CER and NIS2 Directives

CER Directive Improves Disruption Resilience in Critical Services in Society

The aim of the new Critical Entities Resilience Directive (CER) is to improve the resilience of services critical to the functioning of society, that is, to ensure that they function as smoothly and continuously as possible.

The law covers 11 sectors in which service disruptions would have a significantly weakening effect on society: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food.

Resilience to disturbances is improved by continuity planning

The best way to meet the requirements of this Resilience Directive, irrespective of the industry, is through thorough business continuity planning and continuity management.

Although the CER obligations apply only to entities designated as critical, preparedness, risk management and attending to staff security are useful for every organisation that produces vital services.

The Directive introduces mandatory obligations

The CER Directive is also a significant change because it introduces mandatory obligations for operators. The current Security of Supply Act (1390/1992) stipulates that the participation of actors from sectors critical to security of supply in improving resilience is voluntary.

Once an entity has been designated as critical, it incurs concrete, deadline-bound obligations. The entity must prepare a risk assessment within nine months of designation, and a resilience plan within one year of completing its own risk assessment. In addition, the entity must implement practical measures such as disruption prevention, physical protection of critical infrastructure, risk and crisis management arrangements and staff security clearances, and ensure that management and staff practise for crisis situations. Significant incidents must be reported to the supervisory authority, with an initial notification made within 24 hours of detecting the incident.

Directive emphasises continuity planning and crisis resilience

Whether the Directive applies to an organisation is determined by the criteria set out in the Directive itself and by the national risk assessment. Application will also be subject to sector-specific restrictions, for example according to the size of the company or the role of the organisation.

The key is the development of organisations' own risk assessments and crisis resilience plans, i.e. operational continuity plans. There will be concrete requirements for organisations' crisis resilience, such as disruption prevention, physical protection of infrastructure, risk and crisis management arrangements, continuity management and staff security clearances. In addition, new obligations will be imposed on the authorities under the Directive.

Companies should also take into account the planned expansion of the scope of the Emergency Powers Act (valmiuslaki) and the preparedness that public administrations will in future require of their private sector partners. Legislation to this effect will not come into force until 2026 at the earliest.

Prepare for expanding regulation as well

Alongside the CER Act, it is worth following the overall reform of the Emergency Powers Act (valmiuslaki), through which the preparedness obligations placed on companies are also expanding. In addition, public administration increasingly requires preparedness and continuity management from its private sector partners.

When continuity planning is in order, the organisation meets the obligations of the CER Act and is at the same time ready to respond to a changing regulatory environment.

The NIS2 Directive improves the basic level of cybersecurity in the EU

The new NIS2 Directive aims to improve the basic level of cybersecurity across the European Union and sets a minimum level of cybersecurity risk management for the sectors it covers. The NIS2 Directive entered into force on 14 December 2022, and Member States must transpose it into national legislation by October 2024. NIS2 replaces the previous NIS Directive.

The scope of the Directive covers a wide range of sectors and industries: energy, transport, finance, water supply, healthcare, digital infrastructure, cyber services, public administration, space operators, postal and courier services, food manufacturing, production and distribution, manufacturing, the chemical industry, waste management, digital service providers and research activity.

The Directive applies to companies with more than 250 employees or whose turnover exceeds EUR 10 million. In addition, the NIS2 Directive applies to all operators classified as critical under the CER Directive.

Directive increases reporting obligations and lays down minimum standards

The key reforms compared to the previous NIS Directive are the larger number of sectors covered and Article 21, which obliges operators to report on their information security risk management.

Article 21 contains a list of measures that must be adopted in the enterprise. The list describes minimum standards for, among other things, risk analysis, security policies, prevention of data breaches, cybersecurity training and crisis management.

The requirements relate to information security management and its management system, "security hygiene" and reporting. They are concerned less with the technical implementation of data security, although the use of multi-step authentication is required as an individual matter whenever possible.

Directive aims to raise the bar on cybersecurity

Key minimum requirements include:

  • obligation to report security breaches (including specified time limits)
  • production of risk assessments
  • security policies for information systems
  • anomaly management methods
  • preparations for continuity of operations
  • definition of management responsibilities
  • increasing security awareness through training

Non-compliance with the Directive is sanctioned: the penalty is up to €10 million or 2% of the company's international turnover. The new national law implementing the Directive is currently out for consultation and, when it comes into force, will set the minimum level that all sectors must implement under the NIS2 Directive. The law defines what must be done, not how. In addition, stricter and more detailed regulations may be laid down on a sector-by-sector basis.

The ISO/IEC 27001 standard responds well to the requirements of the NIS2 Directive, but continuity management, for example, may require actions broader than ISO/IEC 27001.

Well-implemented business continuity management and security management systems provide the basis for meeting the requirements of the CER and NIS2 Directives. If needed, we can help clarify your organisation's current situation and development objectives in terms of business continuity management, contingency planning and the requirements of the CER Directive.

References

What our customers say

"The varied and demanding exercise tested our plans and showed how important it is to test the plans with practical training. As a result of the exercise, a lot of new ideas were created, on the basis of which we will develop our activities."
CEO, Power grid company

"Continuity Consulting Oy organized an exercise for us to test the cooperation between the Group Management and the medical area, the arrangements for crisis communication and the functionality of our preparedness practices. During the day, we received a lot of development ideas for developing plans at different organizational levels."
Chief Medical Officer, Hospital District

"For the exercise, Continuity Consulting created a situation-appropriate training framework that excellently tested our organization's ability to respond in a crisis and was inspiring for all participants."
CEO, Water supply plant

Contact us

Welcome to discuss your business continuity management and its development opportunities.