Cybersec Update #5: Your information system and the identification of key and important entities
This is an important issue from the point of view of identifying key and important entities that work closely with their affiliates or partners, and such cooperation is based, for example, on a shared information system.
Self-identification of an entrepreneur
This is one of the key obligations for entities within the scope of NIS2 and the act amending the act on the national cybersecurity system. If the status of a key entity or important entity depends on the size of the entity, the criteria for recognition as a key entity or important entity are examined as at the date of preparation of the financial statements.
NIS2 allows Member States to apply proportionate solutions
One of the recitals (16) of the NIS2 Directive states that Member States may take into account the fact that an entity is independent from partner or affiliated companies in terms of the networks and information systems it uses to provide its services, as well as in terms of the services it provides. In this way, disproportionate consideration of affiliated and partner companies can be avoided when classifying a given entity as critical or important.
The authors of the draft amendment to the UKSC took advantage of the opportunity provided by the NIS2 Directive. This means that when examining the status of micro, small, and medium-sized enterprises, as a rule, the revenues, balance sheet total, and number of employees of affiliated and partner companies should also be taken into account. This may have a dramatic impact on the position of the SME sector.
The information system is key
However, taking into account the size criteria, if an entity meets the requirements to be considered a key or important entity, but at the same time its information system is independent of the information systems of its affiliated or partner companies, or it does not provide services jointly with its affiliated or partner companies, this will mean that it is not a key or important entity.
Unclear provisions of the draft amendment to the UKSC
The draft amendment to the UKSC, despite all the benefits of such a provision, is not precise, as it does not elaborate on what this independence of the information system is.
The explanatory memorandum to the draft states that we can talk about the independence of an information system, among other things, when the provision of services by that entity does not require the involvement of an affiliated or partner entity.
This explanation in the explanatory memorandum seems insufficient, and it is necessary to clarify this issue in the bill itself. Entities may jointly use multiple information systems. However, not all of them will have to be used directly to provide services, and such systems should be considered independent of each other.
