Get an overview of NIS2

Higher Demands on Management

  • Obligation to take part in the responsibility for cybersecurity.
  • The organization must be familiar with the requirements of the directive and with its own risk management efforts.
  • Direct responsibility for identifying cyber risks, mitigating them, and ensuring compliance with the requirements.
  • Requirements for risk management and robustness.
  • Implementation of preventive measures to reduce risks and their consequences.
  • Initiatives such as risk assessments, contingency plans, awareness training for employees, and access control and management.


Reporting Obligations

A specific reporting obligation is introduced, requiring companies to notify the relevant authority of significant incidents.

Within 24 hours:

  • Initial notification to the Computer Security Incident Response Team (CSIRT, EU body).
  • Description of the incident.

Within 72 hours:

  • Detailed description of the incident timeline.
  • Severity, impact, and actions taken.

Within 1 month:

  • Full detailed report.
  • Mitigation measures.
  • Consequences.


Who is Affected?
Digital infrastructure:
DNS, data centers, cloud providers, MSPs, communication platforms, top-level domain administrators, and trust services.

Energy:
Producers, operators, suppliers and distributors involved in the generation, transmission and sale of electricity, oil, gas, district heating/cooling and hydrogen, as well as operators and producers of EV charging stations.

Transport:
Air, rail, road, and sea transport as well as freight and port companies.

Public administration:
Central administration, regions, and municipalities.

Banking and financial market infrastructures:
Banks, credit, trading, and stock exchange companies, as well as their infrastructure.

Health:
Healthcare providers, research laboratories in health promotion, pharmaceutical companies, and manufacturers of medical equipment and raw materials.

Drinking and wastewater:
Suppliers, distributors, collection, and disposal.

Space:
Space infrastructure, software, and services.

Chemicals:
Manufacturing, production, and distribution.

Waste management:
Collection, transport, recovery, and disposal.

Postal and courier services:
Preparation, sorting, transport, and delivery of mail and packages.

Food companies:
Manufacturing, distribution, and production.

Digital service providers:
Providers of online marketplaces, search engines, and social platforms.

Research:
Research organizations.

Manufacturing of particularly critical equipment:
Manufacturing and production of pharmaceuticals, electronic and optical equipment, machinery, vehicles, and spare parts considered critical to society.


Is Your Company Affected?

If your company falls under one of the categories above, you should be aware of the following: your company must be able to demonstrate how its IT & OT security is structured, how IT & OT security is handled, how IT & OT systems recover, and how strong its IT security is. The directive outlines a series of mandatory measures, including:

  • Risk analysis and information system security.
  • Incident management.
  • Operational continuity (e.g., backup, recovery, and crisis management).
  • Continuous evaluation of security measures.
  • Employee training.
  • Encryption.
  • Personnel security and access control.

Want to know more? Contact us – we can help with both the technical and legal aspects. Learn more at https://nto.dk/ot-cyber-security.


Specialists in Development

NTO A/S · Industrivej 8 · DK-7430 Ikast · Tlf.: +45 9715 3344 · nto@nto.dk