NIS 2 Directive Training



First option: Distance learning and certificate of completion after an online exam. Become a NIS 2 Directive Trained Professional (NIS2DTP).

For the NIS 2 Directive Trained Professional (NIS2DTP) program, you can find all information at: https://www.nis-2-directive.com/NIS_2_Directive_Trained_Professional_(NIS2DTP).html


Second option: In-House Instructor-Led Training, or Online Live Training.

Training program 1: Preparing for the NIS 2 Directive, for EU and non-EU firms, tailor-made training.

Possible modules of the tailor-made training program

Introduction.
- Subject matter and scope.
- Essential and important entities.
- The "high common level of cybersecurity across the Union".
- Member States adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs).
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

Understanding the important definitions, including ‘near miss’, ‘large-scale cybersecurity incident’, ‘significant cyber threat’, ‘internet exchange point’, etc.

National cybersecurity strategy - objectives, resources, regulatory measures.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Coordinated vulnerability disclosure and a European vulnerability database.

- The new Cooperation Group that facilitates strategic cooperation and the exchange of information.
- The new network of national CSIRTs.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.
- Peer reviews.

Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training and to encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities that are not established in the EU but offer services within the EU must designate a representative in the EU.
- The tasks of the representative.

Cybersecurity information-sharing arrangements.

General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.

- Master plan and list of immediate actions, for firms established in EU and non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Who must comply with the NIS 2 directive?

According to Article 2 (Scope) of the NIS 2 Directive, NIS 2 applies to:

1: Public or private entities of a type referred to in Annex I or II (reproduced below) which qualify as medium-sized enterprises, or exceed the ceilings for medium-sized enterprises, and which provide their services or carry out their activities within the European Union.

A microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. NIS 2 does not apply there.

A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. NIS 2 does not apply there either.

A medium-sized enterprise is defined as an enterprise which employs between 50 and 250 persons and which has an annual turnover between EUR 10 million and EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. NIS 2 applies there.


In ANNEX I we have:

1. Energy.

a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.

b. District heating and cooling.
— Operators of district heating or district cooling.

c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.

d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.

e. Hydrogen.
— Operators of hydrogen production, storage and transmission.


2. Transport.

a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.

b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.

c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).

d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.


3. Banking.
— Credit institutions.


4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).


5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).


6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.


7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.


8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.


9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.


10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.


11. Space.
— Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.


ANNEX II


1. Postal and courier services.


2. Waste management.
— Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity.


3. Manufacture, production and distribution of chemicals.
— Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles.


4. Production, processing and distribution of food.
— Food businesses which are engaged in wholesale distribution and industrial production and processing.


5. Manufacturing.

(a) Manufacture of medical devices and in vitro diagnostic medical devices.
— Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices.

(b) Manufacture of computer, electronic and optical products.

(c) Manufacture of electrical equipment.

(d) Manufacture of machinery and equipment.

(e) Manufacture of motor vehicles, trailers and semi-trailers.

(f) Manufacture of other transport equipment.


6. Digital providers.
— Providers of online marketplaces.
— Providers of online search engines.
— Providers of social networking services platforms.


7. Research.
— Research organisations.


Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the NIS 2 Directive or not.

For example, in the category "manufacture of computer, electronic and optical products" there are undertakings carrying out any of the economic activities referred to in section C division 26 of NACE Rev. 2:

26.1 Manufacture of electronic components and boards.
26.2 Manufacture of computers and peripheral equipment.
26.3 Manufacture of communication equipment.
26.4 Manufacture of consumer electronics.
26.5 Manufacture of instruments and appliances for measuring, testing and navigation; watches and clocks.
26.6 Manufacture of irradiation, electromedical and electrotherapeutic equipment.
26.7 Manufacture of optical instruments and photographic equipment.
26.8 Manufacture of magnetic and optical media.

Another example: the category "banking" comprises "Credit institutions as defined in Article 4, point (1), of Regulation (EU) No 575/2013". In Regulation (EU) No 575/2013, "credit institution" means an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account.



Training program 2: Preparing for the NIS 2 Directive, the Digital Operational Resilience Act (DORA), and the Critical Entities Resilience Directive (CER), for EU and non-EU firms (tailor-made training) - In-House Instructor-Led Training, or Online Live Training.

Possible modules of the tailor-made training program

a. The NIS 2 Directive

Introduction.
- Subject matter and scope.
- Essential and important entities.
- The "high common level of cybersecurity across the Union".
- Member States adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs).
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

Understanding the important definitions, including ‘near miss’, ‘large-scale cybersecurity incident’, ‘significant cyber threat’, ‘internet exchange point’, etc.

National cybersecurity strategy - objectives, resources, regulatory measures.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Coordinated vulnerability disclosure and a European vulnerability database.

- The new Cooperation Group that facilitates strategic cooperation and the exchange of information.
- The new network of national CSIRTs.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.
- Peer reviews.

Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training and to encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities that are not established in the EU but offer services within the EU must designate a representative in the EU.
- The tasks of the representative.

Cybersecurity information-sharing arrangements.

General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.

- Master plan and list of immediate actions, for firms established in EU and non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


b. The Digital Operational Resilience Act (DORA)

Digital operational resilience is the ability of a financial entity to build, assure and review its operational integrity from a technological perspective. The entity must be able to ensure, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which the entity makes use of, and which support the continued provision of financial services and their quality.

- Governance and organisation after DORA.

- The internal governance and control frameworks that ensure an effective and prudent management of all ICT risks.

- The management body bears the final responsibility for managing the financial entity’s ICT risks, and must set clear roles and responsibilities for all ICT-related functions.

- Determining the appropriate risk tolerance level of ICT risk of the financial entity, approving, exercising oversight, and reviewing the implementation of the financial entity's ICT Business Continuity Policy and ICT Disaster Recovery Plan.

- Approving and periodically reviewing the ICT audit plans, ICT audits and material modifications.

- Allocating and periodically reviewing appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including training on ICT risks and skills for all relevant staff.

- Approving and periodically reviewing the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers, and being informed of the arrangements concluded with ICT third-party service providers on the use of ICT services, of any relevant planned material changes regarding the ICT third-party service providers, and of the potential impact of such changes on the critical or important functions subject to those arrangements.

- The sound, comprehensive and well-documented ICT risk management framework, to address ICT risk quickly, efficiently, and comprehensively and to ensure a high level of digital operational resilience.

- The need for an information security management system based on recognized international standards and in accordance with supervisory guidance.

- The segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.

- The rules for the timely verification and remediation of critical ICT audit findings, taking into consideration the conclusions from the audit review, while having due regard to the nature, scale and complexity of the financial entities’ services and activities.

- The digital resilience strategy setting out how the framework is implemented.

- The identification, classification and documentation of all ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems.

- The identification of all sources of ICT risk, in particular the risk exposure to and from other financial entities, and the assessment of cyber threats and ICT vulnerabilities relevant to the ICT-related business functions and information assets.

- The detection of anomalous activities, including ICT network performance issues and ICT-related incidents, and the identification of all potential material single points of failure.

- The ICT Business Continuity Policy through dedicated, appropriate, and documented arrangements, plans, procedures, and mechanisms.

- ICT-related incident reviews after significant ICT disruptions of core activities, including analysis of the causes of disruption and identification of required improvements to the ICT operations or within the ICT Business Continuity Policy.

- Communication plans enabling a responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts, as well as to the public.

- The need to establish, maintain and review a sound and comprehensive digital operational resilience testing programme, as an integral part of the ICT risk management framework.

- ICT concentration risk, and sub-outsourcing arrangements.

- Designation of critical ICT third-party service providers.

- The role of the Lead Overseer to assess whether each critical ICT third-party service provider has in place comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risks.

- Investigations of ICT third-party service providers.

- Information-sharing arrangements on cyber threat information and intelligence.

- Administrative penalties and remedial measures.

- Criminal penalties.

- Professional secrecy.

- Closing remarks.


c. The Critical Entities Resilience Directive (CER).

- Subject matter, Scope and Definitions.

- Understanding the definitions of a “critical entity”, "resilience", "incident", "critical infrastructure", and "essential service".

Strategy on the resilience of critical entities.
- strategic objectives and priorities;
- a governance framework;
- a description of measures necessary to enhance the overall resilience of critical entities;
- a description of the process by which critical entities are identified;
- a description of the process supporting critical entities;
- a policy framework for coordination between the competent authorities.

Risk assessment by Member States.
- the general risk assessment;
- other relevant risk assessments;
- the relevant risks arising from the dependencies between sectors.

- The risk assessment of the critical entities.

- Resilience measures of critical entities.

- Identification of critical entities.

- What is a "significant disruptive effect".

- Critical entities in the banking, financial market infrastructure and digital infrastructure sectors.

- Competent authorities and single point of contact.

- Member States’ support to critical entities.

- Cooperation between Member States.

Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, notably in relation with the resilience of the critical entity;
- are mandated to have direct or remote access to its premises, information or control systems including in connection with the security of the critical entity;
- are being considered for recruitment to positions that fall under criteria mentioned in the previous points.

Incident notification.
- the number and share of users affected;
- the duration;
- the geographical area affected, taking into account whether the area is geographically isolated.

- Identification of Critical entities of particular European significance.

- The Critical Entities Resilience Group.

- Supervision and enforcement.

- Penalties.

- Sectors, subsectors and categories of entities.

- Transposition.

- Closing remarks.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html
