
NIS2 and risk management

The issue of cybersecurity is of paramount importance among the new challenges of the digital age. The European Union's NIS2 Directive establishes a regulatory framework to protect the EU's digital infrastructure by enhancing information security. NIS2 is not just another bureaucratic hurdle, but an opportunity for companies to review and strengthen their IT risk management strategies. How can good risk management help you prepare for NIS2?

NIS2 registration – first step to cybersecurity

The aim of NIS2 is to achieve a high level of cybersecurity across the EU member states, with a particular focus on organizations operating critical infrastructure. Its implementation in Hungary is regulated by Act XXIII of 2023 (Cybersecurity Act), which sets out the necessary steps and deadlines. As part of the domestic implementation, the organisations concerned must register with the Supervisory Authority of Regulated Activities (SZTFH) by 30 June 2024, which is the first and most important step for the further processes.

Once registered, organisations must take a number of additional steps to comply with the NIS2 Directive. 

Is your company affected by the new NIS2 Directive? Check your NIS2 involvement with the help of RSM’s NIS2 calculator


NIS2 deadlines

  • By 30 June 2024: All organizations affected by NIS2 must self-identify and apply for registration by completing the SZTFH 420 form.
  • From 18 October 2024: Organizations affected by NIS2 should implement security measures in accordance with the appropriate security class of their electronic information systems and pay the supervisory fee to SZTFH.
  • By 31 December 2024: NIS2 affected organizations must sign a contract with a selected auditor.
  • By 31 December 2025: The selected auditor conducts the first cybersecurity audit.

Mapping cybersecurity gaps - GAP analysis

The GAP analysis is an essential tool for companies to identify what they need to do for NIS2. This step will help identify cybersecurity gaps and develop an appropriate action plan.

Companies that already have ISO27001 certification or are compliant with the requirements of Act L are in a favourable position, as they already have internal processes and policies in place. For them, integrating the requirements of NIS2 will be less challenging, but it is important to stress that ISO27001 certification does not in itself mean full NIS2 compliance.

In any case, mapping the deficiencies and developing an appropriate action plan is necessary to ensure compliance with NIS2 requirements.

Integrating cybersecurity into your business – risk management

Integrating cybersecurity into the organisational infrastructure requires carefully coordinated activities to ensure that the core NIS2 requirements for cybersecurity are met and that the risks to the organisation deriving from its systems are managed effectively and cost-efficiently.

A well-executed risk management process guides the organization in developing best practices for protecting its information and systems: it helps management understand the current state of the security measures planned or implemented to protect that information and those systems, and the related controls. On that basis, management can make informed decisions and investments that reduce risks to acceptable levels.

The organisation can tailor measures based on a risk analysis, and then prioritise and implement them according to a defined scheme; risk-based prioritisation is an appropriate approach. Prioritisation is not a minor detail: the required measures are very broad and cover many areas, so it is worth addressing the areas of greatest risk first.

Risk analysis – preparing for NIS2 requirements

Risk analysis is not just a mandatory element, but also a useful tool to help companies prioritise their cybersecurity tasks and get a realistic picture of their threat level. A thoroughly developed risk management plan in line with the NIS2 requirements not only complies with the regulations, but also contributes to the long-term stability and growth of the company.

The NIS2 Directive, and with it the implementation of appropriate risk management, is not a burden but an opportunity for companies to strengthen their digital defences.

Compliance with NIS2 – how can RSM help?

As part of RSM's NIS2 consulting, our experienced IT auditor professionals will help you prepare for NIS2 compliance so that your company meets the cybersecurity requirements.
