By wordpress
WHERE AND HOW TO APPROACH THE IMPLEMENTATION OF THE NEW INFORMATION SECURITY ACT?
NIS2 Directive and the New Information Security Act (ZInfV-1)
The Government Office for Information Security (URSIV) of the Republic of Slovenia is preparing a new Information Security Act (ZInfV-1), which will transpose the European NIS2 Directive (Directive on measures for a high common level of cybersecurity across the Union) into Slovenian legislation. This directive, adopted in December 2022, requires EU member states to implement it into their legal frameworks by October 17, 2024.
What does NIS2 bring?
The NIS2 Directive represents a significant step forward in improving cybersecurity resilience across the EU. It updates the existing legal framework to reflect rapid digitalization and emerging cybersecurity threats. The main goals of the directive are:
- Improved resilience: By extending the rules to more sectors and entities, organizational resilience against cyber threats is strengthened.
- Faster incident response: The new regulation allows for better preparedness and responsiveness in the event of cyberattacks.
- Enhanced protection: The directive contributes to higher cybersecurity standards for companies, EU member states, and the Union as a whole.
The scope of NIS2 is broader than previous legislation, encompassing new entities previously not subject to information system security obligations. Organizations already covered by the earlier Information Security Act (ZInfV) will also be affected, requiring them to further strengthen the security of their systems and processes.
A step-by-step approach to NIS2 implementation with ADD as your partner:
1) Self-assessment. In partnership with leading experts, we guide you through the self-assessment process to determine whether your organization is subject to the NIS2 directive.
2) Risk and vulnerability assessment. If your organization falls under the scope of the directive, the next step is a risk and vulnerability assessment. This includes evaluating all business processes and technological systems, identifying critical ICT components, and assessing the impact of potential cyber incidents. The assessment is based on legal requirements and globally recognized standards such as the CIS Controls and CIS Benchmarks.
3) Establishing a security strategy and policy with prioritization. Based on the assessment, a comprehensive security strategy and policy are developed. These must include components such as information system security policies, incident response procedures, roles and responsibilities for data security, and more. Clear procedures must be defined for managing cyberattacks, communicating with authorities, and ensuring business continuity.
4) Implementation of technical measures. To meet the directive’s objectives, organizations must implement technical security measures, including:
- Intrusion detection and prevention systems.
- Encryption of sensitive data.
- Data backups.
- Network segmentation.
- Regular security updates and patching.
- Incident response capabilities.
5) Employee training and awareness
Organizations are already investing heavily in cybersecurity awareness and training. Entities under the directive are expected to provide ongoing training on security policies and practices, ensuring employees understand how to handle data securely and respond to incidents appropriately.
6) Regular audits and system testing
Conducting security audits, penetration tests, and system reviews helps verify the effectiveness of implemented security measures. Simulation exercises (e.g., phishing tests) are recommended to train staff on responding to real threats.
7) Collaboration and information sharing
The directive encourages organizations to collaborate with stakeholders (authorities, partners, sectors) and share information about threats and incidents. Mechanisms for reporting and communication must be established.
8) Supplier risk management
Cyber risks can spread through supply chains. Organizations must manage third-party risks by including suppliers in their security policy and assessing their NIS2 compliance.
"Implementing NIS2 requires both technical and organizational measures. Regular security assessments, staff training, and cooperation with relevant authorities are key. Our team supports and guides you throughout the process."
FOR ASSISTANCE AND ADDITIONAL INFORMATION, OUR TEAM OF SPECIALISTS ACROSS VARIOUS FIELDS IS AT YOUR DISPOSAL.