NIS 2

EU mandates: cyber security is a must-have

NIS2 Directive - comply on time

Creating resilience and protection against cyberattacks at the EU level.

To help determine your organization's level of compliance with the NIS2 Directive, download the self-assessment tool.

Find out in which areas you are compliant and in which there is room for improvement.

CONDUCT SELF-ASSESSMENT

What is the NIS2?

The NIS2 Directive is a legislative framework that prescribes measures to achieve a high common level of cyber security and resilience at the EU level.

What is CSA?

The Cybersecurity Act (CSA) is Croatia's transposition of the NIS2 Directive: a national legislative framework that applies in the territory of the Republic of Croatia, published on February 7, 2024.

We have summarized all the key information you need to know about the NIS2 Directive in a single, simple document. Download it, get informed, and find out which key measures are needed to comply with the NIS2 Directive.

DOWNLOAD

Why NIS2 and CSA?

Enhancing cybersecurity at the national and European level.

By implementing this law, Croatia and the European Union in general are strengthening their capacities for prevention, detection, response, and recovery from cyber incidents.

Expansion of application and scope.

Following the experience of the pandemic and emerging geopolitical developments, the EU has recognized the need to extend the application of the Directive to:

  • a larger number of sectors that are crucial for the functioning of the economy
  • all information and cyber systems of obligated entities

Improving international cooperation.

The law enhances international cooperation and sharing of information about incidents, as well as best practices.

Requirements and obligations defined by NIS2

All entities subject to the NIS2 Directive are required to:

  1. Implement a series of organizational and technical measures to secure networks and information systems
  2. Report incidents
  3. Conduct self-assessment and/or a cybersecurity audit

The measures will be detailed further in the forthcoming Cybersecurity Regulation.

Does NIS2 apply to my company?

The NIS2 Directive applies to public and private entities that are:

  • members of the sectors listed in Annexes I and II of the NIS2/CSA, and
  • medium or large enterprises/organizations.

Exceptionally, individual entities that the competent sectoral body determines to be of particular importance can be designated as subjects of the regulation regardless of their size.

Also, since the measures emphasize supply chain security, the scope effectively extends to suppliers and service providers of entities obligated under the NIS2/CSA.

Sectors in scope


NIS1 sectors
  • ENERGY
  • TRANSPORT
  • FINANCIAL INFRASTRUCTURES AND BANKING
  • WATER
  • HEALTH
  • DIGITAL SERVICE PROVIDERS
  • DIGITAL INFRASTRUCTURE

NIS2 sectors
  • PUBLIC ADMINISTRATION
  • FOOD
  • RESEARCH
  • SPACE
  • WASTE MANAGEMENT
  • ICT SERVICES (B2B)
  • POSTAL SERVICES
  • MANUFACTURE OF CRITICAL GOODS
  • PROVIDERS OF PUBLICLY AVAILABLE ELECTRONIC COMMUNICATIONS

NIS2 - a challenge for OT systems

The complexity and criticality of OT systems, their "traditional" separation from IT, and a strong reluctance to introduce risky technological changes pose challenges for their owners. Integrating such systems with IT systems confronts organizations with new risks that they often cannot handle and do not know how to handle.

The NIS2 Directive emphasizes the organization's responsibility for the cybersecurity protection of OT systems. To achieve compliance, all the tasks that have been postponed for years will now need to be completed in a much shorter timeframe, regardless of the risks and challenges.


What if I do not comply with NIS2 – what are the penalties?

In the event of non-compliance with the law, the competent authority has the right to impose:

  • corrective measures,
  • temporary suspensions,
  • prohibitions on conducting business.

Prohibitions on conducting business can be directed towards the obligated entity, but also towards the responsible person. There are also financial penalties for the obligated entity, as well as for the responsible person within the obligated entity.

Fines for the liable entity

  • Essential entities: up to EUR 10 million, or up to 2% of total annual turnover
  • Important entities: up to EUR 7 million, or up to 1.4% of total annual turnover

Fines for the responsible person

  • Essential entities: up to EUR 6,000
  • Important entities: up to EUR 3,000

How to comply with NIS2?

The NIS2 Directive, and with it Croatia's Cybersecurity Act, focuses on:

  • Risk Management
  • Incident Management
  • Supply Chain Management
  • Business Continuity Management

Entities obligated under NIS2 are required to establish a framework for managing risks related to information and communication technologies (ICT) and information and cybersecurity (ICS), with the goal of achieving a common minimum level of security.

If you have already implemented international standards such as ISO/IEC 27001, you have a head start in meeting the Directive's requirements.

Additionally, for OT, compliance will be simpler if you apply the ISA/IEC 62443 series of standards, which addresses cybersecurity for industrial automation and control systems.

Diverto’s approach to achieving compliance with NIS2

The beginning of your journey towards compliance with NIS2 depends on the current maturity level of your information and cybersecurity management system.

We implement measures to achieve compliance through three groups of activities:

  • Governance
  • Resilience testing
  • Monitoring and continuous defense

Because managing information and cybersecurity is an ongoing process, the initial compliance assessment must be periodically re-verified and further steps for enhancing the implemented controls determined.

Find out how each stage of this Diverto approach helps you align with NIS2 and, ultimately, establish a high level of security for your business.

DIVERTO APPROACH

Check if you are compliant with the NIS2 Directive.

Not 100% sure whether the NIS2 Directive applies to your business?

Perhaps you have already taken certain measures and are wondering how compliant you are with its requirements. To assess your security maturity more easily, download the self-assessment tool and begin your journey to compliance with the NIS2 Directive.

CONDUCT SELF-ASSESSMENT