How EU NIS2 helps build cyber resilience
The EU’s recent Network and Information Security 2 Directive (EU NIS2 Directive) is being introduced to ‘boost the overall level of cybersecurity in the EU’. However, businesses everywhere should be paying attention to how EU NIS2 helps build cyber resilience.
Even as cyberattacks continue to increase, awareness and risk management are still lagging. It’s not just the sheer number of threats bombarding European businesses that are causing the problem, the growing sophistication of attacks is cause for concern. Almost every organization is a potential target, with over 90% of attacks being initiated via email. In response, the EU Directive seeks to establish a high common level of cybersecurity across the Union.
NIS2 takes a risk management approach and has a wider scope than NIS 1. The Directive requires EU member states to put legislation in place to cover cybersecurity risk management, supply chain diligence, incident reporting, and management responsibilities for approval and oversight. Like GDPR, it introduces significant penalties for non-compliance (up to €10 million or 4% of global turnover) and enforcement begins in October this year.
Application is not yet completely clear
The Directive is dense reading. This has led to all kinds of interpretations (or misinterpretations) of which organizations it will apply to. According to the European Commission FAQs, the ‘important and essential’ industries that NIS2 applies to include:
- Sectors of high criticality: energy (electricity, district heating and cooling, oil, gas and hydrogen); transport (air, rail, water and road); banking; financial market infrastructures; health including manufacture of pharmaceutical products including vaccines; drinking water; waste water; digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data center service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services); ICT service management (managed service providers and managed security service providers), public administration and space.
- Other critical sectors: postal and courier services; waste management; chemicals; food; manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment; digital providers (online marketplaces, online search engines, and social networking service platforms) and research organizations.
While most blogs and articles mention that NIS2 applies to all operators of essential and important services in Europe (wherever they’re based), it’s important to note the Directive affects the supply chains of those organizations, too.
- Furthermore, NIS2 addresses security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships.
This list is not exhaustive or final, and will only become clearer when Member States produce their list of ‘Essential and Important Entities’ – but that isn’t required until April 2025, six months after the Directive kicks in. It’s worth noting that some small and micro businesses in critical sectors will be included.
Three positive changes we’re likely to see as a result of NIS2
Following the precedent of GDPR
In the USA, California, Colorado, and Vermont have all introduced new consumer privacy laws since 2018, and Canada has seen the introduction of new privacy legislation in Alberta, British Columbia, and Quebec. Similar data protection laws have also been introduced in countries in the Middle East, Africa, Japan, South America. In the same way, it’s likely that we’ll start seeing other countries and states following suit with their own variations on NIS2-like regulations.
We also predict that more companies will be seeking ISO 27001 certification (the international standard for information security management systems) to ensure they are covered for NIS2 requirements.
Greater senior accountability
NIS2 makes cybersecurity a boardroom issue, placing responsibility for cybersecurity and risk management firmly with management bodies, who can be held directly and personally liable for infringements. We see this as a growing trend, and making cybersecurity part of overall corporate governance must be a positive step.
The growth of a cybersecurity culture
Better communication and collaboration between companies and countries through incident reporting and information sharing will help to prevent threat proliferation, and potentially mitigate the impact of cyber incidents.
Like health and safety, cybersecurity needs to become embedded in our business and societal standards: it needs to become second nature. While regulation will probably be a key security driver for many years to come (as well as, for the unwary, learning from bitter experience), our security goal must be the normalization of good practice, greater education and awareness, and the adoption of effective tech solutions.
Want to find out more about how Libraesva can help you comply with government and industry regulation?
