Cybersecurity is now one of the most critical challenges faced by modern businesses. The European Union, recognizing the growing threat of cyberattacks and the need for enhanced cybersecurity protection, has established the new NIS2 Directive. This legislation is designed to strengthen the level of cybersecurity across all member states and protect businesses from the increasing threats in cyberspace.
The new NIS2 Directive, enforced by the European Union, requires immediate compliance from all companies with more than 50 employees or an annual turnover exceeding 10 million euros by October 17, 2024; otherwise, they will face heavy fines and other penalties.
At TicTac, we are here to guide you through this complex landscape and help you comply with the new directive.
Download the NIS2 Compliance Guide for Free
Protect your business and avoid heavy penalties.
With TicTac’s Free Compliance Guide, you will gain all the necessary knowledge and tools you need to determine whether your entire business falls within the requirements of the law and whether you need to comply with the new European cybersecurity standards.
What is NIS2 and why does it matter?
NIS2 (Network and Information Security Directive 2) is the second version of the original NIS Directive, adopted in 2016, which aimed to set the basic standards for network and information security in Europe.
However, the rapid evolution of technology and the increasing frequency and complexity of cyberattacks made it necessary to update these regulations. NIS2 introduces stricter requirements and covers a wider range of sectors and organizations.
The Critical Changes Introduced by the NIS2 Directive in Greece

The NIS2 Directive brings a number of significant changes and improvements compared to its previous version. These changes concern not only the stringency of security measures but also the scope of organizations that must comply across the EU.
1. More Sectors Under Compliance Regime
The initial areas covered by the original NIS Directive included:
- Energy (electricity, oil, natural gas)
- Transportation (aviation, railways, shipping, road transport)
- Banking services
- Financial market infrastructures
- Health (hospitals, healthcare providers)
- Water supply and management (water supply, water distribution)
- Digital service infrastructures (cloud service providers, internet exchange points infrastructures)
- Digital service providers (search engines and social networking platforms)
NIS 2 now expands beyond the original industries and includes organizations operating in sectors such as:
- Production and distribution of food and chemicals.
- Industry and construction.
- Food
- Sewage and Waste Management
- Courier and Postal services
- Providers of public electronic communication networks or services
- Public administration
- IT services management
- Space
- Research services
This means that more organizations than ever are required to comply with the increased security requirements of NIS2 to protect themselves from cyber threats.
Free Business Audit Tool for NIS2
Because compliance with the NIS2 directive is critical for many businesses, we created the NIS2 Eligibility Calculator so you can see quickly, simply, and completely FREE whether your business needs to comply with the new requirements and avoid millions of euros in fines.
2. Stricter Security Measures
The directive requires organizations to adopt stricter security measures to protect their information systems. This includes threat detection, incident response, and ensuring service continuity. Specifically, these requirements include:
- Technological solutions for system monitoring.
- Training of staff on cybersecurity issues.
- Development of incident response plans.
Organizations are called upon to implement solutions that enable rapid detection of and response to cyber threats, ensuring that their operational activities are not disrupted.
3. Cooperation between States to Counter Cyberattacks
NIS2 promotes cooperation between EU Member States to address cyber threats jointly. This is achieved through the creation of new cooperation mechanisms, such as the EU Cybersecurity Centre, which coordinates efforts to address cyber attacks at a pan-European level. Every company can benefit from this cooperation, as information sharing and joint threat response enhance security across the continent.
4. Risk Assessment and Risk Management
NIS2 requires organizations to adopt a risk-based approach. This involves assessing the risks that threaten the business and implementing appropriate measures to mitigate those risks. With this approach, organizations can focus on the most critical threats and allocate their resources more effectively, thereby protecting their data and ensuring business continuity.
What is the Goal of NIS2?

The primary objective of the NIS2 Directive is to strengthen cybersecurity in the European Union. The protection of critical infrastructure is vital to ensure the smooth functioning of society and the economy. The Directive aims to establish a secure digital environment that protects both businesses and citizens from cyber threats.
The steps that each business should take in the areas mentioned above are as follows:
Infrastructure Protection
Organizations operating in critical sectors (such as energy, healthcare, etc.) must adopt rigorous security measures to ensure the resilience of their systems. This framework includes threat management, risk detection, incident response, and the development of strategies for restoring services after an attack.
Network Resilience
Resilience is a core principle of NIS2. Organizations must be able to withstand and recover quickly from cyberattacks, ensuring the continuity of their business activities. This requires having incident response plans and the ability to quickly restore digital services.
Transparency and Accountability
Businesses are required to report security incidents and adopt practices that promote transparency and accountability. This includes informing relevant authorities and their customers about security incidents and the measures being taken to address them. This transparency helps to create an environment of trust between businesses and their customers.
How to React to Cyberattacks According to NIS2

NIS2 requires companies and organizations to report security incidents that affect their services.
Let’s see how this whole process works:
1. Early Warning (24 hours)
When there is a suspicion of malicious activity that may have consequences beyond borders, organizations must issue an initial alert within 24 hours. This alert enables relevant authorities to react quickly and coordinate with each other, particularly when the issue affects multiple countries.
2. Official Incident Notification (72 hours)
Within 72 hours of discovering an incident, organizations are required to submit a more detailed report. This includes an assessment of the severity and impact of the incident, as well as specific elements indicating the nature of the attack. This information is crucial for enabling authorities to understand what happened and take appropriate action.
3. Interim Status Report (1 month)
If required by competent authorities or CSIRTs (Computer Security Incident Response Teams), organizations may be required to submit an interim report within one month. This report should provide updated information on the progress made in managing the incident and the actions taken to restore security.
4. Final Report
Once the incident is resolved, organizations must submit a final report within one month. If the incident is still ongoing, a progress report is submitted, and later, a final report. These reports contain detailed information about what happened, the corrective actions taken, and the lessons learned from the incident.
In some cases, organizations need to inform their customers about important events. This is important to maintain trust and transparency between companies and their customers.
Additionally, if deemed necessary, the competent authorities can inform the public about significant incidents or request that companies do so. This process ensures that citizens are aware of issues that may affect the security of their personal data.
Cybersecurity Risk Management Measures

To comply with the NIS2 Directive, businesses, whether classified as “critical” or “significant,” must take appropriate and proportionate technical, operational, and organizational measures to manage the risks to the systems that support their services. These measures aim to prevent or minimize the impact of incidents on both the services themselves and others that may be affected.
These measures should be based on an all-threat approach, with the common goal of protecting networks, information systems, and the physical environment of these systems from all types of incidents. The minimum required measures include:
- Information Systems Risk & Security Analysis
Organizations must conduct regular risk analyses and identify potential weaknesses in their information systems.
- Incident Management
Incident management involves detecting, responding to, and recovering from cyberattacks. Organizations must have plans in place to respond promptly to incidents, minimizing service disruptions and limiting damage.
- Business Continuity Measures (back-ups, disaster recovery, crisis management)
Maintaining business continuity requires the creation of backups, the development of disaster recovery strategies, and the establishment of crisis management procedures.
- Supply Chain Security
Supply chain security is crucial for protecting information systems from threats posed by third-party vendors. Organizations must carefully evaluate and select their partners, ensuring that they also follow high-security standards.
- Security in Systems Acquisition, Development, and Maintenance, Including Vulnerability Management and Disclosure
Security in the acquisition, development, and maintenance of systems is crucial for protecting against vulnerabilities and threats. Organizations must incorporate protective measures throughout the life cycle of their systems and responsibly manage vulnerabilities.
- Policies and Procedures for Evaluating the Effectiveness of Cybersecurity Risk Management Measures
- Basic Computer Training and Management
Employees must be informed about security best practices and understand the importance of prevention.
- Policies Regarding the Appropriate Use of Cryptography and Encryption
The use of encryption is crucial for protecting data from unauthorized access. Organizations should develop policies for the appropriate use of encryption technologies, ensuring that their data remains secure and confidential.
- Human Resource Security, Access Control Policies, and Asset Management
Human resource security involves implementing access control policies and managing business assets. Organizations must ensure that only authorized users have access to critical systems and data.
- Use 2FA, Secure Voice/Video/Text Communications, and Secure Emergency Communications
Using multiple factors for user authentication and implementing secure communications are critical to protecting information. Organizations should implement measures to ensure the safe exchange of information, particularly in emergency situations.
Implementing these measures is crucial to safeguard information systems and maintain business continuity. Compliance with NIS2 requires a comprehensive approach to risk management, ensuring that organizations are prepared to address cyber threats and protect their data.
At TicTac, we are dedicated to providing you with the solutions you need to manage these risks and ensure the security of your business.
NIS 2 Principles & TicTac Solutions
| NIS2 principles | TicTac Solution / Process |
|---|---|
| Risk analysis & IT systems security | We start with an inventory of information assets, a risk assessment, and the appropriate documentation for risk acceptance by management for the risks that exist. We then plan scheduled re-audits and improvement proposals based on the organization’s budget. |
| Incident management | Xcitium EDR/MDR or Acronis EDR/MDR |
| Business continuity measures (backups, disaster recovery, crisis management) | Acronis Cloud Backup (We provide the most advanced fail-safe Backup solutions and create an immediate Disaster Recovery plan for you, as well as documentation for crisis management) |
| Supply chain security | Security Scorecard (External risk assessment software) |
| Security in the acquisition, development, and maintenance of systems | We prepare a security policy (We provide special software for recording Assets and the regular automated application of updates) |
| Policies and procedures for evaluating the effectiveness of cybersecurity risk management measures | We develop a security policy (We provide specific tools that can help in the regular assessment of internal and external cyber risk management) |
| Basic computer security practices and training | Wizer / On-Site Cybersecurity awareness training for staff |
| Policies for the appropriate use of cryptography and encryption | It is covered by the company’s security policy, if it exists; otherwise, a policy is created (we help you create policies in your organization) |
| Human resource security, access control policies, and asset management | It is covered by the company’s security policy, if it exists; otherwise, a policy is created (we help you with Projects that include Active Directory / Microsoft Entra ID) |
| Use of multi-factor authentication, secure voice/video/text communications & secure emergency communications | Solutions that come with projects, such as those from Microsoft or other providers |
TicTac as your NIS 2 Compliance Partner
Complying with the NIS 2 directive can be a significant challenge for companies, but it also presents a unique opportunity to strengthen their cybersecurity. This is where TicTac comes in, as it can be your ideal partner on the path to compliance. With many years of experience in the cybersecurity sector, we provide a range of specialized services to address the requirements of the new directive.
Risk Assessment and Threat Analysis
The first and most critical step in NIS2 compliance is a risk assessment and threat analysis. Our company works closely with your business to identify the most critical threats and define strategies to mitigate them. Through a detailed analysis, we identify the areas that require immediate attention and propose solutions tailored to your specific needs.
Development of Security Policies and Procedures
Creating clear security policies and procedures is crucial to protecting your information systems. Together, we develop customized policies that meet your business requirements, including cyber risk management, security incident response, and ensuring business continuity.
Staff Training and Awareness
One of the most important factors in successful compliance is training your staff. We offer training and awareness programs that educate your staff on how to identify and respond to cyber threats. This strengthens your business’s cybersecurity and reduces the risk of human error, one of the leading causes of cyberattacks.
Implementation of Cutting-Edge Technological Solutions
We offer cutting-edge technology solutions to protect your information systems effectively. From threat monitoring and detection systems to solutions for secure data storage and management, we offer the technologies you need to help you ensure the security of your business in cyberspace. By implementing these solutions, you can be confident that your business is protected from modern cyber threats.
Don’t Neglect It!
NIS2 compliance is not just a legal obligation but also a strategic investment to protect and strengthen your business. By implementing the proper measures and procedures, you can protect your data and information, enhance customer trust, and maintain your competitiveness in the marketplace.
Contact our team today and let us guide you through the NIS2 compliance process, ensuring the security and success of your business in an increasingly digital world.


















