Is The NIS2 Directive A Step In The Right Direction? 

Uploaded on 2024-09-18 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The NIS2 Directive - the new EU-wide legislation on cybersecurity - provides legal measures to boost the overall level of cybersecurity across the EU.  

Set to come into force on October 17, 2024, the timeline was proposed to allow organizations time to assess their readiness from a compliance perspective; by undertaking internal security audits and evaluations to ensure they meet the requirements outlined in the Directive. 

Businesses identified as operators of essential services in key sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents to comply with NIS2. Also, key digital service providers, such as search engines, cloud computing services and online marketplaces, must comply with the security and notification requirements under the Directive. 

So, is this a big advance in the quest to keep organisations safe from harm?  

In a word, yes. No one could have predicted the rapid strides made in digitalising business because of the pandemic, and legislation already struggles to keep pace with savvy cyber criminals. 

The rapid need to pivot to digital solutions also drove a spike in cybercrime and fraud, hence the need for stronger legislation to ensure better EU-wide security. 

The EU feels that the original directive, NIS, (Network and Information Systems Regulations) didn’t go far enough. NIS2 extends the remit of that 2016 legislation, to new sectors and entities, which now applies to fifteen sectors from chemicals to waste management. 

NIS2 will further improve the resilience of critical infrastructure in the EU against cybersecurity risks, for all our benefit. It is designed to improve the overall level of cybersecurity in the EU –-something that is welcomed and required. 

While risk averse and well-prepared organisations will have a solid cyber security strategy in place, NIS2 aims to catch those lagging behind with stringent compliance orders, audits, threat notifications to customers, and in the most serious instances, administrative fines of €10million or 2% of global annual revenue –- whichever is higher. 

Security Designed To Avoid Disaster 

This might seem draconian, but most of the sectors covered under the new NIS2 directive are considered critical national infrastructure. Organisations working in these sectors now have a stronger burden of proof to demonstrate they have all the requisite security in place to avoid a cyberattack that could have disastrous national-level consequences. 

NIS2 mandates entities to adopt ten baseline security measures designed to mitigate specific types of cyber threats, based around risk management, corporate accountability, reporting obligations and business continuity. 

Undertaking the necessary cyber security audits will touch on both establishing appropriate cybersecurity technology solutions and cybersecurity policy processes. For this reason, it is important to partner with an organisation – such as Obrela -- that can impartially and honestly assess the effectiveness of both. 

NIS2 emphasises the importance of a comprehensive risk management approach. This includes not only the implementation of advanced technological safeguards but also the integration of a robust cybersecurity culture within the organization. Training employees on cybersecurity best practices, ensuring regular updates and patches, and conducting frequent penetration testing are all critical components of this approach. 

Supply Chain Security 

The Directive also recognizes the interconnected nature of the digital economy and the importance of supply chain security. From October, organizations must ensure that their suppliers and partners also adhere to stringent cybersecurity standards. This comprehensive approach helps to create a more secure digital ecosystem, reducing the potential for weak links that cybercriminals can exploit. 

In 2023, the number of supply chain-related cybersecurity breaches in the EU significantly increased. A notable example is the MOVEit hack in May 2023, where a ransomware group exploited a vulnerability in the MOVEit software, impacting over 2,300 entities and more than 65 million individuals globally, with a financial impact exceeding $10 billion​ (Foley & Lardner LLP)​. 

The frequency of supply chain breaches rose by 26% from 2022 to 2023. The average number of such breaches per organization increased from 3.29 in 2022 to 4.16 in 2023​, according to figures from Supply Chain Brain​. Nearly all companies (98%) reported being negatively affected by cybersecurity breaches within their supply chains. As supply chains become more complex with multiple network tiers and numerous digital endpoints, the sophistication and severity of cyber attacks is also growing. And reports suggest 40% of these supply chain attacks stem from unauthorized network access​. 

This highlights the urgent need for enhanced supply chain cybersecurity measures. Organizations must adopt comprehensive risk management frameworks, conduct thorough due diligence on vendors, and implement continuous monitoring and detection mechanisms to mitigate the risks​ – and this process is now being fast tracked by the need to conform with NIS2.  

A New Era Of Collaboration  

Another critical aspect of NIS2 is its redoubled focus on enhancing cooperation and information sharing between member states. By fostering a collaborative environment, the Directive aims to create a unified front against cyber threats. This includes establishment of the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will play a pivotal role in coordinating cross-border incident response efforts. 

The Directive underscores the importance of rapid incident reporting. Organizations are required to report significant cybersecurity incidents to national authorities within 24 hours of detection. This swift reporting mechanism ensures authorities can respond quickly to mitigate the impact of an incident and prevent its spread to other sectors or member states. 

The NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity across the region. By setting higher standards, extending the scope of covered entities, and fostering greater cooperation, it aims to build a more resilient and secure digital environment.

For organizations, this means not only compliance with new regulations but also an opportunity to strengthen their cybersecurity posture, contributing to a safer digital landscape for all. 

Yannis Velitsikakis is product manager at Obrela 

Image: ideogram

You Might Also Read: 

Protecting OT With MDR:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Unlocking A Unified Digital Identity For Europe
2024 US Presidential Election: Nation State Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jumpsec

Jumpsec

Jumpsec provides penetration testing, security assessments, social engineering testing, cyber incident response, training and consultancy services.

2Keys

2Keys

2Keys designs, deploys and operates Digital Identity Platforms and Cyber Security Platforms through Managed Service and Professional Service engagements.

Rocheston

Rocheston

Rocheston is an innovation company with cutting-edge research and development in emerging technologies such as Cybersecurity, Internet of Things, Big Data and automation.

apiiro

apiiro

apiiro invented the industry-first Code Risk Platform™ that uses developers and code behavior analysis to accelerate delivery and automatically remediate product risk.

Fasken

Fasken

Fasken is one of the largest business law firms in Canada and a recognized leader in privacy and cybersecurity law.

Enso Security

Enso Security

Enso is the first Application Security Posture Management (ASPM) solution, helping security teams everywhere eliminate their AppSec chaos with application discovery, classification and management.

Netography

Netography

Netography provides a scalable and reliable platform for detection & remediation of cyber threats found on your network.

Stefanini Group

Stefanini Group

Stefanini is a global IT services company providing a broad range of solutions for digital transformation including automation, cloud, IoT and cybersecurity.

BastionZero

BastionZero

BastionZero is leveraging cryptography to reimagine the tools used to manage remote access to servers, containers, clusters, applications and databases across cloud and on-prem environments.

ORS Consulting

ORS Consulting

ORS Consulting is a specialist provider of risk management advisory services supporting asset-intensive industries such as chemicals, energy, power and utilities, defence and maritime.

Cryptr

Cryptr

Cryptr provides plug and play authentication to manage all your authentication strategies in one place with just a few lines of code.

FluidOne

FluidOne

FluidOne are an award-winning Connected Cloud Solutions provider. We design tailored solutions to help customers and partners digitally transform their IT and communications.

63 Moons Technologies (63MT)

63 Moons Technologies (63MT)

63 Moons Technologies is a world leader in providing next-generation technology ventures, innovations, platforms, and solutions.

Zeus Cloud

Zeus Cloud

Zeus Cloud provide clients with world-class web hosting services to businesses both big and small.

ABPCyber

ABPCyber

ABPCyber offers holistic cybersecurity solutions spanning DevSecOps, advisory and consultancy, designing and integration, managed operations, and cybersecurity investment optimization.

Paramount Defenses

Paramount Defenses

Paramount Defenses have unrivaled capability in two of the most critical areas in cyber security today – Active Directory Security and Privileged Access.