
What’s this, we have to review our company’s cybersecurity?! What are the new Eurorules?

By:
Andreas Meister,
Doris Matteus,
Gregor Alaküla

Actually, there’s nothing that new about them. Anyone who has to consider any aspect of cybersecurity at their company has probably heard the sonorous sounding terms NIS 2, DORA, E-ITS or even ISO 27001.

If this seems to have nothing to do with your company, read on: you are almost certain to have customers or partners whom it does affect. It is worth keeping yourself up to date, whether you are a rank-and-file employee or an executive.

On the Äripäev business daily radio programme “Kasvukursil”, a panel consisting of Head of Risk at Telia Eesti Andreas Meister, Grant Thornton Baltic’s Head of IT Artti Aston and CEO of data security provider FocusIT and Head of IT security at SALVe Doris Matteus discussed data security regulations and standards.

What is NIS 2?

The NIS 2 directive is a new EU directive that establishes new, more stringent cybersecurity requirements for providers of important services. Unlike a regulation, a directive is not directly applicable: each member state has to transpose it into national law. NIS 2 entered into force in January 2023, and its requirements are due to apply in Estonia from October 2024.

The NIS 2 directive applies to companies that provide services or operate in the EU, are at least medium-sized with 50 employees and whose annual balance sheet total or turnover is more than 10 million euros, Artti Aston explained.

The NIS 2 directive applies to your company if you are operating in the following fields:

  • electricity, district heating and cooling
  • oil, gas, hydrogen
  • air, railway, water or road transport
  • banking, financial market infrastructure
  • healthcare, research institutes
  • drinking water, wastewater, waste handling
  • digital infrastructure, ICT service management (business-to-business), digital service providers
  • public administration units, postal and courier services
  • manufacture, production and distribution of chemicals
  • production, processing and marketing of food
  • manufacturing (e.g. of computers, electronics and optical equipment)

Source: “Kasvukursil”, European Parliament website

If your company is in one of these sectors, you will have to take action and get up to speed with the new directive. Of course, you can ask your cybersecurity partner for assistance.

“In the Estonian context, what is important about the NIS 2 changes is that it requires amendments to legislation. But somehow the efforts have stalled out, since we’re still waiting for the draft amendments implementing the NIS 2 directive to become accessible for everyone to read. I think it would be important to Estonian companies to start familiarising themselves with this,” said Meister, expressing criticism.

Meister said the main thing that has to be done in connection with NIS 2 is something Estonian businesses are doing anyway. “It all starts with risk management at a company. The expectation is that companies will devote attention to cyber risks and data security policies. That companies conduct risk analyses, and it is very important that they also have incident reporting processes,” Meister stressed. If you are hit by a cyber incident, for example, the State Information System Authority, the Data Protection Inspectorate or your partners should always be notified.

Although the new regulations seem vague, it is likely we will make a smooth transition to them. Matteus recalled the concerns revolving around GDPR. “Yes, I would definitely draw a parallel to GDPR: if you take part in conferences and seminars, it is a similar atmosphere to the one we had in 2018 before GDPR came into force. No one knew what would happen,” said Matteus and added that a trustworthy company would get up to speed with the topic one way or another.

Still, does every company have the resources to do its research and bring itself into conformity with the requirements? No, and they don’t have to. Meister gave the example of general medicine centres. “In practice, we don’t imagine that a GP centre would start organising all this alongside its everyday work. If I were a family wellness centre’s IT person, I would outsource the services I needed pursuant to the standard,” he said.

A separate regulation called DORA (Digital Operational Resilience Act) will apply to companies in the financial sector in Europe. Guests on the program said this regulation will require an even broader review of cyber risks. DORA comes into effect on 17 January 2025.

What is DORA?

DORA deals with digital operational resilience in the financial sector and establishes rules for ICT risk management, ICT-related incident reporting, digital operational resilience testing and managing ICT third-party risk. Until now, ICT risks in the financial sector had not been governed at the level of an EU regulation, but rather through more general guidelines, with ICT risks regulated differently in different member states. DORA establishes requirements for financial sector enterprises that are both more specific and broader in scope, and, because DORA is a regulation rather than a directive, these requirements apply directly without national transposition. In addition, technical standards (regulatory and implementing technical standards) supplement the regulation, and financial enterprises will have to implement them once the regulation applies.

Source: “Kasvukursil” and www.digital-operational-resilience-act.com

If your company is in the purview of both NIS 2 and DORA, DORA is the more important one and takes precedence for financial sector companies, said Matteus. Artti Aston added that various e-money organisations and investment firms’ crypto asset services are also covered by DORA. “There are some sorts of exceptions with additional compliance requirements. What’s important about DORA is that IT services that provide services to financial credit institutions are also partially under supervision of this regulation,” said Aston.

Companies must always bear in mind that their partners have to be competent in managing data security and must also meet the same requirements that the company itself has to comply with.

Knowledge about several standards is necessary for conforming to the requirements. For instance, ISO 27001. “This standard makes it quite easy to prove to your client that we have a certain level of data security; certain processes in place, they are expected to work, since they have been audited by an independent auditor,” said Matteus in summing up.

What is ISO 27001?

ISO 27001 is the international standard for information security management. It defines a systematic approach for establishing, implementing, maintaining and continually improving an information security management system (ISMS) in an organisation. Organisations can be certified against ISO 27001 to demonstrate to clients and other parties that they take information security seriously and have implemented appropriate controls for keeping information safe; the certificate is issued after an audit by an independent, accredited certification body.

ISO 27001 certification is beneficial for organisations that need to administer and safeguard different types of information and whose activity is related to data security, e.g. the financial sector, healthcare, IT etc. In addition, it is necessary for organisations whose partnership with the state, private sector or NGO sector organisations depends on effective compliance with data security standards.

Source: “Kasvukursil” and itgovernance.eu

Actually, Estonia has its own IT security standard, E-ITS. “It isn’t a set of rules that have to be followed. It’s a standard that ensures that I have set goals or fulfilled requirements. There is a menu of different standards here, like ISO 27001. It is a means of substantiation,” said Aston.

The guests emphasised that the number of cyber incidents is continually growing in Estonia. Meister stressed that IT services are constantly tested. “Someone is always trying to case the joint for some security vulnerability. They are constantly knocking on the doors. Once a vulnerability has been identified, even if it seems innocuous, it means cyber criminals have gained entry and will not fail to exploit the opportunities.”