
Is the NIS2 directive a step in the right direction?

The NIS2 Directive – new EU-wide cybersecurity rules – introduces legal measures aimed at raising the overall level of cybersecurity in the EU.

The directive entered into force on January 16, 2023, and Member States must transpose it into national law and apply its measures from October 17, 2024. The timeline is intended to give organizations time to assess their readiness from a compliance perspective, by conducting internal audits and security assessments against the requirements set out in the directive.

Organizations classified as essential or important entities in the covered sectors will be required to take appropriate security measures and notify the relevant national authorities of significant incidents to comply with NIS2. Digital providers such as search engines, cloud computing services and online marketplaces, which the original directive regulated as digital service providers, also fall within scope and must meet the same security and notification requirements.

So, is this a major step forward in protecting organizations from harm?

In short, yes. No one could have predicted the rapid advances in business digitalization due to the pandemic, and laws are already struggling to keep up with clever cybercriminals.

The rapid need to go digital has also led to an increase in cybercrime and fraud, hence the need for stricter regulations to ensure greater security across the EU.

The EU believes that the original Network and Information Security (NIS) Directive of 2016 did not go far enough. NIS2 extends the scope of the 2016 legislation to new sectors and entities: eighteen sectors in all across its two annexes, from energy and health to chemicals and waste management.

NIS2 will further improve the resilience of critical infrastructure in the EU to cyber threats, for the good of us all. It aims to improve the overall level of cybersecurity in the EU – which is both welcome and required.

While risk-averse and well-prepared organisations will already have a solid cybersecurity strategy, NIS2 aims to catch those that lag behind with binding compliance orders, audits, orders to warn the recipients of their services about a threat and, in the most serious cases, administrative fines of up to €10 million or 2% of global annual turnover for essential entities (€7 million or 1.4% for important entities), whichever is higher.

Security designed to avoid disasters

This may seem draconian, but most of the sectors covered by the new NIS2 directive are considered critical national infrastructure. Organisations operating in these sectors now have a higher burden of proof to demonstrate that they have all the necessary safeguards in place to avoid a cyberattack that could have catastrophic national consequences.

Article 21 of NIS2 requires entities to implement ten minimum security measures, each aimed at a specific class of risk, and the directive as a whole rests on four pillars: risk management, corporate responsibility, reporting obligations and business continuity. The ten measures are:

  • policies on risk analysis and information system security
  • incident handling
  • business continuity, including backup management, disaster recovery and crisis management
  • supply chain security, including the security of relationships with direct suppliers and service providers
  • security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure
  • policies and procedures to assess the effectiveness of the measures themselves
  • basic cyber hygiene practices and cybersecurity training
  • policies and procedures on the use of cryptography and, where appropriate, encryption
  • human resources security, access control policies and asset management
  • multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems

Meeting these requirements involves both deploying appropriate security technology and establishing the policies and processes that govern it, and any audit worth the name must assess the effectiveness of both. For this reason, it is important to partner with an organization – such as Obrela – that can impartially and fairly assess both.

NIS2 emphasizes the importance of a comprehensive approach to risk management. This includes not only implementing advanced technological safeguards, but also integrating a solid cybersecurity culture within the organization. Training employees in cybersecurity best practices, providing regular updates and patches, and conducting frequent penetration tests are key elements of this approach.

Supply Chain Security

The directive also recognizes the interconnected nature of the digital economy and the importance of supply chain security. From October, organizations must assess and manage the security of their direct suppliers and service providers, taking into account each supplier's own practices and the vulnerabilities specific to the products and services they deliver. This comprehensive approach helps create a safer digital ecosystem by reducing the potential for weak links that cybercriminals can exploit.

The number of supply chain-related cybersecurity breaches in the EU increased significantly in 2023. A notable example is the MOVEit breach of May 2023, when the Cl0p ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file-transfer product, affecting over 2,300 entities and over 65 million people worldwide, with a financial impact exceeding $10 billion (Foley & Lardner LLP).

The frequency of supply chain breaches increased by 26% from 2022 to 2023. The average number of such breaches per organization increased from 3.29 in 2022 to 4.16 in 2023, according to Supply Chain Brain. Almost all companies (98%) reported that they were negatively impacted by cybersecurity breaches in their supply chains. As supply chains become more complex with multiple layers of networks and numerous digital endpoints, cyberattacks are also becoming more sophisticated and serious. And reports suggest that 40% of these supply chain attacks result from unauthorized network access.

This highlights the urgent need for improved supply chain cybersecurity measures. Organizations must adopt comprehensive risk management frameworks, conduct thorough supplier analysis, and implement continuous monitoring and detection mechanisms to mitigate risk – a process that is now being accelerated by the need to adapt to NIS2.

A new era of cooperation

Another critical aspect of NIS2 is its redoubled focus on strengthening cooperation and information exchange between Member States. By fostering a collaborative environment, the Directive aims to create a united front against cyber threats. This includes the formal establishment of the European cyber crisis liaison organisation network (EU-CyCLONe), which will play a key role in coordinating the response to large-scale cross-border incidents and crises.

The Directive emphasizes the importance of rapid incident reporting. Organizations must submit an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. This staged reporting mechanism allows authorities to respond quickly to mitigate the effects of an incident and prevent it from spreading to other sectors or Member States.

The NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity across the region. By setting higher standards, broadening the scope of covered entities and fostering greater cooperation, it aims to build a more resilient and secure digital environment.

For organizations, this means not only adapting to new regulations, but also an opportunity to strengthen their cybersecurity posture, thus contributing to a safer digital environment for all.

Janis Welitsikakis is a product manager at Obrela

Image: ideogram
