Networks and information systems play a crucial role in both society and our daily lives thanks to digital transformation. However, in parallel, this evolution has also led to an increase in cyberthreats.
This poses a major challenge in terms of achieving immediate, adapted and coordinated responses from the European Union, which, by way of various regulations, is making significant efforts to guarantee cybersecurity for its citizens. This was demonstrated by the “Directive (EU) 2016/1148 of the European Parliament and of the Council”, better known as the NIS Directive.
Within the framework of this Directive, one of the main issues that remained unresolved was the significant differences between the Member States in terms of the implementation of cybersecurity measures, which generated greater vulnerability in some cases as regards cyberattacks with potential Union-wide impacts. This gave rise to “Directive (EU) 2022/2555 of the European Parliament and of the Council”, better known as the NIS2 Directive, with the main objective of improving cybersecurity protection for both consumers and businesses. To this end, it has established common minimum requirements for the management of security risks and reporting of incidents to the Competent National Authorities in a coordinated manner.
Implementation of the NIS2 Directive
The NIS2 Directive has expanded and specified the definition of essential service providers to include qualified, trusted service providers. This enables the scope of application by sector to be extended to a larger part of the economy, in order to provide complete coverage of the sectors and services essential to both social and economic activities. It should also be noted that solutions and penalties are foreseen in order to guarantee its effective compliance.
This regulation puts an end to this being of a voluntary nature, by obliging companies to be responsible, implement protection measures to control, manage and supervise risks, and continue to improve resilience and responsiveness. This is all undertaken with one aim: to minimise the vulnerability of the general security level of the Union’s networks and information systems.
Cybersecurity obligations
Additionally, the NIS2 Directive puts significant emphasis on the importance of adopting a wide range of basic cyber hygiene measures, such as zero trust principles, software updates, device configuration, network segmentation, identity management, user access and awareness, the organisation of training for staff and raising awareness of cyberthreats. A clear way to help improve both the detection and prevention of cyberattacks.
This is demonstrated by the fact that with the new regulations, certifications and audits that were previously a recommendation or indicative of good practices are now mandatory for this type of company. Additionally, companies must have a Security Officer. The CISO must be duly qualified and dedicated exclusively to the management of the company’s cybersecurity.
Prior to its approval, Logalty Group had already complied with most of the requirements established in the new NIS2 Directive. Given its various security certifications, the company had been audited by an external company. Oscar Conesa, CISO for Loyalty Group, emphasises that this directive is geared towards the importance of ensuring both governments and companies being prepared, accepting responsibility and implementing all the necessary measures to ensure cybersecurity in all member countries.
