Tic Tac Cybersecurity Services For NIS2 Compliance
NIS2 Directive

Reference & Solutions Guide


Tic Tac Cybersecurity
CONTENTS

Introduction
Essential and Important Entities
Sectors in scope
Incident Notification
Cyber Security Risk Management Measures
NIS2 Principles & Tic Tac Cybersecurity Services Mapping
Essential and Important Entities - Supervision
Enforcement and Penalties
Management Responsibilities
Tic Tac Cybersecurity services for NIS2
A. Continuous Vulnerability Management by Tic Tac Cybersecurity
B. Incident management and response by Tic Tac Cybersecurity
C. Automated Backup and Disaster Recovery Services by Tic Tac Cybersecurity
D. Continuous Cyber Risk Scoring by Tic Tac Cybersecurity
E. Cyber Insurance by Tic Tac Cybersecurity
F. Cyber Awareness Training by Tic Tac Cybersecurity
1 Introduction

NIS2 will further enhance the work started in the NIS Directive in building a high common level of cybersecurity across the European Union. It places obligations on Member States AND individual companies in critical sectors.

New in NIS2
✔ More Sectors

✔ More entities

✔ New methods of selection and registration

✔ New incident notification deadlines

✔ Extra requirements

Three Main Pillars of NIS2

MEMBER STATE RESPONSIBILITIES
• National Authorities
• National Strategies
• CVD Frameworks
• Crisis Management Frameworks

RISK MANAGEMENT (COMPANY RESPONSIBILITIES)
• Accountability of top management for non-compliance
• Essential and important companies are required to take security measures
• Companies are required to notify incidents within a given time frame

CO-OPERATION AND INFO EXCHANGE
• Cooperation Group
• CSIRTs Network
• CyCLONe
• CVD and European Vulnerability registry
• Peer-reviews
• Biennial ENISA cybersecurity report
2 Essential and Important Entities

Entities may be designated as “Essential” or “Important” depending on factors such as size, sector and criticality.

www.ncsc.gov.ie

Size classes used in the table: LARGE = 250 or more employees, or more than 50 million revenue; MEDIUM = 50-249 employees, or more than 10 million revenue; SMALL & MICRO = entities below the medium thresholds.

Annex I: Sectors of high criticality

SECTOR | SUB-SECTOR | LARGE | MEDIUM | SMALL & MICRO
ENERGY | Electricity; district heating & cooling; gas; hydrogen; oil. Including providers of recharging services to end users. | ESSENTIAL | IMPORTANT | NOT IN SCOPE
TRANSPORT | Air (commercial carriers; airports; air traffic control [ATC]); rail (infrastructure and undertakings); water (transport companies; ports; vessel traffic services [VTS]); road (ITS) | ESSENTIAL | IMPORTANT | NOT IN SCOPE
TRANSPORT | Special case: public transport: only if identified as CER (see notes below) | ESSENTIAL | IMPORTANT | NOT IN SCOPE
BANKING | Credit institutions (attention: DORA lex specialis, see notes below) | ESSENTIAL | IMPORTANT | NOT IN SCOPE
FINANCIAL MARKET INFRASTRUCTURE | Trading venues, central counterparties (attention: DORA lex specialis, see notes below) | ESSENTIAL | IMPORTANT | NOT IN SCOPE
HEALTH | Healthcare providers; EU reference laboratories; R&D of medicinal products; manufacturing of basic pharmaceutical products and preparations; manufacturing of medical devices critical during a public health emergency | ESSENTIAL | IMPORTANT | NOT IN SCOPE
HEALTH | Special case: entities holding a distribution authorisation for medicinal products: only if identified as CER (see notes below) | ESSENTIAL | IMPORTANT | NOT IN SCOPE
DRINKING WATER | | ESSENTIAL | IMPORTANT | NOT IN SCOPE
WASTE WATER | Only if it is an essential part of their general activity | ESSENTIAL | IMPORTANT | NOT IN SCOPE
DIGITAL INFRASTRUCTURE | Qualified trust service providers | ESSENTIAL | ESSENTIAL | ESSENTIAL
DIGITAL INFRASTRUCTURE | DNS service providers (excluding root name servers) | ESSENTIAL | ESSENTIAL | ESSENTIAL
DIGITAL INFRASTRUCTURE | TLD name registries | ESSENTIAL | ESSENTIAL | ESSENTIAL
DIGITAL INFRASTRUCTURE | Providers of public electronic communications networks | ESSENTIAL | ESSENTIAL | IMPORTANT
DIGITAL INFRASTRUCTURE | Non-qualified trust service providers | ESSENTIAL | IMPORTANT | IMPORTANT
DIGITAL INFRASTRUCTURE | Internet exchange point providers | ESSENTIAL | IMPORTANT | NOT IN SCOPE
DIGITAL INFRASTRUCTURE | Cloud computing service providers | ESSENTIAL | IMPORTANT | NOT IN SCOPE
DIGITAL INFRASTRUCTURE | Data centre service providers | ESSENTIAL | IMPORTANT | NOT IN SCOPE
DIGITAL INFRASTRUCTURE | Content delivery network providers | ESSENTIAL | IMPORTANT | NOT IN SCOPE
ICT-SERVICE MANAGEMENT (B2B) | Managed service providers, managed security service providers | ESSENTIAL | IMPORTANT | NOT IN SCOPE
PUBLIC ADMINISTRATION ENTITIES | Of central governments (excluding judiciary, parliaments, central banks; defence, national or public security) | ESSENTIAL | ESSENTIAL | ESSENTIAL
PUBLIC ADMINISTRATION ENTITIES | Of regional governments: risk based. (Optional for Member States: of local governments) | IMPORTANT | IMPORTANT | IMPORTANT
SPACE | Operators of ground-based infrastructure (by Member State) | ESSENTIAL | IMPORTANT | NOT IN SCOPE

Annex II: Other critical sectors

SECTOR | SUB-SECTOR | LARGE | MEDIUM | SMALL & MICRO
POSTAL AND COURIER SERVICES | | IMPORTANT | IMPORTANT | NOT IN SCOPE
WASTE MANAGEMENT | Only if principal economic activity | IMPORTANT | IMPORTANT | NOT IN SCOPE
CHEMICALS | Manufacture, production, distribution | IMPORTANT | IMPORTANT | NOT IN SCOPE
FOOD | Wholesale production and industrial production and processing | IMPORTANT | IMPORTANT | NOT IN SCOPE
MANUFACTURING | (In vitro diagnostic) medical devices; computer, electronic, optical products; electrical equipment; machinery; motor vehicles, trailers, semi-trailers; other transport equipment (NACE C 26-30) | IMPORTANT | IMPORTANT | NOT IN SCOPE
DIGITAL PROVIDERS | Online marketplaces, search engines, social networking platforms | IMPORTANT | IMPORTANT | NOT IN SCOPE
RESEARCH | Research organisations (excluding education institutions). (Optional for Member States: education institutions) | IMPORTANT | IMPORTANT | NOT IN SCOPE
ENTITIES PROVIDING DOMAIN NAME REGISTRATION SERVICES | All sizes, but only subject to Article 3(3) and Article 28 | | |

Notes:
• Entities designated as Critical entities under Directive (EU) 2022/2557 (CER Directive) shall be considered Essential entities under NIS2.
• Lex specialis may apply where sectoral regulations are at least equivalent.
• There are certain exceptions to the above guide; please consult the text of the Directive for a full and comprehensive list of all exceptions.
3 Sectors in scope

NIS2 will apply to a wider and deeper pool of entities than currently covered by the NIS Directive. NIS2 includes new sectors whilst broadening the criteria for inclusion of entities, categorized as essential or important, within existing sectors. The sectors are divided into two groups: “Sectors of High Criticality” and “Other Critical Sectors”.

Annex 1 - Sectors of High Criticality:
• Health
• Energy
• Transport
• Digital Infrastructures (including ISP and cloud)
• Drinking Water
• Waste Water
• Space
• Banking (DORA, the Digital Operational Resilience Act, applies as lex specialis)
• Financial Market Infrastructure (DORA applies as lex specialis)
• ICT Service Management (B2B)
• Public Admin

Annex 2 - Other Critical Sectors:
• Food production & distribution
• Digital Providers
• Research
• Postal & Courier Services
• Waste Management
• Manufacturing
• Manufacture, production and distribution of chemicals (NEW)
4 Incident Notification

NIS2 imposes notification obligations in phases, for incidents which have a ‘significant impact’ on the provision of their services. These notifications must be made to the relevant competent authority or CSIRT (Computer Security Incident Response Team).

EARLY WARNING (within 24 hours of becoming aware of the incident)
Is the incident suspected of being caused by an unlawful or malicious act, or could it have a cross-border impact?

OFFICIAL INCIDENT NOTIFICATION (within 72 hours of becoming aware of the incident)
Assessment of the incident, its severity and impact, plus indicators of compromise.

INTERMEDIATE STATUS REPORT
At the request of the CSIRT or the relevant competent authority.

FINAL REPORT (no later than one month after the incident notification)
Or, if the incident is still ongoing at that time, a progress report then and a final report one month after the incident has been handled.

Where appropriate, entities shall notify the recipients of their services of significant incidents.

When in the public interest, the CSIRT or relevant competent authority may inform the public about the significant incident or may require the entity to do so.
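The reporting clock above, as an added example that is not part of this guide or of Tic Tac Cybersecurity's services: a small Python tracker that computes when each report is due for one significant incident and whether it was sent on time. The 24-hour, 72-hour and one-month deadlines are those of Article 23(4) of the Directive; the calendar-month stepping, the status labels and the constructed timeline in the `__main__` block are assumptions.

```python
"""NIS2 Article 23 reporting clock for one significant incident.

Added example; it is not code from this guide or from Tic Tac Cybersecurity.
Deadlines used (Article 23(4)): early warning within 24 h of becoming aware,
incident notification within 72 h, final report within one month of the
notification; if the incident is still ongoing at that point, a progress
report is due then and the final report one month after the incident is
handled. Calendar-month stepping and the status labels are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def add_one_month(t: datetime) -> datetime:
    """Step one calendar month, clamping to the last day of the target month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    nyear, nmonth = (year + 1, 1) if month == 12 else (year, month + 1)
    last_day = (datetime(nyear, nmonth, 1, tzinfo=t.tzinfo) - timedelta(days=1)).day
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass
class IncidentClock:
    aware_at: datetime                           # when the entity became aware
    early_warning_at: Optional[datetime] = None  # submission times, None if not yet sent
    notification_at: Optional[datetime] = None
    progress_report_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None
    handled_at: Optional[datetime] = None        # None while the incident is ongoing

    def deadlines(self) -> dict[str, datetime]:
        """Due time of each report the entity currently owes."""
        due = {
            "early_warning": self.aware_at + timedelta(hours=24),
            "incident_notification": self.aware_at + timedelta(hours=72),
        }
        # The one-month clock runs from the notification actually sent,
        # or from its deadline if it was never sent.
        one_month = add_one_month(self.notification_at or due["incident_notification"])
        if self.handled_at is not None and self.handled_at <= one_month:
            due["final_report"] = one_month
        else:
            # Still ongoing at the one-month mark: progress report now,
            # final report one month after the incident is handled.
            due["progress_report"] = one_month
            if self.handled_at is not None:
                due["final_report"] = add_one_month(self.handled_at)
        return due

    def status(self, now: datetime) -> dict[str, str]:
        """Per report: 'on time' / 'late' if sent, 'overdue' / 'pending' if not."""
        sent = {
            "early_warning": self.early_warning_at,
            "incident_notification": self.notification_at,
            "progress_report": self.progress_report_at,
            "final_report": self.final_report_at,
        }
        out = {}
        for name, deadline in self.deadlines().items():
            when = sent[name]
            if when is not None:
                out[name] = "on time" if when <= deadline else "late"
            else:
                out[name] = "overdue" if now > deadline else "pending"
        return out


if __name__ == "__main__":
    # Constructed timeline, not a real incident.
    t0 = datetime(2024, 3, 1, 10, 0)
    clock = IncidentClock(aware_at=t0,
                          early_warning_at=t0 + timedelta(hours=20),
                          notification_at=t0 + timedelta(hours=80))
    for report, state in clock.status(now=datetime(2024, 3, 10)).items():
        print(f"{report:22s} {state}")
```

The edge case worth noticing is the one-month milestone: while `handled_at` is unset the tracker treats it as a progress-report deadline, and only once the incident is marked handled before that milestone does it become the final-report deadline, which is the distinction the Directive draws for incidents still ongoing at the one-month mark.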
5 Cyber Security Risk Management Measures

Essential and Important entities must take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the systems which underpin their services, and prevent or minimize the impact of incidents on their and other services.

Such measures shall be based on an all-hazards approach that aims to protect the network and information systems and the physical environment of those systems from incidents, and must include at least the following:

1 Risk analysis & information system security
2 Incident handling
3 Business continuity measures (back-ups, disaster recovery, crisis management)
4 Supply Chain Security
5 Security in system acquisition, development and maintenance, including vulnerability handling and disclosure
6 Policies and procedures to assess the effectiveness of cybersecurity risk management measures
7 Basic computer hygiene and trainings
8 Policies on appropriate use of cryptography and encryption
9 Human resources security, access control policies and asset management
10 Use of multi-factor authentication, secured voice/video/text communication and secured emergency communication

All measures must:
• Be proportionate to risk, size, cost, and impact & severity of incidents
• Take into account the state-of-the-art, and where applicable relevant European and international standards

The EU can:
• Carry out risk assessments of critical ICT services, systems or supply chains
• Impose certification obligations (delegated acts)
• Adopt implementing acts laying down technical requirements
NIS2 Principles & Tic Tac Cybersecurity Services Mapping

NIS Principle: Tic Tac Cybersecurity Services
• Risk analysis & information system security: Continuous Vulnerability Management; Cyber risk scoring; Compliance and risk monitoring
• Incident handling: Incident response services
• Business continuity measures (back-ups, disaster recovery, crisis management): Backup and disaster recovery services
• Supply Chain Security: Cyber risk scoring
• Security in system acquisition, development and maintenance: Covered via policy
• Policies and procedures to assess the effectiveness of cybersecurity risk management measures: Compliance and risk monitoring; Covered via policy
• Basic computer hygiene and trainings: Cyber awareness training
• Policies on appropriate use of cryptography and encryption: Covered via policy
• Human resources security, access control policies and asset management: Continuous Vulnerability Management; Covered via policy
• Use of multi-factor authentication, secured voice/video/text communication and secured emergency communication: System-enforced / monitored
6 Essential and Important Entities - Supervision

The former distinction between “operators of essential services” (OES) and “digital service providers” (DSP) in the original NIS Directive is replaced by a distinction between “essential” and “important” entities.

No more categorization of OES and DSP

ESSENTIAL ENTITIES
• Proactive & reactive supervision
• On-site inspections and off-site supervision
• Security scans
• Regular & ad hoc security audits
• Information requests: requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity concerned.

IMPORTANT ENTITIES
• Reactive supervision (after incident)
• On-site and off-site inspections after incident
• Security scans
• Ad hoc security audits
• Information requests: requests for information necessary to assess, ex post, the cybersecurity risk-management measures adopted by the entity concerned.

Authorities can request information or carry out audits on a regular or ad hoc basis.
7 Enforcement and Penalties

NIS2 provides national authorities with a minimum list of enforcement powers for non-compliance, including:

A Issue warnings for non-compliance
B Issue binding instructions
C Order to cease conduct that is non-compliant
D Order to bring risk management measures or reporting obligations into compliance in a specific manner and within a specified period
E Order to inform the natural or legal person(s) to whom they provide services or activities which are potentially affected by a significant cyber threat
F Order to implement the recommendations provided as a result of a security audit within a reasonable deadline
G Designate a monitoring officer with well-defined tasks over a determined period of time to oversee compliance
H Order to make public aspects of non-compliance
I Impose administrative fines
J An essential entity's certification or authorisation concerning the service can be suspended if the deadline for taking action is not met
K Those responsible for discharging managerial responsibilities at chief executive officer or legal representative level can be temporarily prohibited from exercising managerial functions (applicable to essential entities only, not important entities).

NIS2 makes provision to impose administrative fines for infringements:
• ESSENTIAL ENTITY: a maximum of 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential entity belongs in the preceding financial year, whichever is higher.
• IMPORTANT ENTITY: a maximum of 7,000,000 EUR or up to 1.4% of the total worldwide annual turnover of the undertaking to which the important entity belongs in the preceding financial year, whichever is higher.
8 Management Responsibilities

Senior management has ultimate responsibility for cybersecurity risk management in essential and important entities. Failure by management to comply with NIS2 requirements could result in serious consequences, including liability, temporary bans and administrative fines as provided for in the implementation of national legislation.

Management bodies of essential and important entities must:
• Approve the adequacy of the cybersecurity risk management measures taken by the entity
• Supervise the implementation of the risk management measures
• Follow training in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity
• Offer similar training to their employees on a regular basis
• Be accountable for non-compliance


9 Tic Tac Cybersecurity and NIS2

Tic Tac Cybersecurity has created a services portfolio targeted specifically at NIS2 compliance. With the use of advanced tools and reports, Tic Tac Cybersecurity elevates your security posture and attains high levels of compliance with NIS2.

List of Enhanced Service Portfolio for NIS2 compliance

A. Continuous Vulnerability Management by Tic Tac Cybersecurity

Continuous vulnerability management can be likened to a perpetual check-up for an organization’s digital well-being. It involves a methodical approach to identifying, prioritizing, and addressing weaknesses (referred to as vulnerabilities) in an organization’s IT systems. These vulnerabilities can range from weak passwords and outdated software to improperly configured networks. By discovering and rectifying these vulnerabilities promptly, an organization can effectively shield itself against potential cyber threats.

Rather than being a one-off endeavor, continuous vulnerability management operates as an ongoing cycle consisting of four stages:

• Identification of Vulnerabilities: This initiates the continuous vulnerability management process by identifying all potential weak points present within an organization’s system, network, or application infrastructure. Such vulnerabilities may encompass software bugs, configuration errors, or outdated systems. The use of automated tools allows for comprehensive scanning and reporting on any identified vulnerabilities across the entire IT ecosystem.
• Assessment and Prioritization of Vulnerabilities: Following vulnerability identification comes their examination and subsequent prioritization based on the level of risk they pose. Adhering to a risk-based approach, resources are allocated to resolving the most critical vulnerabilities first: those that have the potential to cause maximum harm if compromised.
• Remediation of Vulnerabilities: Once prioritized, vulnerabilities undergo remediation (i.e., fixing). This can involve actions like patching software, rectifying configuration errors, or replacing outdated systems with up-to-date alternatives. The primary objective is to eliminate vulnerabilities and fortify the overall security system.
• Verification and Follow-up: In the final stage, verification checks ascertain the successful resolution of existing vulnerabilities and ensure no new ones were introduced during the process. Continuous monitoring plays a key role here, constantly checking for new vulnerabilities and initiating future cycles of the continuous vulnerability management process.

It is important to emphasize that Continuous Vulnerability Management should not be regarded as a “set it and forget it” procedure. It necessitates regular attention and ongoing maintenance. Through this iterative cycle, resilient security systems are achieved by adapting to emerging threats in real time.
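The four stages above, as an added example in Python that is not code from this guide or from Tic Tac Cybersecurity: it takes a constructed set of scan findings, ranks them with a risk score that weights CVSS by exploitation, exposure and asset criticality (the weights and SLA bands are assumptions), and verifies a rescan by classifying each finding as fixed, still open or new. The finding identifiers are placeholders, not real CVE numbers.

```python
"""One turn of the vulnerability management cycle: prioritise a scan's
findings by risk, assign a remediation SLA, and verify the next scan.

Added example, not code from this guide or from Tic Tac Cybersecurity. The
findings, the weighting factors and the SLA bands are constructed for
illustration; finding identifiers are placeholders, not real CVE numbers.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str          # scanner's identifier (placeholder here)
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited: bool          # exploitation observed in the wild
    internet_facing: bool
    asset_criticality: int   # 1 (low) to 3 (crown jewel)


def risk_score(f: Finding) -> float:
    """CVSS ranks theoretical severity; weight it by reachability and asset value."""
    score = f.cvss
    if f.exploited:
        score *= 1.5                        # weaponised bugs first
    if f.internet_facing:
        score *= 1.3                        # reachable without a foothold
    score *= {1: 0.8, 2: 1.0, 3: 1.2}[f.asset_criticality]
    return round(min(score, 20.0), 2)


def remediation_sla_days(score: float) -> int:
    """Hypothetical SLA bands: the higher the risk, the shorter the fix window."""
    if score >= 12:
        return 3
    if score >= 8:
        return 14
    if score >= 5:
        return 30
    return 90


def prioritise(findings: list[Finding]) -> list[tuple[Finding, float, int]]:
    """Highest risk first; ties broken by asset and id so the order is stable."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.finding_id))
    return [(f, risk_score(f), remediation_sla_days(risk_score(f))) for f in ranked]


def verify(previous: list[Finding], rescan: list[Finding]) -> dict[str, list[tuple[str, str]]]:
    """Compare a rescan with the last cycle: what closed, what is still open,
    and what appeared since (a new exposure or a regression from the fix)."""
    before = {(f.asset, f.finding_id) for f in previous}
    after = {(f.asset, f.finding_id) for f in rescan}
    return {
        "fixed": sorted(before - after),
        "still_open": sorted(before & after),
        "new": sorted(after - before),
    }


# Constructed scan results for the example, not real scanner output.
CYCLE_1 = [
    Finding("web01", "ssh-weak-kex", 5.3, False, True, 2),
    Finding("db01", "unpatched-dbms", 9.8, True, False, 3),
    Finding("vpn01", "vpn-rce", 8.1, True, True, 3),
    Finding("hr-laptop", "outdated-browser", 7.5, False, False, 1),
]
CYCLE_2 = [  # rescan after remediation: two fixed, one new finding on web01
    Finding("web01", "ssh-weak-kex", 5.3, False, True, 2),
    Finding("hr-laptop", "outdated-browser", 7.5, False, False, 1),
    Finding("web01", "tls-weak-cipher", 4.3, False, True, 2),
]


def run_cycle() -> dict:
    """Prioritised worklist for cycle 1 plus verification against cycle 2."""
    worklist = [(f.asset, f.finding_id, score, sla) for f, score, sla in prioritise(CYCLE_1)]
    return {"worklist": worklist, "verification": verify(CYCLE_1, CYCLE_2)}


if __name__ == "__main__":
    report = run_cycle()
    for asset, fid, score, sla in report["worklist"]:
        print(f"{asset:10s} {fid:18s} risk={score:5.2f} fix within {sla} days")
    print(report["verification"])
```

Note that the highest CVSS finding (9.8 on the database) is not at the top of the worklist: the internet-facing VPN bug with a known exploit outranks it, which is the point of a risk-based rather than severity-based queue. The verification step is what keeps the cycle honest, since a finding that reappears after being marked fixed shows up in `new` and starts the next iteration.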

B. Incident management and response by Tic Tac Cybersecurity

Incident management helps a company's IT team provide great service and reduce costly downtime. But those are just a couple of reasons. There are plenty more benefits associated with implementing incident management best practices.

A better overall process

Quick identification of incidents is essential for minimizing their impact and ensuring efficient resolution. Acknowledging incidents promptly allows organizations to take immediate action, mitigate effects, and prevent further disruption, ultimately enhancing customer satisfaction. A standardized approach ensures consistency in incident handling, streamlining operations, minimizing errors, and facilitating easier training of new team members. Proactive risk mitigation through effective incident management strategies helps to protect assets and reputation. Implementing an agile incident management process enables organizations to adapt quickly to unexpected events, maintain flexibility, and deliver quicker responses, ultimately ensuring minimal downtime and optimal operational effectiveness.

Achieve greater visibility

Enhancing visibility is important for organizations, providing insight into incident impact and the effectiveness of response strategies. Clear visibility into IT operations enables proactive issue resolution, minimizes downtime, and facilitates the identification of patterns for preventive measures. Prioritizing visibility enhances efficiency, productivity, and customer satisfaction by enabling informed decision-making and optimized performance.

Enhance accessibility

Enhance accessibility by implementing good incident management practices that prioritize the needs of all users. This will ensure that services are easily accessible and comply with relevant regulations and standards.

Leverage automation

Automation tools have the capability to expedite the process of incident detection, diagnosis, and resolution. By incorporating automation into the workflow, organizations can streamline their operations, improve overall efficiency, and reduce the time and effort required to identify and address incidents, allowing teams to focus on more critical tasks. Additionally, automation tools can provide real-time alerts and notifications, enabling teams to respond promptly to incidents and minimize potential impacts.

Earn better satisfaction with IT

Effective incident management directly impacts user and customer satisfaction with IT services by promptly resolving incidents, demonstrating a commitment to service quality, and fostering trust and transparency. Timely resolution of incidents makes users feel valued and supported and ensures reliability and consistency in IT services, crucial factors for customer satisfaction. Transparent communication during incidents helps maintain positive relationships with stakeholders and minimizes confusion, ultimately strengthening trust and confidence in the organization. Organizations can reduce downtime, prevent revenue loss, and maintain a loyal customer base by implementing reliable incident management processes.

C. Automated Backup and Disaster Recovery Services by Tic Tac Cybersecurity

Automatic backups and disaster recovery ensure that critical data can be recovered quickly. This minimizes downtime and keeps your business running without any interruption. Additionally, we relieve the burden of managing your backups and disaster recovery protocols to give you better reliability, reduced risk and more time to focus on your business.

Both automatic backup and disaster recovery are now fundamental components of a properly structured business IT solution and essential to smart information management.

• More Peace of Mind
We’re proud to say that our data centers meet the most rigorous security and regulatory compliance requirements, including SOX, PCI, CIPA, HIPAA, and others.

• Quick, Easy Restore
Restoring your files is simple and can be done quickly anytime, anywhere!

• Automatic & Cost Effective
Cloud backups cost a lot less than managing your own backup as they are fully automated. No need to waste time and resources making discs or updating drives to keep off-site.

• You’re in Control
You can set the frequency of backups to suit your requirements, from ‘constant’ to ‘daily’. Email notification follows every backup, keeping you in the loop and giving you complete control of the process.

• Complete Privacy and Protection
Your encrypted backups can only be accessed using your own password; keep that password somewhere ransomware cannot reach and an authorised administrator can recover, since without it the backups cannot be restored. Ransomware protection is provided out of the box.

D. Continuous Cyber Risk Scoring by Tic Tac Cybersecurity

Evaluate your organization's cybersecurity posture across ten groups of risk factors, including DNS health, IP reputation, web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence. Security ratings are a useful metric that gauges the external cybersecurity posture of an organization, and they have become an important data point in today’s digital landscape, as businesses strive to protect their sensitive data and assets from cyberattacks.

The platform utilizes a combination of external and proprietary data sources, continuously monitoring a myriad of risk factors. It collects data from a variety of sources, including public records, vulnerability scans, threat intelligence and breach history, providing an external view of an organization’s cybersecurity posture that is made available to clients and to organizations assessing companies as vendors. The platform then analyzes this data to generate a security rating for the enterprise or for each vendor organization being evaluated.

The platform gathers data from a variety of sources, including:

• Publicly available information: the platform scans the internet for information about an organization’s security posture, such as exposed ports, outdated software, and known vulnerabilities.
• Private data sources: the platform also integrates data from a variety of private sources, such as security researchers, threat intelligence feeds, and vulnerability databases.
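As an added example, not the scoring platform's code (its factor definitions and weights are not published in this guide), the block below shows what one input to a “DNS health” factor can look like: it parses a domain's SPF and DMARC TXT records, flags weak settings, and scores a constructed weak configuration beside a hardened one. The records, the `.test` domain and the 25-points-per-issue weighting are assumptions.

```python
"""DNS-health check of the kind an external risk-scoring platform might run,
here for a domain's SPF and DMARC records.

Added example; it is not code from this guide or from Tic Tac Cybersecurity.
The TXT records are constructed (the .test TLD is reserved), the checks
follow RFC 7208 (SPF) and RFC 7489 (DMARC), and the score weighting is a
hypothetical one.
"""
from __future__ import annotations

# Constructed records for a hypothetical domain: a weak configuration and a
# hardened one, keyed by the DNS name the TXT lookup would be made at.
WEAK = {
    "example-corp.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.test +all"],
    "_dmarc.example-corp.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test"],
}
HARDENED = {
    "example-corp.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.test -all"],
    "_dmarc.example-corp.test": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-corp.test"],
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term: str) -> str:
    """'include:_spf.x' -> 'include', '+all' -> 'all', 'redirect=x' -> 'redirect'."""
    t = term.lower().lstrip("+-~?")
    for sep in (":", "/", "="):
        t = t.split(sep, 1)[0]
    return t


def spf_issues(txt_records: list[str]) -> list[str]:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    issues = []
    if len(spf) > 1:
        issues.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_terms = [t.lower() for t in terms if _mechanism(t) == "all"]
    if any(t in ("+all", "all") for t in all_terms):
        issues.append("'+all': any host on the internet may send as this domain")
    elif any(t == "?all" for t in all_terms):
        issues.append("'?all': neutral result, SPF gives no protection")
    elif not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are not rejected")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return issues


def parse_dmarc(record: str) -> dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_issues(txt_records: list[str]) -> list[str]:
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = parse_dmarc(dmarc[0])
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid DMARC policy tag 'p='")
    elif policy == "none":
        issues.append("DMARC p=none: spoofed mail is only reported, never blocked")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not being collected")
    return issues


def dns_health(txt_records: dict[str, list[str]], domain: str) -> tuple[int, list[str]]:
    """Score 0-100 (hypothetical weighting: 25 points per issue) plus the findings."""
    issues = spf_issues(txt_records.get(domain, [])) + dmarc_issues(txt_records.get(f"_dmarc.{domain}", []))
    return max(0, 100 - 25 * len(issues)), issues


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        score, issues = dns_health(records, "example-corp.test")
        print(f"{label}: {score}/100", *issues, sep="\n  ")
```

The weak record set scores 50: `+all` lets any sender pass SPF for the domain, and `p=none` means DMARC only reports spoofing. Both are visible to anyone who queries public DNS, which is why an external rating can pick them up without any access to the organisation's systems. Feeding real records in would mean replacing the constructed dictionaries with a TXT lookup from a DNS client library.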
E. Cyber Insurance by Tic Tac Cybersecurity

Cyber insurance is a form of cover designed to protect your business from threats in the digital age, such as data breaches or malicious cyber hacks on work computer systems.

A business is responsible for its own cyber security, but in the event of a cyber-attack, having the right insurance will mean you aren’t alone. Cyber cover can provide crucial support to help your business stay afloat.

What does cyber insurance cover?

In the event of a breach, security failure, illegal threat or cyber-attack, most cyber insurance policies will cover the first-party and third-party financial and reputational costs if data or electronic systems have been lost, damaged, stolen or corrupted.

For the business involved, the first-party cover includes the cost of:

• Investigating a cybercrime
• Recovering data lost in a security breach
• The restoration of computer systems
• Reputation management
• Extortion payments demanded by hackers
• Notification costs, in the case you are required to notify third parties affected.

Some of our cyber insurance policies also offer support with income loss if your business needs to close temporarily because of a cyber-attack.
F. Cyber Awareness Training by Tic Tac Cybersecurity
Old-school awareness training does not hack it anymore. Your email filters have an average
7-10% failure rate; you need a strong human firewall as your last line of defense.

• Send fully automated simulated phishing attacks, using numerous customizable templates
with unlimited usage
• Train your users with access to always-fresh awareness training content
• AI-Driven phishing recommendations based on your users' phishing and training history
• Use Assessments to gauge proficiency of your users in security knowledge
• Easy user management using Active Directory Integration
Contact Us
Tic Tac Cybersecurity
9, Tripoleos Street, 17237, Imittos, Athens, Greece

info@tictac.gr

+30 210 6897323

www.tictaclabs.com | www.tictac.gr
