NIS2 Requirements in Cyprus: Navigating the Compliance Requirements and its Integration into National Law

The NIS2 Directive entered into force on 16 January 2023 and, as a revised version of the initial NIS Directive (2016), aims to further harmonise and set specific cyber security standards and obligations across the EU. In an ever more digitally connected environment, cyber security has become one of the most significant components for the smooth and secure operation of the global markets, whilst at the same time balancing the need for individuals to be able to interact in a digital environment that safeguards their rights and freedoms.

The provisions of the NIS2 Directive will be transposed into national law in Cyprus under the Security of Networks and Information Systems Law (89(1)(2020)) (hereinafter “the Law”), which is expected to be put into force by 18.10.2024.

Some of the major changes NIS2 introduces, and the key takeaways, are addressed in this article.

The Directive now covers both medium and large entities:

  • Medium enterprises are considered those with 50+ employees and an annual revenue of more than 10 million euros
  • Large enterprises are considered those with 250+ employees and an annual revenue of more than 50 million euros

There is now a new classification of the entities intended to be covered under the Directive:

The Directive applies equally to public and private entities in sectors of high criticality. The high criticality sectors are further divided into Essential and Important Entities. Essential Entities differ from Important Entities in the sense that a cyber disruption affecting them can have significant consequences for the member state’s society.

Essential Entities are entities operating in the following sectors:

  • Energy
  • Transport
  • Banking
  • Financial Market Infrastructure
  • Health
  • Water Supply
  • Digital Administration
  • Space industries

Important Entities are entities in the following sectors:

  • Postal services
  • Waste Management
  • Chemical Production
  • Distribution
  • Food Production

Cybersecurity Risk Management Requirements:

Article 21 of NIS2 requires Essential and Important Entities to have in place proportionate and appropriate technical and organisational measures that safeguard the security of their network and information systems, including, among others:

  • A sufficient set of policies on risk identification, analysis and system security
  • Incident management, handling and reporting procedures
  • Business Continuity controls, disaster recovery and crisis management
  • Supply chain security
  • Policies and controls regarding cryptography and encryption
  • Multifactor authentication and secure communication systems
  • Cybersecurity Training
  • Access control policies and asset management

While the above may sound like familiar practice to most organisations, NIS2 essentially sets an EU-wide standard, so that network security in the EU is enhanced and harmonised across all member states and for all entities that fall within the scope of the Directive.

Incident Reporting Obligations:

Organisations are required to report to their competent authorities any cyber security incident that can have a significant impact on their services or affect society as a whole.

An incident is considered significant when:

  • It can result in a severe disruption of services or financial loss
  • It can affect the rights of individuals, resulting in significant material or non-material damage (it is important to note that non-material damage can cover distress, mental health impact on the individual, etc.)

Organisations are required to report a significant incident to the competent authority within 24 hours of becoming aware of the incident – this is known as the ‘early warning incident’.

Within 72 hours, organisations shall update the information and status of the early warning with a report that addresses the severity of the impact and the indicators of compromise.

A final report is also required under the new provisions of the Directive, within one month of the initial submission, providing a detailed description of the incident, the severity of its impact, its root cause and any applicable mitigating measures, as well as any cross-border impact of the incident on other member states.

Competent Authority and Enforcement Action:

In line with NIS2, member states shall designate a competent supervisory authority that is responsible for the implementation of, and compliance with, the Directive.

In Cyprus the designated supervisory authority is the Digital Security Authority (DSA) and the Commissioner of Communications.

The DSA has published on its website the revised amending law, which is expected to pass in full by the end of October and can be accessed here.

The Law transposes NIS2 in its entirety and provides that the DSA can issue fines to Essential and Important Entities for breaches of, or failure to comply with, the Law of up to 10 million euros or 2% of the company’s total annual worldwide turnover, whichever is higher.

In addition to administrative fines, the Law also provides for additional enforcement powers, such as:

  • On-site inspections
  • Suspending certifications and authorisations for services provided by an organisation
  • Ad hoc audits where justified, or as a result of a significant incident or infringement
  • Requests for information and access to an organisation’s data in order to carry out inspection and supervisory tasks
  • Requests for evidence of the implementation of policies and procedures

Interplay with other Regulations and Challenges:

NIS2 coexists with other EU-wide regulations that focus on the protection of the information society, personal data and individual rights. There is therefore an element of interplay between NIS2 and the GDPR, since a cyber incident may very well involve personal data. In such a case the two competent authorities can cooperate as part of their investigation process. However, it is important to note that different breach notification processes and timelines apply under each regime.

Another important point is that an organisation can be fined by each of the two competent authorities.

What should you be focusing on or keeping an eye out for?

Organisations and entities that fall within scope shall review their control environment to ensure that it is adequate against the cyber security standards provided under NIS2. In anticipation of the new requirements, organisations shall therefore ensure that:

  • Policies and procedures are updated
  • Gaps in the control environment are identified and an action plan for their resolution is set
  • Ongoing cyber security risks are assessed and appropriate mitigating actions are identified
  • Appropriate training is provided to members of staff and key personnel to ensure a sufficient understanding of the compliance requirements

The content of this article is valid as at the date of its first publication. It is intended to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on your specific matter before acting on any information provided. For further information or advice, please contact Lefteris Eleftheriou, Trainee Lawyer at our Nicosia Office, Tel +357 22 447777 or email Lefteris.Eleftheriou@kyprianou.com.