In this blog post, we take a closer look at the NIS2 directive, the European directive on measures for a high common level of cyber security, which is implemented across EU member states, including Croatia, and will particularly benefit companies like Span that offer cybersecurity services.
Introduction
In 2016, the EU adopted the Network and Information Systems (NIS) Directive, the first piece of European legislation of its kind on cyber security. However, the implementation of this directive varied greatly across EU countries and encountered significant obstacles such as regulatory complexities.
Consequently, the European Commission decided to revise it with the NIS 2 directive, which clearly defines which organizations the directive addresses and what requirements apply to them. The NIS2 directive entered into force more than a year ago. From then until today, most of the work has been done by the legislative bodies of the EU member states, which have been preparing national regulatory frameworks in order to implement the NIS2 Directive.
One example of preparing the framework via national regulation is the Croatian Cyber Security Act, which entered into force this year. Overall, this act will enable full alignment with the NIS 2 Directive. According to the act, some of the regulatory authorities in Croatia are the Croatian National Bank (HNB), the Croatian Financial Services Supervisory Agency (HANFA), the Croatian Regulatory Authority for Network Industries (HAKOM), the Ministry of Science and Education (MZO) and others.
Now, what’s next?
First step – The first step is called categorization. By 15 February 2025 at the latest, the aforementioned authorities will have to send a notification on categorization to all economic operators that are expected to implement cyber security measures under the above-mentioned Croatian Cyber Security Act. Each entity will be classified as a “key” or “important” obligated entity under this act. The Croatian Cyber Security Act is a local regulation that seeks to enforce all guidelines under the NIS 2 directive, which has a much wider framework than the Act itself. Entities that are liable under the NIS2 regulation are divided into key and important subjects. According to NIS2, key subjects are companies and institutions from certain sectors that have more than 250 employees and an annual turnover of more than EUR 50m, or those with a total annual balance sheet of more than EUR 43m. Important subjects are companies and institutions from certain sectors with more than 50 employees and an annual turnover of more than EUR 10m, or those with a total annual balance sheet of more than EUR 10m. This might serve as a solid guideline for classification in Croatia. After the classification is received, two deadlines will begin to run.
First deadline – one month after receiving the notification on categorization (read: the notification on whether the subject is key or important), 15 March 2025, the entity will be obliged to start notifying the competent team about any data-relevant incident.
Second deadline – one year after receiving the notification on categorization, 15 February 2026, the entity must already fully comply with all provisions of this act.
Non-compliance could bring substantial fines to entities, amounting to up to EUR 10m or up to 2% of the total annual worldwide turnover (whichever amount is greater). The specific amount will depend on whether the entity falls into the category of “key” or “important” entities, as well as on the nature and severity of the violation.
Estimates
According to the European Commission, the direct costs of implementing the NIS 2 regulation for EU companies are estimated to amount to EUR 31.2 bn annually, representing 0.31% of the total sales in all sectors affected by the NIS 2 directive. This will significantly increase the average spending on cyber security, which stood at 0.52% of total sales in these sectors in 2020. Further, the companies to which NIS already applies should expect up to a 12% increase in ICT expenditure in the years immediately following the introduction of NIS 2, while those companies to which the first NIS did not apply should expect 22% higher costs. According to sector experts, around 600-700 entities are classified as “key”, and many more than that as “important”.
Looking at the companies available on the stock exchange, Span is a key company to benefit from such regulation/development. To put things into perspective, Span recorded lower profitability in FY 2023 as the company started a strong investment cycle, expanding its workforce by c. 1/3 at the Group level and increasing employment, especially in its Cybersecurity segment. Private companies are expected to lead the way with implementation, as their international partners and vendors will force companies to be NIS2 compliant. On the other hand, we expect government enterprises to comply at the latest possible moment, as we do not see it in their budgets yet. Overall, this investment cycle for Span has so far materialized in the form of higher staff cost growth, resulting in lower operating profitability margins. We expect Span to soon see the results of the aforementioned investments.
Span’s key financials [FY 2023 vs. FY 2022, EURm]
Source: ZSE, InterCapital Research