The NIS2 directive is the biggest change in the area of cyber security in the European Union in recent years. Many owners of small and medium businesses wonder whether this regulation means anything for them. In this article we explain in simple terms what NIS2 is, who it applies to and how to prepare.
What is the NIS2 directive
NIS2 is a European Union directive that sets common rules for cyber security. Its goal is to raise the level of protection for essential services and digital infrastructure across the EU. It has been transposed into Croatian law through the Cyber Security Act, which means the obligations are not just a recommendation but a legal requirement.
Unlike its predecessor, the original NIS directive from 2016, NIS2 significantly broadens the range of companies it applies to, sets a minimum list of security measures they must implement, and gives national authorities the power to supervise and to impose penalties on those who fail to comply.
Does NIS2 apply to your business
NIS2 does not cover every single company, but the range of those obligated is wider than many think. In general, the directive targets medium and large companies (by the EU definition: 50 or more employees or an annual turnover above EUR 10 million) in the sectors it lists as critical, where covered organisations are classified as either essential or important entities. A small number of entity types, such as DNS and domain registry providers and trust service providers, are covered regardless of size. The sectors include, among others:
- energy, transport, water supply and healthcare,
- digital infrastructure and IT service providers,
- manufacturing, the food industry and waste management,
- postal and courier services.
It is also important to understand that obligations cascade through the supply chain. Even if your company is not directly obligated, a large client that is obligated must assess the security of its suppliers and may ask you for evidence of your security measures before continuing to work with you.
What obligations it brings
NIS2 requires obligated entities to take risk management seriously. The directive lists ten minimum measures (including business continuity and backups, access control and multi-factor authentication, cryptography, and staff training); in practice the key areas are:
- Risk management: regular assessment of threats and vulnerabilities, and measures to reduce them.
- Incident reporting: significant security incidents must be reported to the competent authority within prescribed deadlines. NIS2 sets an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours and a final report within one month.
- Supply chain security: checking the security of suppliers and partners, including the contractual and technical measures they apply.
- Management accountability: company leadership must approve and oversee the security measures, receive training, and can be held personally liable; responsibility cannot simply be delegated to the IT department.
How to prepare
Preparation does not have to be daunting if you start gradually. The first step is to understand where your company stands today, which systems you use, which data is sensitive and where the weak points are. A vulnerability assessment helps here and, if needed, penetration testing that shows how resilient your systems really are.
At Mat-Tech we help businesses take that first step. Through vulnerability assessment and penetration testing, in cooperation with our partner Bastion Information Security and the pentesting.hr platform, we determine where you stand and what specifically you need to improve for compliance.
Whether you are directly obligated or a supplier to a company that is, investing in cyber security today protects your business tomorrow. NIS2 is a good reason to take security seriously, not because of penalties, but for the resilience of your own company.
Need help preparing for NIS2?
Get in touch for a vulnerability assessment and compliance consulting.
Contact Us