice, video) and holding cyber security training within the organization. “But it is not enough if, for example, a policy is ready and we put it in a drawer, because the auditor will ask to see the associated error tickets that have been created so far. After all, if a process or a regulation works, there are associated error tickets – at least one,” Kontron warns.

In addition, organizations are obliged to notify the national authorities of events that cause serious operational disruption or financial loss, or that cause significant material or non-material damage to legal or natural persons. Since companies have so far kept quiet about attacks rather than announcing them, the current cyber security situation in Europe is not transparent; it already is in the USA, where companies have been obliged to report them. Since companies in our country will also be forced to investigate attack cases in-house and find a solution for avoiding them in the future, the number of attacks should slowly decrease.

Even the company manager can be banned

If a company does not comply with the NIS2 guidelines even after the “correction” period granted by the auditor has expired, a fine of 10 million euros or 2 percent of annual global turnover can be imposed on players in highly critical sectors, while organizations with basic criticality can be fined 7 million euros or 1.4 percent of their annual turnover. In addition, a supervisory commissioner can be appointed to the organization, the executive can be banned from managing the company, or the operation of the organization can be suspended. “In the same way as in the case of an economic crime, since the executive is ultimately responsible for ensuring that his organization complies with the NIS2 directive. If he did not take care of this, or took care of it inadequately, then the authority can appoint a supervisory commissioner in his place, and he can be banned or suspended. But it will also be more than enough if the company does not receive the certification and falls out of the circle of suppliers where this becomes expected,” said György Piszker, Kontron’s expert.


