CER and NIS2 Directives

CER Directive Improves Disruption Resilience in Critical Services in Society

The aim of the new Critical Entities Resilience Directive (CER) is to improve the resilience of services critical to the functioning of society, that is, to ensure that they function as smoothly and continuously as possible.

The CER Directive entered into force on 14 December 2022 and must be transposed into national legislation by October 2024. It replaces the previous ECI Directive.

The scope of the CER Directive covers a wide range of sectors and subsectors: energy, transport, finance, water supply, healthcare, digital infrastructure, cyber services, public administration, space operators, postal and courier services, food manufacturing, production and distribution, manufacturing, chemical industry, waste management, digital service providers, and research activities. Each Member State may choose to include other sectors in addition to these.

Resilience to disturbances is improved by continuity planning

The best way to meet the requirements of the Resilience Directive, irrespective of the industry, is thorough business continuity planning and continuity management.

Every company providing vital services needs an up-to-date business continuity plan based on best practice, including a contingency plan.

The Directive introduces mandatory obligations

The CER Directive is also a significant change because it introduces mandatory obligations for operators. The current Security of Supply Act (1390/1992) stipulates that the participation of actors from sectors or subsectors critical to security of supply in improving resilience is voluntary.

Directive emphasises continuity planning and crisis resilience

Whether the Directive applies to an organisation is determined by the criteria set out in the Directive and by the national risk assessment. Application will be subject to industry-specific limits, for example according to the size of the company or the role of the organisation.

The key is the development of organisations' own risk assessments and crisis resilience plans, i.e. operational continuity plans. There will be concrete requirements for organisations' crisis resilience, such as disruption prevention, physical protection of infrastructure, risk and crisis management arrangements, continuity management and security clearances for staff. In addition, new obligations will be imposed on the authorities under the Directive.

Companies should also take into account the future expansion of the scope of the Contingency Act and the preparedness that public administrations will in future require of their private sector partners. Legislation to this effect will not come into force until 2026 at the earliest.

The NIS2 Directive improves the basic level of cybersecurity in the EU

The new NIS2 Directive aims to improve the basic level of cybersecurity across the European Union and sets a minimum level of cybersecurity risk management for the sectors it covers. The NIS2 Directive entered into force on 14 December 2022 and must be transposed into national legislation by October 2024. NIS2 replaces the previous NIS Directive.

The scope of the Directive covers a wide range of sectors and subsectors: energy, transport, finance, water supply, healthcare, digital infrastructure, cyber services, public administration, space operators, postal and courier services, food manufacturing, production and distribution, manufacturing, chemical industry, waste management, digital service providers and research activities.

The Directive applies to companies with more than 250 employees or whose turnover exceeds EUR 10 million. In addition, the NIS2 Directive applies to all operators classified as critical under the CER Directive.

Directive increases reporting obligations and lays down minimum standards

The key reforms compared to the previous NIS Directive are the larger number of industries covered and Article 21, which obliges operators to report on their information security risk management.

Article 21 contains a list of measures that must be adopted by the organisation. The list sets out minimum standards for, among other things, risk analysis, security concepts, prevention of data breaches, cybersecurity training and crisis management.

The requirements relate to information security management and its management system, "security hygiene" and reporting. They are not so much about the technical implementation of data security, although the use of multi-factor authentication is specifically required wherever possible.

Directive aims to raise the bar on cybersecurity

Key minimum requirements include:

  • obligation to report security breaches (including specified time limits)
  • production of risk assessments
  • security policies for information systems
  • anomaly management methods
  • preparations for continuity of operations
  • definition of management responsibilities
  • increasing security awareness through training

Non-compliance with the directive is sanctioned, with penalties of up to €10 million or 2% of the company's worldwide turnover. The new national law implementing the directive is currently in the consultation round and, when it comes into force, will set the minimum level that all industries must implement for the NIS2 Directive. The law defines what must be done, not how. In addition, stricter and more detailed regulations may be laid down on a sector-by-sector basis.

The ISO/IEC 27001 standard covers the requirements of the NIS2 Directive well, but continuity management, for example, may require actions that go beyond ISO/IEC 27001.

Well-implemented business continuity management and security management systems provide the basis for meeting the requirements of the CER and NIS2 directives. On request, we will assess your organisation's current situation and development objectives in terms of business continuity management, contingency planning and the requirements of the CER Directive.

REFERENCES

What our customers say

“The varied and demanding exercise tested our plans and showed how important it is to test the plans with practical training. As a result of the exercise, a lot of new ideas were created, on the basis of which we will develop our activities.”
CEO, Power grid company

“Continuity Consulting Oy organized an exercise for us to test the cooperation between the Group Management and the medical area, the arrangements for crisis communication and the functionality of our preparedness practices. During the day, we received a lot of development ideas for developing plans at different organizational levels.”
Chief Medical Officer, Hospital District

“For the exercise, Continuity Consulting created a situation-appropriate training framework that excellently tested our organization's ability to respond in a crisis and was inspiring for all participants.”
CEO, Water supply plant

Contact us

Welcome to discuss your business continuity management and its development opportunities.