NIS 2 Directive Training



Training program 1: Preparing for the NIS 2 Directive, for EU and non-EU firms, tailor-made training (In-House Instructor-Led Training, or Online Live Training).

Possible modules of the tailor-made training program

Introduction.
- Subject matter and scope.
- Essential and important entities.
- The "high common level of cybersecurity across the Union".
- Member States adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs).
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

Understanding the important definitions, including ‘near miss’, ‘large-scale cybersecurity incident’, ‘significant cyber threat’, ‘internet exchange point’, etc.

National cybersecurity strategy - objectives, resources, regulatory measures.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Coordinated vulnerability disclosure and a European vulnerability database.

- The new Cooperation Group, which facilitates strategic cooperation and the exchange of information.
- The new network of national CSIRTs.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.
- Peer reviews.

Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities, oversee their implementation, and can be held liable for infringements.
- Member States ensure that the members of the management bodies follow training, and encourage essential and important entities to offer similar training to their employees on a regular basis.
- Cybersecurity risk-management measures.
- Reporting obligations.

Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities of the types listed in Article 26(1)(b) (DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing, data centre and content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines and social networking services platforms) that are not established in the EU but offer services within the EU must designate a representative in the EU.
- The tasks of the representative.

Cybersecurity information-sharing arrangements.

General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.

- Master plan and list of immediate actions, for firms established in EU and non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Who must comply with the NIS 2 directive?

According to Article 2 (Scope) of the NIS 2 Directive, NIS 2 applies to:

1: Public or private entities of a type referred to in Annex I or II (reproduced below) which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises, and which provide their services or carry out their activities within the European Union.

The Recommendation defines the size classes as follows. Headcount is measured in annual work units, and the turnover and balance-sheet ceilings are alternatives: meeting either one is enough.

A microenterprise employs fewer than 10 persons and has an annual turnover and/or an annual balance sheet total not exceeding EUR 2 million.

A small enterprise employs fewer than 50 persons and has an annual turnover and/or an annual balance sheet total not exceeding EUR 10 million.

A medium-sized enterprise employs fewer than 250 persons, has an annual turnover not exceeding EUR 50 million and/or an annual balance sheet total not exceeding EUR 43 million, and does not qualify as a small enterprise. In practice this means 50 to 249 persons, or a smaller headcount combined with a turnover and a balance sheet total that both exceed the small-enterprise ceilings.

Medium-sized enterprises, and enterprises above the medium-sized ceilings, are in scope under Article 2(1). Micro and small enterprises are generally out of scope, but not always: Article 2(2) brings certain entities into scope regardless of size, among them providers of public electronic communications networks or of publicly available electronic communications services, trust service providers, TLD name registries and DNS service providers, sole providers in a Member State of a service essential for the maintenance of critical societal or economic activities, and public administration entities of central government; Article 2(3) does the same for entities identified as critical entities under Directive (EU) 2022/2557. Headcount and financial data of partner and linked enterprises also count towards the thresholds (Article 6 of the Annex to the Recommendation).
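The size test is easier to get right in code than in prose, because the two financial ceilings are alternatives (turnover or balance sheet) while the headcount ceiling is mandatory, and because size is only the first route into scope. The following Python example is added here and is not part of the original page or of the Directive. The `Entity` class, the entity-type labels and the sample figures are this example's own assumptions; it models only Article 2(1) and the Article 2(2)(a) entity types that are in scope regardless of size, not Article 2(2)(b) to (f), Article 2(3), or the partner and linked-enterprise aggregation rules of the Recommendation.

```python
from dataclasses import dataclass
from typing import Tuple

# Size ceilings from the Annex to Commission Recommendation 2003/361/EC:
# (staff headcount in annual work units, annual turnover in EUR, annual balance sheet total in EUR).
# Headcount must be below the ceiling; only ONE of the two financial ceilings needs to be met ("and/or").
MICRO_CEILING = (10, 2_000_000, 2_000_000)
SMALL_CEILING = (50, 10_000_000, 10_000_000)
MEDIUM_CEILING = (250, 50_000_000, 43_000_000)

# Annex I/II entity types that Article 2(2)(a) of Directive (EU) 2022/2555 brings
# into scope regardless of size. The label strings are this example's own.
IN_SCOPE_REGARDLESS_OF_SIZE = {
    "public electronic communications network provider",
    "publicly available electronic communications service provider",
    "trust service provider",
    "TLD name registry",
    "DNS service provider",
}


@dataclass(frozen=True)
class Entity:
    """Illustrative record for an entity of a type listed in Annex I or II (assumed structure)."""
    name: str
    entity_type: str
    headcount: float          # annual work units, not a payroll head count
    turnover_eur: float
    balance_sheet_eur: float


def _within(e: Entity, ceiling: Tuple[int, int, int]) -> bool:
    max_staff, max_turnover, max_balance = ceiling
    return e.headcount < max_staff and (
        e.turnover_eur <= max_turnover or e.balance_sheet_eur <= max_balance
    )


def size_category(e: Entity) -> str:
    """Classify as micro, small, medium or large; each class excludes the smaller ones."""
    if _within(e, MICRO_CEILING):
        return "micro"
    if _within(e, SMALL_CEILING):
        return "small"
    if _within(e, MEDIUM_CEILING):
        return "medium"
    return "large"


def nis2_scope(e: Entity) -> Tuple[bool, str]:
    """Return (in_scope, reason). Only Article 2(1) and Article 2(2)(a) are modelled;
    Article 2(2)(b)-(f), Article 2(3) and the Recommendation's aggregation rules are not."""
    cat = size_category(e)
    if cat in ("medium", "large"):
        return True, f"{cat}-sized entity of an Annex I/II type: Article 2(1)"
    if e.entity_type in IN_SCOPE_REGARDLESS_OF_SIZE:
        return True, f"{cat} enterprise, but a {e.entity_type} is in scope regardless of size: Article 2(2)(a)"
    return False, f"{cat} enterprise below the medium-sized threshold; Article 2(2)(b)-(f) and Article 2(3) still need checking"


# Constructed sample entities (not real organisations).
SAMPLES = [
    # 30 staff but both financial figures above the small ceilings: medium, so in scope,
    # although a reading of "between 50 and 250 persons" would miss it.
    Entity("Example Hosting", "cloud computing service provider", 30, 20_000_000, 20_000_000),
    # Microenterprise, but a TLD registry is in scope regardless of size.
    Entity("Example Registry", "TLD name registry", 8, 1_500_000, 1_200_000),
    # Small enterprise; out of scope unless another Article 2(2)/(3) route applies.
    Entity("Example Water", "drinking water supplier", 40, 8_000_000, 12_000_000),
    # Above the medium-sized ceilings: large, in scope.
    Entity("Example Grid", "distribution system operator", 400, 30_000_000, 30_000_000),
]

if __name__ == "__main__":
    for ent in SAMPLES:
        flag, why = nis2_scope(ent)
        print(f"{ent.name:18} {size_category(ent):7} in scope: {flag}  ({why})")
```

The "not in scope" branch is deliberately worded as an open question rather than a verdict: the sole-provider and significant-impact tests in Article 2(2) depend on facts a size table cannot capture, and a compliance team should record why each of those routes was ruled out before concluding that a small entity is outside the Directive.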


In ANNEX I we have:

1. Energy.

a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.

b. District heating and cooling.
— Operators of district heating or district cooling.

c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.

d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.

e. Hydrogen.
— Operators of hydrogen production, storage and transmission.


2. Transport.

a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.

b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.

c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).

d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.


3. Banking.
— Credit institutions.


4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).


5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).


6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.


7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.


8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.


9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.


10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.


11. Space.
Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.


ANNEX II


1. Postal and courier services.
— Postal service providers, including providers of courier services.


2. Waste management.
— Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity.


3. Manufacture, production and distribution of chemicals.
— Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles.


4. Production, processing and distribution of food.
— Food businesses which are engaged in wholesale distribution and industrial production and processing.


5. Manufacturing.

(a) Manufacture of medical devices and in vitro diagnostic medical devices.
— Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices.

(b) Manufacture of computer, electronic and optical products.

(c) Manufacture of electrical equipment.

(d) Manufacture of machinery and equipment.

(e) Manufacture of motor vehicles, trailers and semi-trailers.

(f) Manufacture of other transport equipment.


6. Digital providers.
— Providers of online marketplaces.
— Providers of online search engines.
— Providers of social networking services platforms.


7. Research.
— Research organisations.


Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the NIS 2 Directive or not.

For example, in the category "manufacture of computer, electronic and optical products" there are undertakings carrying out any of the economic activities referred to in section C division 26 of NACE Rev. 2:

26.1 Manufacture of electronic components and boards.
26.2 Manufacture of computers and peripheral equipment.
26.3 Manufacture of communication equipment.
26.4 Manufacture of consumer electronics.
26.5 Manufacture of instruments and appliances for measuring, testing and navigation; watches and clocks.
26.6 Manufacture of irradiation, electromedical and electrotherapeutic equipment.
26.7 Manufacture of optical instruments and photographic equipment.
26.8 Manufacture of magnetic and optical media.

Another example: the category "banking" covers "credit institutions as defined in Article 4, point (1), of Regulation (EU) No 575/2013". In that Regulation, "credit institution" means an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account.



Training program 2: NIS 2 Directive Trained Professional (NIS2DTP) - distance learning, online exam, certificate of completion.


Overview

The NIS 2 Directive gives risk and compliance managers the opportunity to implement new and more stringent cybersecurity rules, and to substantially improve risk prevention, detection, response, incident handling, business continuity, supply chain security, and vulnerability handling and disclosure.

According to Article 20 (Governance), the management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities and oversee their implementation, and can be held liable for infringements by those entities.

According to Article 20, Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

According to Article 21 (Cybersecurity risk-management measures), essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the state of the art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in Article 21 shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity's exposure to risks, the entity's size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.


Objectives

The program has been designed to provide participants with the skills needed to understand and support compliance with the NIS 2 Directive.

It also provides the skills needed to pass the NIS 2 Directive Trained Professional (NIS2DTP) exam and to receive the Certificate of Completion, which provides independent evidence to firms and organizations that you have a quantifiable understanding of the subject matter.


Target Audience

The program is beneficial to risk and compliance managers and professionals, auditors, consultants, suppliers and service providers that:

- work for EU companies and organizations that have to comply with the NIS 2 Directive,

- work for non-EU companies and organizations that have operations in EU Member States or provide services to EU citizens, and have to comply with the NIS 2 Directive.

The Directive applies to "essential" and "important" public and private entities, as described above under "Who must comply with the NIS 2 directive?".


Course Synopsis

The European Union (EU) - key institutions, the EU legislative process, the roles.
- The European Commission, the European Council, the Council of the European Union, the European Parliament, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors.
- How does the legislative process work in the EU?
- The European System of Financial Supervision.
- The major changes after the Lisbon Treaty.
- Delegated acts - supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service.
- Common Foreign and Security Policy (CFSP), Common Security and Defence Policy (CSDP).
- The European Cyber Defence Policy Framework (CDPF).
- The EU's Cybersecurity Strategy for the Digital Decade.


The first NIS Directive.
- “An Open, Safe and Secure Cyberspace”.
- The NIS Cooperation Group.
- The NIS Directive, important parts.
- Subject matter and scope.
- Important definitions.
- Identification of operators of essential services.
- Significant disruptive effect.
- National strategy on the security of network and information systems.
- National competent authorities and single point of contact.
- Computer security incident response teams (CSIRTs).
- The CSIRTs network.
- International cooperation.
- Security requirements and incident notification.
- Jurisdiction and territoriality.
- Penalties.
- Transposition of the NIS Directive.


The need for a NIS 2 Directive.
- The NIS Directive significantly increased the European Union’s level of cyber security and resilience.
- The review of the NIS Directive also revealed inherent shortcomings that prevented it from addressing effectively current and emerging cybersecurity challenges.
- Member States, and their very wide discretion to decide the scope of NIS.
- The world we live today is very different.


The NIS 2 Directive.
- Which one, DORA or NIS 2, applies to financial entities?
- The "lex specialis derogat legi generali" doctrine (a special law prevails over a general law), accepted in EU and international law.
- NIS 2 is lex generalis, a general law.
- Under Article 4 of NIS 2, where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to those of NIS 2, the corresponding NIS 2 provisions (including supervision and enforcement) do not apply to those entities.
- NIS 2 and Regulation (EU) 2022/2554 (the Digital Operational Resilience Act - DORA).
- NIS 2 and Directive (EU) 2022/2557 (the Critical Entities Resilience Directive - CER).
- NIS 2 and Regulation (EU) 2016/679 (the General Data Protection Regulation - GDPR, which replaced Directive 95/46/EC).


The NIS 2 Directive, important parts.
- Before discussing Article 1 of the NIS 2 Directive.
- Entities of a type referred to in Annex I or II.
- Entities identified as critical entities under Directive (EU) 2022/2557.
- NACE Rev. 2


- Subject matter.
- Scope.
- Essential and important entities.
- Sector-specific Union legal acts.
- Minimum harmonisation.
- Definitions.


- National cybersecurity strategy.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Requirements, technical capabilities and tasks of CSIRTs.
- Coordinated vulnerability disclosure and a European vulnerability database.
- Cooperation at national level.


- Cooperation Group.
- CSIRTs network.
- European cyber crisis liaison organisation network (EU-CyCLONe).
- International cooperation.
- Report on the state of cybersecurity in the Union.
- Peer reviews.


- Governance.
- Cybersecurity risk-management measures.
- Union level coordinated security risk assessments of critical supply chains.
- Reporting obligations.
- Use of European cybersecurity certification schemes.
- Standardisation.


- Jurisdiction and territoriality.
- Registry of entities.
- Database of domain name registration data.


- Cybersecurity information-sharing arrangements.
- Voluntary notification of relevant information.


- General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.
- Mutual assistance.


- Transposition.
- Entry into force.


Overview of other new EU Directives and Regulations that must be implemented.
- The European Cyber Resilience Act.
- The Digital Operational Resilience Act (DORA).
- The Critical Entities Resilience Directive (CER).
- The Digital Services Act (DSA).
- The Digital Markets Act (DMA).
- The European Health Data Space (EHDS).
- The European Chips Act.
- The European Data Act.
- The European Data Governance Act (DGA).
- The Artificial Intelligence Act.
- The European ePrivacy Regulation.

Closing remarks.


Become a NIS 2 Directive Trained Professional (NIS2DTP)

This is a Distance Learning with Certificate of Completion program, provided by Cyber Risk GmbH. The General Terms and Conditions for all legal transactions made through the Cyber Risk GmbH websites (hereinafter “GTC”) can be found at: https://www.cyber-risk-gmbh.com/Impressum.html

Each Distance Learning with Certificate of Completion program (hereinafter referred to as “distance learning program”) is provided at a fixed price, that includes VAT. There is no additional cost, now or in the future, for any reason.

We will send the distance learning program via email up to 24 hours after the payment (working days). Please remember to check the spam folder of your email client too, as emails with attachments often land in the spam folder.

You have the option to ask for a full refund up to 60 days after the payment. If you do not want one of our distance learning programs for any reason, all you have to do is send us an email, and we will refund the payment, no questions asked.

Your payment will be received by Cyber Risk GmbH (Dammstrasse 16, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). Cyber Risk GmbH will also send the certificates of completion to all persons that will pass the exam.

The all-inclusive cost is 297 USD (US Dollars). There is no additional cost, now or in the future, for this program.


First option: You can purchase the NIS 2 Directive Trained Professional (NIS2DTP) program with VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.

Purchase the NIS2DTP program here (VISA, MASTERCARD, AMEX, Apple Pay, Google Pay etc.)





Second option: QR code payment.

i. Open the camera app or the QR app on your phone.

ii. Scan the QR code and possibly wait for a few seconds.

iii. Click on the link that appears, open your browser, and make the payment.




Third option: You can purchase the NIS 2 Directive Trained Professional (NIS2DTP) program with PayPal

When you click "PayPal" below, you will be redirected to the PayPal web site. If you prefer to pay with a card, you can click "Debit or Credit Card" that is also powered by PayPal.



What is included in the cost of the distance learning program:


A. The official presentations (878 slides).

The presentations are effective and appropriate to study online or offline. Busy professionals have full control over their own learning and are able to study at their own speed. They are able to move faster through areas of the course they feel comfortable with, but slower through those that they need a little more time on.


B. Up to 3 online exam attempts per year.

Candidates must pass only one exam. If they fail, they must study the official presentations and retake the exam. Candidates are entitled to 3 exam attempts every year.

If candidates do not achieve a passing score on the exam the first time, they can retake the exam a second time.

If they do not achieve a passing score the second time, they can retake the exam a third time.

If candidates do not achieve a passing score the third time, they must wait at least one year before retaking the exam. There is no additional cost for additional exam attempts.

To learn more, you may visit:

https://www.nis-2-directive.com/Distance_Learning_Programs_Exam_Certificate_of_Completion.pdf


C. The certificate of completion.

Processing and posting via registered mail with tracking number. Certificates are usually dispatched up to 10 weeks after you pass the exam.

If you want a digital copy of your certificate too, to have it until you receive your printed and stamped certificate of completion, please send us an email. We will send a digital copy of your certificate via email in less than 24 hours (working days).



Frequently Asked Questions for the distance learning programs.


1. I want to know more about Cyber Risk GmbH.

“Cyber Risk GmbH” is a company incorporated in Switzerland.
Registered company name: Cyber Risk GmbH.
Registered address: Dammstrasse 16, 8810 Horgen, Switzerland.
Company number: CHE-244.099.341.
Cantonal Register of Commerce: Canton of Zürich.
Swiss VAT number: CHE-244.099.341 MWST.
EU VAT number: EU276036462. Cyber Risk GmbH is registered for EU VAT purposes in Germany (Bundeszentralamt für Steuern, Dienstsitz Saarlouis, Referat St III 4, One-Stop-Shop, Ludwig-Karl-Balzer-Allee 2, 66740 Saarlouis - Verfahren One-Stop-Shop, Nicht EU-Regelung) for the sale of services in the EU. The VAT One Stop Shop (OSS) simplifies VAT obligations for non-EU businesses selling goods and services cross border to final consumers in the EU. Cyber Risk GmbH declares and pays EU VAT in a single electronic quarterly return submitted to Germany, and the German Bundeszentralamt für Steuern forwards the EU VAT due to each member State of the EU.


“Cyber Risk GmbH Training Programs” are training programs developed, updated and provided by Cyber Risk GmbH, and include:
a) In-House Instructor-Led Training programs,
b) Online Live Training programs,
c) Video-Recorded Training programs,
d) Distance Learning with Certificate of Completion programs.


“Cyber Risk GmbH websites” are all websites that belong to Cyber Risk GmbH, and include the following:


a. Sectors and Industries.

1. Cyber Risk GmbH

2. Social Engineering Training

3. Healthcare Cybersecurity

4. Airline Cybersecurity

5. Railway Cybersecurity

6. Maritime Cybersecurity

7. Transport Cybersecurity

8. Transport Cybersecurity Toolkit

9. Hotel Cybersecurity

10. Sanctions Risk

11. Travel Security


b. Understanding Cybersecurity.

1. What is Disinformation?

2. What is Steganography?

3. What is Cyberbiosecurity?

4. What is Synthetic Identity Fraud?

5. What is a Romance Scam?

6. What is Cyber Espionage?

7. What is Sexspionage?


c. Understanding Cybersecurity in the European Union.

1. The NIS 2 Directive

2. The European Cyber Resilience Act

3. The Digital Operational Resilience Act (DORA)

4. The Critical Entities Resilience Directive (CER)

5. The Digital Services Act (DSA)

6. The Digital Markets Act (DMA)

7. The European Health Data Space (EHDS)

8. The European Chips Act

9. The European Data Act

10. European Data Governance Act (DGA)

11. The Artificial Intelligence Act

12. The European ePrivacy Regulation

13. The European Cyber Defence Policy

14. The Strategic Compass of the European Union

15. The EU Cyber Diplomacy Toolbox



2. Are your training and certification programs vendor neutral?

Yes. We do not promote any products or services, and we are 100% independent.



3. I want to learn more about the exam.

You can take the exam online from your home or office, in all countries.

It is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.

You will be given 90 minutes to complete a 35-question exam. You must score 70% or higher.

The exam contains only questions that have been clearly answered in the official presentations.

All exam questions are multiple-choice, composed of two parts:

a. A stem (a question asked, or an incomplete statement to be completed).

b. Four possible responses.

In multiple-choice questions, you must not look for a correct answer, you must look for the best answer. Cross out all the answers you know are incorrect, then focus on the remaining ones. Which is the best answer? With this approach, you save time, and you greatly increase the likelihood of selecting the correct answer.

TIME LIMIT - This exam has a 90-minute time limit. You must complete this exam within this time limit, otherwise the result will be marked as an unsuccessful attempt.

BACK BUTTON - When taking this exam you are NOT permitted to move backwards to review/change prior answers. Your browser back button will refresh the current page instead of moving backward.

RESTART/RESUME – You CANNOT stop and then resume the exam. If you stop taking this exam by closing your browser, your answers will be lost, and the result will be marked as an unsuccessful attempt.

SKIP - You CANNOT skip answering questions while taking this exam. You must answer all the questions in the order the questions are presented.

We do not send sample questions or past exams. If you study the presentations, you can score 100%.

When you are ready to take the exam, you must follow the steps described at "Question h. I am ready for the exam. What must I do?", at:

https://www.nis-2-directive.com/Distance_Learning_Programs_Exam_Certificate_of_Completion.pdf



4. How comprehensive are the presentations? Are they just bullet points?

The presentations are not bullet points. They are effective and appropriate to study online or offline.



5. Do I need to buy books to pass the exam?

No. If you study the presentations, you can pass the exam. All the exam questions are clearly answered in the presentations. If you fail the first time, you must study more. Print the presentations and use Post-it notes to mark where to find the answer to a question.



6. Is it an open book exam? Why?

Yes, it is an open book exam. Risk and compliance management is something you must understand and learn, not memorize. You must acquire knowledge and skills, not commit something to memory.



7. Do I have to take the exam soon after receiving the presentations?

No. You can take the exam any time. Your account never expires.



8. I want to receive another printed and stamped certificate (I lost the one sent, or for other reasons). Can you send me another one?

Every time we send certificates via registered mail with tracking number, we also send all tracking numbers via email. Please track your certificate and ensure you or somebody else can receive it. If there is any problem in the process, please let us know. If we do not receive an email up to 90 days after the day we sent the tracking numbers, indicating that your certificate was not delivered, we will mark the certificate as delivered.

The cost of each additional printed and stamped certificate is 65 USD. It includes the administration, processing and posting via registered mail with tracking number (not courier). Certificates are usually dispatched every 10 weeks. We accept payment with cards, QR, and PayPal.



9. Why should I purchase this program?

Firms and organizations hire and promote “fit and proper” professionals who can provide evidence that they are qualified. Employers need assurance that employees have the knowledge and skills needed to mitigate risks and accept responsibility. Supervisors and auditors ask for independent evidence that the process owners are qualified, and that the controls can operate as designed, because the persons responsible for these controls have the necessary knowledge and experience.

There are many new Directives and Regulations in the EU, and our target audience is overwhelmed and has little time to spare. Cyber Risk GmbH has developed a program that can assist them in understanding the new requirements, and in providing evidence that they are qualified, as they must pass an exam to receive their certificate of completion.

The all-inclusive cost of our distance learning programs is very low. There is no additional cost for each program, now or in the future, for any reason.

We develop several other distance learning programs. You will have a 100 USD discount for the second and each additional program that Cyber Risk GmbH has developed. The all-inclusive cost for your second and each additional program is 197 USD.

There are 3 exam attempts per year that are included in the cost of each program, so you do not have to spend money again if you fail.

George Lekatis, a well-known expert in risk management and compliance, oversaw the development of this program. He has more than 20,000 hours of experience as a seminar leader, and has provided training and executive coaching in information security and risk management to many leading global organizations, in 36 countries.



Training program 3: Preparing for the NIS 2 Directive, the European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), and the Critical Entities Resilience Directive (CER), for EU and non-EU firms (tailor-made training) - In-House Instructor-Led Training, or Online Live Training.

Possible modules of the tailor-made training program

a. The NIS 2 Directive

Introduction.
- Subject matter and scope.
- Essential and important entities.
- The "high common level of cybersecurity across the Union".
- Member States adopt national cybersecurity strategies and designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs).
- The new cybersecurity risk-management measures and reporting obligations.
- The new cybersecurity information sharing obligations.

Understanding the important definitions, including ‘near miss’, ‘large-scale cybersecurity incident’, ‘significant cyber threat’, ‘internet exchange point’, etc.

National cybersecurity strategy - objectives, resources, regulatory measures.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Coordinated vulnerability disclosure and a European vulnerability database.

- The new Cooperation Group that facilitates strategic cooperation and the exchange of information.
- The new network of national CSIRTs.
- The new European cyber crisis liaison organisation network (EU-CyCLONe) for large-scale cybersecurity incidents and crises.
- International cooperation.
- Peer reviews.

Cybersecurity risk management measures and reporting obligations.
- Governance.
- The management bodies of essential and important entities approve the cybersecurity risk-management measures.
- The management bodies of essential and important entities are required to follow training, and encourage essential and important entities to offer similar training to their employees.
- Cybersecurity risk-management measures.
- Reporting obligations.

Jurisdiction and territoriality.
- Entities are considered to fall under the jurisdiction of the Member State in which they are established.
- Entities are considered to have their main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken.
- Entities that are not established in the EU but offer services within the EU must designate a representative in the EU.
- The tasks of the representative.

Cybersecurity information-sharing arrangements.

General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.

- What is next: Delegated and Implementing Acts.
- Review.
- Transposition.

What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.

- Master plan and list of immediate actions, for firms established in EU and non-EU countries.

- Other new EU directives and regulations that introduce compliance challenges to EU and non-EU firms: The European Cyber Resilience Act, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) etc.

- Closing remarks.


b. The European Cyber Resilience Act

- Introduction.

- The Cyber Resilience Act - why it is needed.

- Most hardware and software products were not covered by any EU legislation.

- A uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the EU market.

- Cyberattacks against hardware and software products.

- The strong cross-border nature of cybersecurity.

- The obligation for manufacturers to take security seriously throughout a product’s life cycle.

- Scope - "products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network".

- Definitions.

- Requirements for products with digital elements.

- Critical products with digital elements.

- High-risk AI systems.

- Machinery products.

- Obligations of manufacturers.

- Reporting obligations.

- Obligations of importers, distributors, economic operators.

- Conformity of the product with digital elements.

- EU declaration of conformity, and conformity assessment procedures for products with digital elements.

- Notifying authorities, requirements relating to notified bodies.

- Notification procedure.

- Changes to notifications.

- Market surveillance and control of products with digital elements in the Union market.

- Access to data and documentation.

- Compliant products with digital elements which present a significant cybersecurity risk.

- Confidentiality.

- Penalties.

- Entry into force and application.


c. The Digital Operational Resilience Act (DORA)

Digital operational resilience is the ability of a financial entity to build, assure and review its operational integrity from a technological perspective. The entity must be able to ensure, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which the entity makes use of, and which support the continued provision of financial services and their quality.

- Governance and organisation after DORA.

- The internal governance and control frameworks that ensure an effective and prudent management of all ICT risks.

- The management body bears the final responsibility for managing the financial entity’s ICT risks, and must set clear roles and responsibilities for all ICT-related functions.

- Determining the appropriate risk tolerance level of ICT risk of the financial entity, approving, exercising oversight, and reviewing the implementation of the financial entity's ICT Business Continuity Policy and ICT Disaster Recovery Plan.

- Approving and periodically reviewing the ICT audit plans, ICT audits and material modifications.

- Allocating and periodically reviewing appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including training on ICT risks and skills for all relevant staff.

- Approving and periodically reviewing the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers, and being informed of the arrangements concluded with ICT third-party service providers on the use of ICT services, of any relevant planned material changes regarding the ICT third-party service providers, and of the potential impact of such changes on the critical or important functions subject to those arrangements.

- The sound, comprehensive and well-documented ICT risk management framework, to address ICT risk quickly, efficiently, and comprehensively and to ensure a high level of digital operational resilience.

- The need for an information security management system based on recognized international standards and in accordance with supervisory guidance.

- The segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.

- The rules for the timely verification and remediation of critical ICT audit findings, taking into consideration the conclusions from the audit review, while having due regard to the nature, scale and complexity of the financial entities’ services and activities.

- The digital resilience strategy setting out how the framework is implemented.

- The identification, classification and documentation of all ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems.

- The identification of all sources of ICT risk, in particular the risk exposure to and from other financial entities, and the assessment of cyber threats and ICT vulnerabilities relevant to the ICT-related business functions and information assets.

- The detection of anomalous activities, including ICT network performance issues and ICT-related incidents, and the identification of all potential material single points of failure.

- The ICT Business Continuity Policy through dedicated, appropriate, and documented arrangements, plans, procedures, and mechanisms.

- ICT-related incident reviews after significant ICT disruptions of core activities, including analysis of the causes of disruption and identification of required improvements to the ICT operations or within the ICT Business Continuity Policy.

- Communication plans enabling a responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts, as well as to the public.

- The need to establish, maintain and review a sound and comprehensive digital operational resilience testing programme, as an integral part of the ICT risk management framework.

- ICT concentration risk, and sub-outsourcing arrangements.

- Designation of critical ICT third-party service providers.

- The role of the Lead Overseer to assess whether each critical ICT third-party service provider has in place comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risks.

- Investigations of ICT third-party service providers.

- Information-sharing arrangements on cyber threat information and intelligence.

- Administrative penalties and remedial measures.

- Criminal penalties.

- Professional secrecy.

- Closing remarks.


d. The Critical Entities Resilience Directive (CER)

- Subject matter, scope and definitions.

- Understanding the definitions of a “critical entity”, "resilience", "incident", "critical infrastructure", and "essential service".

Strategy on the resilience of critical entities.
- strategic objectives and priorities;
- a governance framework;
- a description of measures necessary to enhance the overall resilience of critical entities;
- a description of the process by which critical entities are identified;
- a description of the process supporting critical entities;
- a policy framework for coordination between the competent authorities.

Risk assessment by Member States.
- the general risk assessment;
- other relevant risk assessments;
- the relevant risks arising from the dependencies between sectors.

- The risk assessment of the critical entities.

- Resilience measures of critical entities.

- Identification of critical entities.

- What is a "significant disruptive effect"?

- Critical entities in the banking, financial market infrastructure and digital infrastructure sectors.

- Competent authorities and single point of contact.

- Member States’ support to critical entities.

- Cooperation between Member States.

Background checks on persons who:
- hold sensitive roles in or for the benefit of the critical entity, notably in relation to the resilience of the critical entity;
- are mandated to have direct or remote access to its premises, information or control systems including in connection with the security of the critical entity;
- are being considered for recruitment to positions that fall under criteria mentioned in the previous points.

Incident notification.
- the number and share of users affected;
- the duration;
- the geographical area affected, taking into account whether the area is geographically isolated.

- Identification of critical entities of particular European significance.

- The Critical Entities Resilience Group.

- Supervision and enforcement.

- Penalties.

- Sectors, subsectors and categories of entities.

- Transposition.

- Closing remarks.


Target Audience, duration.

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to their needs. We also offer four-hour to one-day training for risk and compliance teams responsible for the implementation of the EU directives and regulations.


Instructor.

Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Contact us

Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com
Web: https://www.cyber-risk-gmbh.com


We process and store data in compliance with both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich; the data is stored exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
