By October 17, 2024, Member States of the European Union (EU) will have to transpose into national legislation the new NIS Directive that reflects increased obligations for States, Essential Entities (formerly called Operators) and Central and Local administration. Among the novelties are fines of up to ten million euros or 2% of turnover, and direct accountability of the top management of organizations.

A set of lessons learned regarding the inefficiencies of the previous directive were also identified, and an attempt was made to correct the disparities identified in the transposition into the national legislation of the member states.

The changes come six years after the publication of the first Directive, at a time when the report recently published by the Cybersecurity Observatory on the cybersecurity landscape in Portugal in 2022 presents some improvements in terms of awareness and education and in the adoption of more security measures in the field of ICT, alongside some negative points such as the reduction in the number of information security strategies in Public Administration.

Without devaluing the good work that is done with a lot of effort, these achievements are not enough to face the rapid evolution of the threat environment. In Portugal, the profusion of cyber-attacks in 2022 (those that became public knowledge) was historic and forced the top management of public and private organizations to give more importance to this issue.

However, the involvement of top management does not always correspond to a commitment to a strategy and a medium- to long-term plan, nor to adequate risk training, prioritization of investments and, above all, timely decision-making that only top management can take.
Therefore, the pragmatic and assertive way in which the Directive introduces obligations for top management, as well as forms of accountability, is very relevant.

The management bodies will be responsible for approving risk management measures and supervising their application, and may be held responsible for any infringements committed.
The Directive goes so far as to define a list of ten minimum requirements relating to these measures.

These demands will require a greater level of commitment from the leadership of organizations than has been the case so far and, therefore, it is not surprising that the Directive provides that members of the top management bodies “are required to attend training sessions” within the scope of cybersecurity risk management and that similar training actions should be “regularly carried out for its workers”.

Along with these measures, there are also others that strengthen the powers and capacities of the competent authorities, very focused on supervision and dissuasion.
In terms of supervision, on-site inspections and regular security audits stand out, but it is at the level of dissuasive powers that the biggest surprises arise, namely in cases of non-compliance with the instructions provided for in warnings and/or orders relating to audits, security measures and mandatory notifications.

In the event of such non-compliance, and as a last resort, the competent authorities will have the power to order or judicially request the temporary suspension of part or all of the activities of the essential entities.
Additionally, the competent authorities will have the power to “Request that the competent bodies or courts (…) temporarily prohibit any natural person with management responsibilities at the level of executive management or legal representation from exercising management functions in that essential entity.”

Six years after the NIS Directive, the legislator’s challenge is directly addressed to the leadership of public and private organizations that ensure the provision of essential and important services to life in society and the regular functioning of institutions.
However, the road to October 17, 2024 will not be easy or painless, and organizations are one budget away from achieving timely compliance.
On the one hand, it is very likely that leaders will be faced with the need to review decisions taken in the past, and it is expected that the complexity of the issues will cause a feeling of overload. On the other hand, the financial and organizational demands will be high. However, I admit that the biggest challenge will be about an equally scarce resource for organizational leaders: their time.

So what would be the first steps that leaders could take?

Here are some suggestions for quick wins:

– Validate with the CNCS whether your organization is expected to be identified as an essential entity or an important entity under the directive (see list of sectors in Annex I of the Directive).

– Review the existing cybersecurity strategy and verify that the investment plan guarantees compliance by October 17, 2024.

– Approve and supervise the implementation of adequate and proportionate technical, operational and organizational measures to guarantee a level of security of networks and information systems appropriate to the risks posed.

– Implement the necessary internal governance changes to reflect the central and transversal role of cybersecurity, ensuring direct reporting to management bodies.

– Consult the CISO to identify training in cybersecurity, including risk management, to build capacity for management bodies.

– Ensure that the conditions are in place for timely compliance with the information obligations established by the directive.

2023 therefore opens with new challenges for cybersecurity leaders who, now, in addition to responding to the growing threats of cybercrime, also have to respond to the increased demands of the legislator.

By bfrpx
