The GDPR was nothing in comparison: the deadline for the creation of the NIS2 framework is approaching

Thousands of domestic companies are affected by the revised EU cyber protection directive (NIS2), which means that many domestic companies have to build their cyber protection systems completely from the ground up. The new rules apply to companies that employ at least 50 people or have an annual turnover of more than 10 million euros, perform activities defined by law, and all organizations that perform essential functions in terms of the economic and social development of the EU. The companies concerned had to apply to the Regulatory Authority for Regulated Activities by June 30 this year, and they must meet the requirements of the regulation by the end of this year, December 31, 2024.

But what does this mean in practice?

The main points of the requirements include risk analysis and management, prevention and detection of cyber security incidents, their reporting and management within a given time window, access management, use of encryption and ensuring the continuity of business processes during cyber security incidents. The protection must also cover the acquisition, development and operation of electronic information systems and the software and hardware products used by them. According to the directive, every enterprise can be classified into a security risk group and must implement specific administrative, logical and physical measures associated with that category.

“A critical issue in terms of meeting the NIS2 requirements is whether the given company has previously dealt with cyber security issues. If the company concerned has to build a system completely from the ground up due to the new guidelines, it means a significant investment and an extra burden both in terms of infrastructure and human resources.”

– said Berki Gergő, TOPdesk Hungary business manager.