Additional FAQ #40

Closed
opened 2025-07-24 13:55:50 +02:00 by edelic1 · 2 comments
edelic1 commented 2025-07-24 13:55:50 +02:00 (Migrated from gitlab.com)

How can my company show that we are compliant with NIS2?
There is no official "NIS2 certification." Instead, you need to show that you meet the law's requirements. A good way to do this is by using an existing international framework, like ISO 27001 or the NIST Cybersecurity Framework. These standards are well established and cover about 80% of what NIS2 requires. You will still need to address the specific requirements of NIS2, like providing cybersecurity training for your management board. The most important thing is to prove you have a risk-based approach to security.

How will the authorities enforce these rules?
Enforcement will happen in two ways. The first is reactive. If your company has a significant security incident, you must report it. The authorities will then investigate and ask for proof of your security measures. The second is proactive. Authorities will conduct audits and inspections. They will likely start with the most essential entities and then expand their checks over time. This approach is similar to how GDPR was rolled out, with fines starting small and increasing after a couple of years.

If my company has an incident, what will authorities focus on?
Based on our conversations with authorities, they will likely ask for proof of a few key security practices. They will want to see that you use multi-factor authentication (MFA). They will also check your backup and recovery procedures. Finally, they will look at your process for patching and updating systems.

What are the potential fines for not complying?
The directive sets the maximum possible fines. For "essential" entities, fines can be up to 10 million euros or 2% of the company's total global turnover, whichever is higher. For "important" entities, it is up to 7 million euros or 1.4% of turnover, whichever is higher.
Keep in mind these are maximums. Most countries will have a tiered system that starts with warnings before issuing large fines.

What are the business benefits of complying with NIS2?
Beyond avoiding fines, there are real business advantages. Being compliant can be a market differentiator that helps you win clients who care about security. For some industries, it’s becoming a "license to operate." For example, some governments will only buy from suppliers who can prove they are NIS2 compliant. Most importantly, these rules are based on good security practices that protect your business from data theft, financial loss, and reputational damage.

My company has offices in several EU countries. Do we have to follow each country's specific law?
Yes, each legal entity has to follow the local laws in the country where it operates. However, because all these national laws are based on the same EU directive, they are very similar. The best strategy is to create one central set of security policies at the headquarters that is strong enough to meet the requirements of all the different countries. This creates a consistent, high standard across your entire organization.

How can I find out if my country has officially adopted the NIS2 law?
ENISA, the EU's cybersecurity agency, has a website that tracks the status of each country. These online trackers can sometimes be out of date, though. For the most current information, you can work with a cybersecurity or legal partner. You can also contact your country's national authority directly. They are there to help, not to be an adversary.
amirsabani303 commented 2025-08-12 20:17:10 +02:00 (Migrated from gitlab.com)

mentioned in merge request !52
amirsabani303 commented 2025-08-12 20:17:15 +02:00 (Migrated from gitlab.com)

mentioned in commit aeaec99621
amirsabani303 (Migrated from gitlab.com) closed this issue 2025-08-12 20:17:15 +02:00
Reference: senaduka/old-riskletpy#40