NIS2 Enters Law: What EU-Operating Enterprises Need to Know
In an era where digital threats loom larger than ever, the EU deadline for enterprises to take decisive steps to fortify their cybersecurity defences has now arrived.
The Network and Information Systems Directive 2 (NIS2), a landmark cybersecurity directive, now applies across the EU, member states having had until 17 October 2024 to transpose it into national law. It marks a significant milestone in the EU's efforts to create a harmonised approach to digital security across its member states.
This directive arrives at a critical juncture. The European Union Agency for Cybersecurity (ENISA) has recently reported an alarming increase in sophisticated cyberattacks, including new forms of phishing and zero-day exploits.
These threats are not confined to a single sector but span industries, threatening the digital infrastructure that underpins much of modern European society and its economy. From today, therefore, organisations operating within the EU must follow the rules or face penalties.
A look at NIS2
NIS2 is more than just an update to its predecessor NIS1; it represents a paradigm shift in how the EU approaches cybersecurity.
By casting a wider net to include more sectors and by introducing more stringent requirements, the directive aims to create a culture of cybersecurity that permeates through businesses, supply chains, and critical infrastructure operating in the EU.
However, this ambitious goal comes with its own set of challenges, as organisations scramble to understand and implement the new requirements.
NIS2 significantly expands the reach of EU cybersecurity regulations. It now covers a broad range of sectors deemed critical to the economy and society, including energy, transport, banking, healthcare, digital infrastructure, public administration, and space. The directive categorises entities as either "essential" or "important," with the former facing more stringent oversight.
One of the most notable aspects of NIS2 is its extraterritorial reach. The directive applies to essential and important entities that provide services or carry out activities within the EU, whether or not they have an establishment within its borders. A UK business supplying in-scope products and services to EU-based customers, for instance, must comply with NIS2 to maintain its operations and market access in the EU. The consequences of non-compliance are severe.
"Non-compliance with NIS2 could result in fines amounting to €10 million [US$10.8m] or 2% of global turnover for essential entities and €7 million [US$7.6m] or 1.4% of global turnover for important entities."
These fines are designed to ensure that cybersecurity is treated as a board-level priority rather than an afterthought.
Industry reaction and implementation challenges
The rollout of NIS2 has been met with a mix of anticipation and concern from industry leaders. While many recognise the need for improved cybersecurity measures, there are significant challenges in implementation.
"A lack of guidance from authorities, from the approval of the NIS2 Directive two years ago to this week's deadline, has left many organisations in a state of limbo. With the deadline for enforcement approaching, businesses have been left confused about their responsibilities."
This sentiment is echoed across various sectors. Many organisations are grappling with the practical aspects of compliance, from understanding the technical requirements to allocating the necessary resources.
"A staggering 66% of businesses were set to miss the NIS2 compliance deadline this week."
The directive also introduces personal liability for business leaders, adding another layer of urgency to compliance efforts.
"Under the new directive, business leaders within the EU zone can now be held personally liable for breaches, including financial liability and even temporary bans from management roles," says Edwin.
Despite the challenges, industry experts emphasise that NIS2 compliance is not just about avoiding penalties—it's an opportunity to enhance overall cybersecurity posture.
Simon Fisher, Senior Advisory Services Consultant at Orange Cyberdefense, thinks this regulation should serve as a wake-up call for cyber hygiene across the board.
"IT and security leaders should use these regulations to reiterate the importance of cybersecurity and compliance to the board. This should help them unlock additional budget to stay ahead of the incoming regulations."
Major insurers Marsh McLennan and Zurich have already called for government support with cyber incidents they describe as 'uninsurable'. Stronger baseline security under NIS2 could go a long way towards reducing the need for greater government intervention in the fallout of attacks.
Yet the industry does not agree on everything about NIS2 and today's enforcement. Points of contention include reporting timelines, the date of implementation and the difficulty of adoption across large enterprises.
“To be effective and realistic, the incident reporting and security measures for NIS 2 should be practical and achievable. Companies need enough time to put the right measures in place.”
“Covered entities should be given until 18 April 2027 to implement the Cybersecurity Measures. During that time, regulators would not enforce these measures but could engage with organisations to understand their roadmap for meeting the controls.
"For a large company like Cisco, adapting to multiple standards is complex and resource-intensive; but for smaller entities, it could be prohibitively burdensome, potentially stifling innovation and competitiveness. Divergent standards or national schemes limit their ability to do business cross-border in the EU, creating barriers that can hinder their growth.”
One of the significant aspects of NIS2 is its emphasis on incident reporting. Affected entities must notify the relevant authority of any significant incident without undue delay: an early warning no later than 24 hours after becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month.
Under the current thresholds, cloud providers, managed service providers and managed security service providers must file a report once a service has been completely unavailable for more than 10 minutes.
Key strategies for compliance
Yet despite the divergence of opinion, organisations will need to begin complying in order to avoid the penalties that come with non-compliance.
Article 21 of the NIS2 Directive requires covered entities to manage cyber risk through appropriate and proportionate technical, operational and organisational measures. Akamai summarises these measures as:
- Risk analysis and information security policies
- Thorough incident handling
- Business continuity and crisis management
- Robust supply chain security
- Extensive network security
- Vulnerability handling and disclosure
- Policies and procedures that assess the effectiveness of cybersecurity risk management
- Use of cryptography and encryption
- Use of multi-factor authentication
Article 21(2) also names basic cyber hygiene practices and training, human resources security, access control and asset management, so the list above should be read as a summary rather than the full set of required measures.
Experts also stress the importance of a proactive approach. "Businesses want to understand what the regulation means for their business, how to comply and what technologies are required to implement these measures," says Jesper. He advocates for clearer educational materials, best practices, and localised advice from authorities to help organisations navigate the complexities of NIS2.
As the October 2024 deadline for transposition and application arrives, it is clear that NIS2 will continue to shape the cybersecurity landscape in Europe and beyond. While the path to compliance may be challenging, the directive's ultimate goal, a more secure and resilient digital Europe, is one that benefits all.
Cyber Magazine is a BizClik brand