- The Law will apply to as many as nineteen different sectors
- The competent authorities will notify companies of their classification by sectors
- In addition to obligations, certain penalties are also foreseen for companies
It is unfortunately not news that the number of incidents related to cyber attacks has been steadily increasing in recent years. There is hardly a company, government institution, or individual who has not encountered some form of attempted cyber attack, whether ransomware, phishing or even identity theft. The problem is that many attacks remain unreported. Cyber attacks cannot be prevented entirely, but to strengthen resilience against them, a new Cybersecurity Law based on the European NIS2 directive came into effect yesterday; every EU member state, including Croatia, is obliged to transpose that directive into its own legislation.
Compared to the NIS Directive from 2016, which Croatia adopted in 2018, the new Law significantly expands the scope of application to as many as nineteen sectors divided according to risk levels. For example, in the high-risk group are energy, transport, banking, financial market infrastructure, healthcare, management and supply of drinking water, wastewater, digital infrastructure, management of ICT services, the public sector, and space. Other risky sectors include postal and courier services, waste management, the chemical industry, the food industry, manufacturing, digital services, and education.
Direct and Indirect Obligors
The new Law obliges entrepreneurs to implement cybersecurity measures in their operations, not only technical measures but a whole range of measures related to the establishment of security procedures. The extent of these measures will largely depend on the categories into which companies will be classified, of which each company will be informed. Marko Gulan, a cybersecurity consultant at Schneider Electric for Southeast Europe, emphasizes that companies have a deadline of 18 months from the date the Law comes into effect (i.e., from February 15) to align their systems with legal requirements. The first step in this is a risk assessment, but Gulan recommends hiring experts for this.
– Although the Law states that companies can conduct self-assessments of security, this is not advisable, as self-assessments can be extremely subjective and as such will not reflect actual needs. Companies should definitely turn to external audit service providers who will create meaningful analyses based on which they can develop a plan for implementing adequate security measures – says Gulan.
It is also important to note that the new Law places special focus on supply chains, which means that the number of entities actually obliged to implement security solutions will be significantly larger.
– Such companies will be indirect obligors for implementing measures. If we look at the sectors defined by the NIS2 directive, it is already clear which companies will be obligors and which will not. Therefore, another crucial step is to analyze which companies we collaborate with and timely inform the supply chain about the obligation to comply – notes Gulan.
As explained by Bojan Ždrnja, the Chief Technology Officer at Infigo, which advises organizations on information security, this change will require companies covered by the Law to make more extensive investments in information security. Therefore, experts from Infigo recommend that entrepreneurs start by reading the Law itself, specifically Annexes I and II, to determine which critical sector they belong to.
– It should be noted that the competent authorities will send questionnaires to all entities based on which they will be officially classified. Of course, as information security is a process, entities can already start aligning with relevant security standards today, which also include NIS2 – says Ždrnja.
Predicted Penalties
Perhaps penalties should not be a motivation, believes Gulan, but significant penalties are foreseen for violations of the Cybersecurity Law, which will certainly motivate companies to invest in the implementation of security measures. Namely, fines for administratively liable key entities can range from 10,000 to 10 million euros or from 0.5% to 2% of the total annual revenue of the company achieved in the previous financial year.
For administratively liable important entities, the predicted fines range from 5,000 euros to 7 million euros or from 0.2% to a maximum of 1.4% of the total annual revenue of that entity, also achieved in the previous financial year.
There Are Still Many Unknowns
As with any new law, the Cybersecurity Law also brings uncertainties, especially now during the initial phase. Currently, the biggest uncertainty, says Ždrnja, is the aforementioned classification that the competent authorities will make within a year. Gulan also considers the creation of a register and the sending of notifications to companies about the category into which they fall a key step. Furthermore, although the Law is in effect, Gulan emphasizes that the legislator still needs to define subordinate acts and regulations that will provide clearer insight into specific measures.
– Some articles of the Law contain very general instructions, such as ‘establishment of adequate protective measures’ where it is unclear what those adequate measures are. If protective systems are not specifically stated, there are significant challenges in implementing inadequate measures that will not make systems resilient. A particular challenge can be highlighted in industrial systems, which still have deficiencies in basic protective measures today. A recommendation for industrial systems would certainly be to align with the provisions of the IEC 62443 standard, a global standard for industrial facilities. Likewise, one of the articles of the Law regarding incident handling states that upon the occurrence of incidents, the company must form a team to handle that incident. However, companies should have defined procedures even before the incident occurs, because if a team is formed after the incident, the threat can be significantly greater – warns Gulan.
Additional Resilience for Companies
However, in line with EU objectives, this urgently needed Law will provide Croatian citizens, companies, and public institutions with a higher level of cybersecurity. One of the goals of the Law is to bring entities that are key to the functioning of society to an equal or approximately equal level of information security, which, emphasizes Ždrnja, will certainly result in additional resilience to cyber threats.
– The Law as such is also a certain ‘lever’ that will give entities a mandate for increased investments in information security. Additionally, entities covered by the Law will be obliged to report security incidents, which will allow for a more transparent insight into the state of information security. Key entities will also have to conduct independent audits by accredited companies and state bodies, which will ultimately also increase the level of information security – believes Ždrnja.
The Law itself and its enactment will not stop threats, warns Gulan.
– If the Law is not enforced and if obligors do not take it seriously, threats will be more devastating for business. The times ahead will only bring an increasing number of threats, and the implementation of security solutions will help companies achieve a significant level of security – concludes Gulan.