TIS2 – will this affect you?
If your activity is related to ensuring the essential needs of the public, you definitely fall into this list. Please note that the list of entities covered by the directive includes companies with an annual turnover of more than 10 million EUR.
| Sector | Classification | Examples |
|---|---|---|
| Health | Essential | Healthcare institutions, hospital laboratories |
| Digital infrastructure | Essential | Internet and cloud service providers |
| Transport | Essential | Air traffic control, water traffic control, railway infrastructure |
| Energy | Essential | Electricity, gas and oil pipeline suppliers |
| Finance | Essential | Banks, credit institutions, investment platforms |
| Digital service providers | Important | Online e-commerce platforms, cloud service providers |
| Public administration | Important | State services |
| Production | Important | Medicines, medical devices |
| Space | Important | Satellite operators |
| Food | Important | Food supply chains |
| Mail and delivery services | Important | Courier services |
| Sewage and waste management | Important | Water purification equipment, waste management services |
| Providers of public electronic communications services | Important | Electronic platforms, colocation services |
| Production of critical products | Important | Critical raw materials |
How to prepare for and meet TIS2 requirements?
MDP CLOUD offers proven, integrated, and effective solutions for TIS2 compliance.
Frequently Asked Questions about TIS2
What is the TIS2 directive?
The TIS2 directive is an EU legal act aimed at improving the security of networks and information systems across the European Union.
What are the main TIS2 requirements?
Organizations must implement cybersecurity measures, conduct risk management, ensure incident management and reporting, perform regular security audits, and adhere to strict supply chain security requirements.
How does TIS2 differ from TIS1?
Compared to TIS1, the new version of the directive significantly expands the range of companies subject to it. In addition to expanding the critical sectors, important sectors have also been added. In practice, organizations belonging to critical sectors will have to continuously provide evidence of their cybersecurity status, while important organizations will be checked in the event of an incident.
Organizations in the critical sector are those with more than 250 employees and annual revenues exceeding 50 million euros; important organizations are those with fewer than 50 employees and annual revenues up to 10 million euros. The criteria may vary depending on the sector. An organization can be considered critical regardless of size if it is the sole provider of a critical service.
Furthermore, some companies will be affected indirectly: as service providers (third parties) to these organizations, their cybersecurity posture will also be scrutinized.
Which organizations are subject to the TIS2 directive?
TIS2 applies to providers of important and essential services across various sectors, including energy, healthcare, transportation, finance, and other critical infrastructures.
What will happen if you do not comply with TIS2 requirements after October 18, 2024?
Failing to take appropriate security measures leaves you exposed to an increased risk of cyber attacks. Such attacks can disrupt your operations and/or harm the company's reputation.
Moreover, if the necessary organizational changes are not implemented in time, you risk fines:
- For critical sector companies and organizations, fines can reach up to 10,000,000 EUR or 2% of the previous year's annual revenue (whichever is higher);
- For important sector companies and organizations, fines can reach up to 7,000,000 EUR or 1.4% of the previous year's annual revenue (whichever is higher).
When will the TIS2 directive come into effect?
The TIS2 directive was approved in 2022, and Member States must transpose it into national law by the end of 2024.
How does the TIS2 directive affect small and medium enterprises (SMEs)?
Although TIS2 is mainly aimed at important and essential service providers, certain SMEs, especially those operating in critical infrastructures or having a significant impact on cybersecurity, will also have to comply with the directive's requirements.
How do TIS2 requirements change the handling of cybersecurity incident reports?
According to TIS2, organizations must promptly report any significant cyber incidents within a certain timeframe (usually within 24-72 hours), including information about the scale of the incident and potential impact.
Is the TIS2 directive applicable only to EU organizations?
The TIS2 directive applies to all organizations that provide essential services within the EU, regardless of whether they are based in the EU or outside of it.
How will TIS2 affect supply chain security?
The TIS2 directive requires organizations to assess and manage cybersecurity risks in the supply chain, including the requirement to ensure that their suppliers adhere to similar security standards.
How is the TIS2 directive related to GDPR?
Although TIS2 and GDPR have different goals (TIS2 is aimed at cybersecurity, while GDPR is focused on data protection), they are closely related, as both require a high level of protection and incident reporting.
What should organizations do if a cyber incident occurs?
Organizations must promptly report the incident to the relevant authorities, implement the incident management plan, and take action to mitigate the impact and prevent similar events in the future.