29 August 2024

The introduction of the NIS2 Directive marks a milestone in the European approach to cyber security. While this piece of legislation is supposed to increase resilience against hacking attacks, many companies, including those in the maritime sector, still face implementation challenges. Obligations that stem from the need to comply with the directive require the identification of key risks and the introduction of security procedures, which in turn will make it easier for companies to obtain insurance policies against cyber threats.
By 17 October 2024, Polish companies in sectors deemed critical and important are required to implement the recommendations of the EU’s NIS2 Cyber Security Directive. These regulations also apply to all entities that cooperate with them in the supply chain. The document, which came into force on 16 January 2023, is the basis for the operation of cyber security systems in the EU space, including for seaports, shipping, the TSL sector, offshore wind and the shipbuilding industry.
Among the sectors identified as critical and requiring the most protection are transport (water, land and air), energy (including RES) and public administration (including maritime administration). The important sectors, in turn, include industry, among it shipyards. One important aspect of the NIS2 regulations is that companies must themselves determine whether they are subject to the EU rules: it is up to the entity to assess whether its scope of activities qualifies it for implementation of the directive, although the range of industries covered by the regulations seems quite clear. Until now, under the NIS1 rules, it was the ministry responsible for a given sector of the economy that, by administrative decision, designated the so-called key service operators subject to the regulations. In the maritime and transport sector, there were ca. 30 such entities. Now, this number should increase significantly.
Furthermore, according to NIS2, it is of paramount importance for the security of companies in the sectors identified as critical and important to control the supply chain and “take into account the risks arising from the entity’s relationships with third parties, such as data storage and processing service providers, security service providers and software providers”. In these regulations, the European Union emphasises “supply chain security, including the security aspects of the relationship between each entity and its direct suppliers of products or services”.
NIS2 imposes obligations on all companies in critical and important sectors to, inter alia, provide risk analysis and security policies for information systems, ensure security in the acquisition, development and maintenance of networks and information systems, provide procedures to assess the effectiveness of cyber security risk management measures, handle incidents and ensure business continuity and crisis management. NIS 2, to improve international cooperation, also establishes the EU Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will, inter alia, support the coordination of large-scale incident management at European Union level.
Incident handling, and therefore having its own Security Operations Centre (SOC) department, will be particularly sensitive. This is because companies will have to provide an "early warning" report within 24 hours of detecting an incident, followed by an initial assessment within 72 hours. They also have one month to submit a final report. Failure to do so can result in financial penalties, and these are very severe – up to €10 million or 2% of the total annual turnover of the company concerned. NIS2 also imposes direct management liability for failures to implement the EU regulations, such as a temporary ban on holding management positions, including on boards of directors and supervisory boards. Notably, NIS2 provides for inspections, audits and security scans by the relevant supervisory authorities, as well as requests for evidence of the implementation of cyber security policies from the entity concerned.
As a result, it seems optimal to outsource the handling of the SOC and all cyber security to specialist companies. Cyber security specialists also point to the introduction of XDR (extended detection and response) functionality, which is becoming one of the core requirements under NIS2. It enables faster detection of threats and more efficient work and response.
Article developed with Namiary na Morze i Handel magazine
Photo: Namiary na Morze i Handel magazine