Mandatory Cybersecurity Compliance for EU Sectors in 2024: Directive (EU) 2022/2555 Explained

In 2024, mandatory monitoring begins for public and private structures required to implement Cybersecurity measures. Fines starting from 7 million euros will be imposed on public and private sector structures that do not comply with the requirements of Directive (EU) 2022/2555.

What is Directive (EU) 2022/2555? The Directive concerns measures for a high common level of cybersecurity in the EU and takes into account several additional agreements, proposals, opinions, and recommendations from the EU, EC, national parliaments, ECB, EESC, and CoR. It targets various sectors that store and/or use personal data of EU citizens/consumers.

Who does this Directive affect? The Directive affects several sectors in the public and private branches (a full list can be found in Annex I and Annex II of the Directive). The sectors are divided into two separate lists – Sectors of High Criticality (Annex I) and Other Critical Sectors (Annex II). Affected sectors include Transport, Energy, Banking Sector, Financial Market Infrastructures, Healthcare, Drinking and Waste Water, Digital Infrastructure, ICT Service Management, Public Administration, Postal and Courier Services, Waste Management, Production, Preparation and Distribution of Chemicals, Food Production, Processing and Distribution, and others. The Directive affects all enterprises within these sectors without exceptions.

What measures need to be taken to comply with the Directive? To comply with the Directive, the affected sectors need to implement Cybersecurity measures to protect enterprises and administrations from data leaks, malware, ransomware attacks, and other types of malicious activities aimed at compromising the personal data of partners/clients/patients, which could, in one way or another, lead to threats or interference with national security. To meet the conditions of the Directive, you can use Cy-Napea's Cybersecurity services, which fully comply with the Directive's requirements.

I have an installed Antivirus program. Do I need to take other measures? Yes. An antivirus program is only a small part of Cybersecurity systems. More information on what cybersecurity entails can be read here. You can read about the difference between a regular antivirus program and a cybersecurity system here.

Will my sector be monitored for compliance with the Directive's requirements? Implementation of and compliance with the Directive's measures will be monitored by specially formed commissions, which will be directly subordinated to the EU, EC, and the Council of Europe. Monitoring begins from the final date for the introduction and implementation of the Directive in the respective country, and companies/institutions that have not complied with the Directive's requirements are subject to heavy fines.

What is the penalty if I do not implement the mandatory Cybersecurity measures in my enterprise? For violations of the Directive's provisions, the sanctions are as follows:

  • Administrative fines of up to at least 10,000,000 EUR or at least 2% – whichever is greater – of the total global annual turnover for the preceding financial year of the enterprise to which the essential entity belongs.
  • Administrative fines of up to at least 7,000,000 EUR or at least 1.4% – whichever is greater – of the total global annual turnover for the preceding financial year of the enterprise to which the important entity belongs.
  • Member States may provide for the power to impose periodic penalty payments to compel an essential or important entity to cease a violation of this Directive in accordance with a previous decision of the competent authority.

The provided sanctions do not mention adjusting the size of the fines according to the turnover of the firms; only a minimum threshold of 7,000,000 EUR for important entities and 10,000,000 EUR for essential entities is set. In practice, this means that enterprises with annual turnover significantly below these minimum thresholds also fall under the minimum sanctions, potentially leading to bankruptcies of certain enterprises. Therefore, we advise strict compliance with the Directive. For a free consultation, you can contact us via the contact form on our website, our phone number +359 897 56 77 77, or our email address – sales@belanimus.com.

Are Cybersecurity services expensive? The cybersecurity services market offers a range of products providing various measures for cybersecurity. The prices of these services depend on the measures/services included in a given product. In most cases, clients need to use more than one product to fulfill all cybersecurity measures, leading to significant compatibility issues between products. Our Cy-Napea product combines everything necessary from a software perspective to ensure the corporate security of your enterprise. Considering that we use an All-In-One product, this brings the product's price down to the price of a good paid antivirus program. The cost of our product depends on the chosen packages and additional options/services (more information can be found here), and the price is calculated based on individual needs, meaning each client pays only for what they use and nothing more. For a free consultation with our specialists, you can use the contact form on our website, our phone number +359 897 56 77 77, or our email address – sales@cy-napea.com. Preliminary information on the supported technical parameters can be found here.

Tomislav Filipov
Author