NIS2: Shaping the future of cyber security across Europe and globally

Daniel Hurel, Vice President of Cyber Security & Next Gen Solutions EMEA at Westcon-Comstor, provides a detailed outlook on the NIS2 directive.

In an increasingly digital world, cyber security has become a paramount concern for governments, organisations, and individuals alike. As cyber threats continue to evolve in complexity and frequency, it is essential for nations to adopt robust cyber security regulations to protect their critical infrastructure, sensitive data, and citizens.

The European Union (EU) recognises the urgency of this issue and has taken a significant step forward with the Network and Information Systems Security Directive 2 (NIS2), which Member States must transpose into national law by 17 October 2024 and which is estimated to bring more than 100,000 organisations into scope.

NIS2 aims to equip organisations with the tools they need to better protect themselves against security risks while building upon the foundation laid by its predecessor, the NIS1 Directive.

NIS1, adopted in 2016 as the first EU-wide cyber security law in response to rising threats to increasingly digitalised services, aimed to improve the cyber security posture of operators of essential services and digital service providers within the EU. It required Member States to adopt security measures and to ensure that significant cyber security incidents were reported.

NIS2 aims to enhance the resilience and security of critical infrastructure and digital services across the continent further by expanding on the previous requirements and scope of covered organisations and sectors.

Implications for Europe and beyond

Like GDPR, NIS2 will have global ramifications. Entities established outside the EU that offer in-scope services within the EU fall directly under the directive and must designate a representative in the Union, and because in-scope entities must manage the security of their supply chains, suppliers both inside and outside Europe can expect NIS2 obligations to flow down to them contractually if they want to keep doing business with European customers.

This will not only raise the baseline of cyber security but is also likely to foster international co-operation and increase trust between Member States and their trading partners.

NIS2 also leads Member States to strengthen their cooperation in cyber crisis management, by providing a formal framework for the Cyber Crisis Liaison Organisation Network (CyCLONe).

NIS2 applies to organisations that operate in one of the sectors listed in its annexes and are at least medium-sized, meaning 50 or more employees or an annual turnover or balance sheet above €10,000,000. A small number of entity types, such as DNS service providers, top-level domain name registries and qualified trust service providers, are in scope regardless of size. In-scope organisations are classified as either ‘essential’ or ‘important’ entities, depending on their sector and size.

Essential entities are typically large organisations in the ‘sectors of high criticality’ (Annex I), such as energy, health, transport, banking and financial market infrastructure, drinking water and waste water, digital infrastructure, public administration and space. Important entities are drawn from the ‘other critical sectors’ (Annex II), including postal and courier services, waste management, manufacturing, food, chemicals, digital providers and research, as well as medium-sized organisations in Annex I sectors.

Organisations are required to implement risk management practices, including risk assessments and mitigation measures, to identify and address cyber security threats effectively. They must also report significant incidents to the relevant authority or CSIRT within fixed timeframes: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Taking this one step further, NIS2 moves accountability from IT departments to the boardroom. Management bodies are required to approve and oversee the entity’s cyber security risk management measures, to undergo training, and can be held liable for infringements. For essential entities, the competent authority can also temporarily prohibit individuals at chief executive or legal representative level from exercising managerial functions until compliance is restored.

This bold step will change the sentiment and perceptions around who is responsible for cyber security by holding top management personally liable where gross negligence is proven after a cyber security incident.

In addition to this, NIS2 promotes the need for business continuity by requiring organisations to set out a plan for how they intend to ensure business continuity in the case of major cyber incidents. This plan should include considerations about system recovery, emergency procedures, and setting up a crisis response team.

Zero trust compliance

NIS2 lists ‘basic cyber hygiene practices’ among its mandatory risk management measures, and its recitals name zero-trust principles, alongside software updates, device configuration, network segmentation, identity and access management and user awareness, as examples of what those practices should include.


Zero Trust is a security framework and set of principles under which no user, device or network location is trusted by default, whether inside or outside the corporate perimeter. Every access request is verified explicitly against identity, device health and context, access is limited to the least privilege needed for the task, and the organisation designs as if a breach has already occurred.

Because trust is re-evaluated on each request rather than granted once at login, an account or device that starts behaving anomalously can be flagged and its access revoked in a timely manner.

Penalties for non-compliance

The NIS2 directive sets out key obligations for organisations and Member States and introduces penalties for non-compliance, including non-monetary enforcement measures such as binding instructions and administrative fines, to incentivise organisations to prioritise cyber security.

For example, essential entities that fail to comply can be fined up to €10,000,000 or 2% of their total worldwide annual turnover, whichever is higher, while important entities can be fined up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher.

Business impact and considerations

For the 100,000-plus organisations set to be affected when NIS2 takes effect in October 2024, the directive creates additional obligations and responsibilities.

NIS2 will require specific security procedures for employees with access to sensitive or important data, including access control policies, human resources security, cyber security training and basic cyber hygiene practices.

Additionally, organisations must have a plan for maintaining business operations during and after a security incident. This covers backup management and disaster recovery, including keeping backups up to date and tested, as well as crisis management arrangements that preserve access to IT systems and their operating functions while an incident is being handled.

Some organisations will find the shift to a zero-trust architecture, together with the other changes NIS2 requires, to be a major overhaul of the way they approach cyber security.

However, the good news is that there is still time to prepare. To be compliant when October 2024 arrives, organisations that are in scope should review their current measures against the directive’s requirements and, because supply chain security is itself one of those requirements, work with their suppliers and partners to establish the steps each needs to take.

While it might come with some challenges, businesses should regard NIS2 as a positive development for European cyber security, ultimately making the EU more resilient to the ever-evolving cyber threats of the digital age.
