TIS2 – will it affect you?
If your activities involve providing services essential to the public, you fall within the scope of the directive. Note that companies with an annual turnover of more than 10 million EUR are included in the list of entities covered by the directive.
Sector | Classification | Examples
---|---|---
Health sector | Essential | Healthcare facilities, hospital laboratories
Digital infrastructure | Essential | Internet, cloud service providers
Transport | Essential | Air traffic control, water traffic control, railway infrastructure
Energy | Essential | Electricity, gas, oil pipeline suppliers
Finance | Essential | Banks, credit institutions, investment platforms
Digital service providers | Important | Online electronic trading platforms, cloud service providers
Public administration | Important | State services
Production | Important | Medicines, medical devices
Space | Important | Satellite operators
Food | Important | Food supply chains
Mail and delivery services | Important | Courier services
Sewage and waste management | Important | Water treatment facilities, waste management services
Providers of public electronic communications services | Important | Electronic platforms, colocation services
Production of critical products | Important | Critical raw materials
How to prepare for and meet TIS2?
MDP CLOUD offers proven, integrated, and efficient solutions for TIS2 compliance.
Frequently Asked Questions about TIS2
What is the TIS2 directive?
The TIS2 directive is an EU legal act aimed at improving the security of networks and information systems across the European Union.
What are the main TIS2 requirements?
Organizations must implement cyber security measures, conduct risk management, ensure incident management and reporting of incidents, perform regular security audits, and adhere to strict supply chain security requirements.
How does TIS2 differ from TIS1?
Compared to TIS1, the new version of the directive significantly expands the range of companies subject to it. In addition to the expansion of critical areas, important areas have also been added. In practice, organizations in critical sectors will have to provide evidence of their cybersecurity status on an ongoing basis, while important organizations will be checked in the event of an incident.
Critical sector organizations are those that have more than 250 employees and annual revenues exceeding 50 million euros; important organizations are those that have fewer than 50 employees and annual revenues up to 10 million euros. The criteria may vary depending on the sector. An organization can be considered critical regardless of size if it is the sole provider of a critical service.
Furthermore, some companies will be affected indirectly, as they act as service providers (third parties) to these companies, and their cybersecurity posture will also be checked.
Which organizations are subject to the TIS2 directive?
TIS2 applies to providers of important and essential services across various sectors, including energy, healthcare, transport, finance, and other critical infrastructures.
What will happen if you do not meet the TIS2 requirements after October 18, 2024?
If you do not take appropriate security measures, you remain exposed to an increased risk of cyber attacks. Such attacks can disrupt your operations and/or harm the company's reputation.
Moreover, if the necessary organizational changes are not implemented in time, you face fines:
- For critical sector companies and organizations, fines can reach up to 10,000,000 EUR or 2% of last year's annual revenue (whichever is higher);
- For important sector companies and organizations, fines can reach up to 7,000,000 EUR or 1.4% of last year's annual revenue (whichever is higher).
When will the TIS2 directive come into force?
The TIS2 directive was approved in 2022, and Member States are required to transpose it into their national law by the end of 2024.
How does the TIS2 directive affect small and medium-sized enterprises (SMEs)?
Although TIS2 is primarily aimed at important and essential service providers, certain SMEs, especially those operating in critical infrastructures or having a significant impact on cybersecurity, will also have to comply with the directive's requirements.
How do TIS2 requirements change the handling of cyber incident reporting?
According to TIS2, organizations are required to promptly report any significant cyber incidents within a certain timeframe (usually within 24-72 hours), including information about the scale of the incident and potential impact.
Is the TIS2 directive applicable only to EU organizations?
The TIS2 directive applies to all organizations that provide essential services within the EU, regardless of whether they are established in the EU or outside of it.
How will TIS2 affect supply chain security?
The TIS2 directive requires organizations to assess and manage cybersecurity risks in the supply chain, including the requirement to ensure that their suppliers adhere to similar security standards.
How is the TIS2 directive related to GDPR?
Although TIS2 and GDPR have different goals (TIS2 is aimed at cybersecurity, while GDPR is focused on personal data protection), they are closely related, as both require a high level of security and incident reporting.
What should organizations do if a cyber incident occurs?
Organizations must promptly report the incident to the relevant authorities, implement the incident management plan, and take actions to mitigate the impact and prevent similar events in the future.