The NIS 2 Directive has been issued. Now what?
Tamás Tóth
2023.01.10
On December 27, 2022, the European Union published the NIS2 Directive (Directive (EU) 2022/2555) in the Official Journal; it entered into force on January 16, 2023. Member States must transpose its provisions into national law by October 17, 2024. The directive broadens and tightens the cybersecurity requirements of its predecessor, particularly for the “essential entities” and “important entities” operating within the EU.
Organizations Covered
The Directive applies to essential and important entities whose disruption could significantly impact society and the economy. Essential entities are typically found in the sectors of high criticality, such as energy, transport, banking, health, and digital infrastructure. Important entities span the other critical sectors, such as postal services, waste management, food production, and digital providers. As a rule, micro and small enterprises are out of scope; the size threshold is the main criterion, but the Directive lists exceptions where an entity is covered regardless of its size (for example, certain providers of digital infrastructure and public administration entities), so a small organization should not assume it is exempt without checking.
Management Accountability
A notable requirement is the accountability of management. The management bodies of covered organizations must approve the cybersecurity risk-management measures and oversee their implementation, and they can be held liable for infringements. Management members are also required to undergo relevant cybersecurity training so that they can identify risks and assess the measures, and the organization should offer similar training to its employees on a regular basis.
Key Security Measures
The Directive outlines a minimum set of mandatory cybersecurity risk-management measures, including:
- Risk analysis and information security policies
- Incident handling policies
- Business continuity (e.g., backup management, disaster recovery and crisis management)
- Supply chain security, including the security of relationships with direct suppliers and service providers
- Vulnerability handling and disclosure
- Basic cyber hygiene practices and cybersecurity training
- Multi-factor authentication and secured voice, video and text communication systems
Existing frameworks like ISO 27001 and the NIST Cybersecurity Framework can aid in compliance. The European Commission may introduce further technical requirements to clarify these measures.
Incident Reporting
Organizations must report significant incidents to the national CSIRT or competent authority (in Hungary, the National Cyber Defence Institute) without undue delay. The process consists of several stages:
- Early warning: within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident notification: within 72 hours of becoming aware of the incident, updating the early warning with an initial assessment of its severity and impact and, where available, indicators of compromise.
- Intermediate report: on request of the CSIRT or the competent authority, on a case-by-case basis.
- Final report: no later than one month after the incident notification, summarizing the incident, its severity and impact, the root cause, and the mitigation measures taken.
Steps for Compliance
The first step is for an organization to determine whether it falls under the Directive’s scope, and if so, whether it is an essential or an important entity. Early preparation is crucial, particularly for organizations with low cybersecurity maturity: achieving compliance may require adopting a recognized framework, performing a gap assessment, and enhancing internal processes well ahead of the October 2024 deadline.
By addressing these requirements, organizations can enhance their resilience and align with the EU’s evolving cybersecurity landscape.