The NIS2 Directive now has an application date
On January 5, 2023, the NIS 2 directive came into force in Spain. The new directive 2022/2555 updated the previous regulations on the security of networks and information systems of the European Union contained in the NIS 1 Directive promulgated in 2016.

NIS 2 establishes a common framework within the EU. This framework includes cybersecurity measures for strategic sectors in the Union, expanding these sectors compared to the previous NIS Directive.
These strategic sectors encompass both public and private entities and are considered “strategic” due to their relevance to the economy and citizens within the European Union. A total of 18 strategic sectors of activity have been identified, covering diverse areas such as financial services infrastructure, ICT service management, research, food, education, healthcare, the energy sector, trade, transport, and defense, among others.
New features of the new Directive
The NIS 2 directive differentiates between “core entities” and “important entities,” based on the high criticality of their business sectors. Within this classification, it considers qualified trust service providers like Víntegris as critical service providers, and specifically, their activity falls under the category of services provided by “highly critical” sectors.
This Directive aims to define a common framework for Member States regarding cybersecurity and how to address existing risks in this area. To this end, Member States must adopt and approve the necessary measures to comply with the requirements set out in NIS 2 by 17 October 2024.
NIS 2 establishes the requirements that must be considered for the management of cybersecurity risks, setting a minimum of technical, operational and organizational measures that must be implemented to prevent, detect, and minimize security incidents that affect the services provided, and to guarantee the resilience of the systems that support the provision of these critical services.

These measures are based on the existence of a security policy and the periodic performance of risk analyses, along with the adoption of the necessary security measures for the treatment of the risks detected.
Security measures include: security incident management, ensuring business continuity, protecting the supply chain, using cryptography, human resource security, cybersecurity training and awareness, establishing measures such as the use of MFA (Multi-Factor Authentication) to ensure authorized access to resources, physical security of facilities, secure development, vulnerability analysis, and other measures that must be developed by each Member State of the Union, based on existing security standards.
The Directive also establishes the obligation to report security incidents, taking into account their classification. It provides for affected entities to notify the reference CSIRT (Spanish Cybersecurity and Incident Management Teams) in each Member State, and for collaboration between the different CSIRTs to promote knowledge management in cybersecurity and the adoption of measures that prevent the materialization of incidents.
Víntegris, as a qualified provider of trusted services, must comply with the security measures defined for organizations considered to provide critical services. Our objectives and security policy are aligned with internationally recognized security standards such as ISO 27001:2022 and the National Security Framework. Víntegris’ Information System, which supports the services offered as a Trusted Service Provider, is certified under these standards, allowing us to optimally address compliance with the requirements established by the NIS 2 Directive.
At Víntegris, we continue working to guarantee the security and privacy of the services provided to our clients, complying with current security standards.