Cybersecurity for startups: get compliant with NIS 1

What is the NIS 1 Directive?

‍As the need for cybersecurity grows, the NIS 1 Directive (Network Information Security Directive) steps in to make things secure. Its mission is to ensure a high level of cybersecurity across the EU member states. How? By setting clear requirements for certain organizations to follow. Embracing the NIS 1 Directive helps us safeguard critical infrastructure and keep our digital environment safe.

‍

‍

Who should care?

‍The directive applies to two groups: essential service providers (think water, transport, energy infrastructure) and digital service providers (like online search engines, marketplaces, and cloud computing). To figure out if a company needs to follow the NIS 1 Directive, they have to do something called self-identification, which helps the company decide if it applies to them. But here's the truth: many online businesses are clueless about whether they need to comply or not. Here's the deal:

‍

‍If you provide any of these services:

• cloud computing (IaaS, PaaS, SaaS)
• online marketplace
• online search engine

And you fit either of these criteria:

• more than 50 employees
• Annual Recurring Revenue (ARR) above EUR 10 million

You have to comply! But don’t worry. We'll break down what this means in practice for you.

‍

‍

How to comply with the NIS 1 Directive?

‍To comply, digital service providers need to protect their networks and systems. Here are the key areas you should focus on:

‍

1. securing your systems and facilities

Implement both physical and technical security measures to minimize any risks (i.e. lock your offices, use password manager and data backup etc.)

‍

2. handling incidents like a pro

Know what steps to follow when a breach happens (minimize the incident impact and report the attack to authorities)

‍

3. Having a backup plan to ensure business continuity

Create a backup plan that will keep your systems running in case of any unexpected events or after a disaster already occurred

‍

4. continuous monitoring, auditing and testing

Run regular scans to reveal issues in the security mechanisms

Perform simulated attacks to check the security of your systems

‍

5. compliance with international standards

Be compliant with ISO standards, SOC 2 or any other relevant regulations

‍

Want all the details? Check out the official website of the European Union Agency for Cybersecurity.

Also, there's a new version of the NIS directive coming soon. It's been approved by the European Union and will come into effect across all member states next year.

‍

‍

What are the penalties?

If a company fails to comply, it could face hefty fines. Each EU member state sets its own penalties, which can go up to £17 million. And importantly, a company can be penalized more than once.

‍

‍

Key takeaways:

• The NIS 1 Directive is here to protect our networks and information systems.
• It affects two groups: essential service providers and digital service providers.
• If you're a digital service provider with either 50+ employees or an ARR above EUR 10 million, compliance is a must.
• Cloud computing, online marketplaces, and search engines are in the spotlight.
• Don't know if you're in the club? Self-identify or reach out to us and we’ll guide you through the process!

‍

Eldison to the rescue!

‍Feeling a bit lost in the NIS 1 Directive maze? No worries! Eldison Legal has your back. Reach out to us, and together we'll keep your network and information systems safe and sound.