Is The NIS2 Directive A Step In The Right Direction? 

Uploaded on 2024-09-18 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The NIS2 Directive - the new EU-wide legislation on cybersecurity - provides legal measures to boost the overall level of cybersecurity across the EU.  

Set to come into force on October 17, 2024, the timeline was proposed to allow organizations time to assess their readiness from a compliance perspective; by undertaking internal security audits and evaluations to ensure they meet the requirements outlined in the Directive. 

Businesses identified as operators of essential services in key sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents to comply with NIS2. Also, key digital service providers, such as search engines, cloud computing services and online marketplaces, must comply with the security and notification requirements under the Directive. 

So, is this a big advance in the quest to keep organisations safe from harm?  

In a word, yes. No one could have predicted the rapid strides made in digitalising business because of the pandemic, and legislation already struggles to keep pace with savvy cyber criminals. 

The rapid need to pivot to digital solutions also drove a spike in cybercrime and fraud, hence the need for stronger legislation to ensure better EU-wide security. 

The EU feels that the original directive, NIS, (Network and Information Systems Regulations) didn’t go far enough. NIS2 extends the remit of that 2016 legislation, to new sectors and entities, which now applies to fifteen sectors from chemicals to waste management. 

NIS2 will further improve the resilience of critical infrastructure in the EU against cybersecurity risks, for all our benefit. It is designed to improve the overall level of cybersecurity in the EU –-something that is welcomed and required. 

While risk averse and well-prepared organisations will have a solid cyber security strategy in place, NIS2 aims to catch those lagging behind with stringent compliance orders, audits, threat notifications to customers, and in the most serious instances, administrative fines of €10million or 2% of global annual revenue –- whichever is higher. 

Security Designed To Avoid Disaster 

This might seem draconian, but most of the sectors covered under the new NIS2 directive are considered critical national infrastructure. Organisations working in these sectors now have a stronger burden of proof to demonstrate they have all the requisite security in place to avoid a cyberattack that could have disastrous national-level consequences. 

NIS2 mandates entities to adopt ten baseline security measures designed to mitigate specific types of cyber threats, based around risk management, corporate accountability, reporting obligations and business continuity. 

Undertaking the necessary cyber security audits will touch on both establishing appropriate cybersecurity technology solutions and cybersecurity policy processes. For this reason, it is important to partner with an organisation – such as Obrela -- that can impartially and honestly assess the effectiveness of both. 

NIS2 emphasises the importance of a comprehensive risk management approach. This includes not only the implementation of advanced technological safeguards but also the integration of a robust cybersecurity culture within the organization. Training employees on cybersecurity best practices, ensuring regular updates and patches, and conducting frequent penetration testing are all critical components of this approach. 

Supply Chain Security 

The Directive also recognizes the interconnected nature of the digital economy and the importance of supply chain security. From October, organizations must ensure that their suppliers and partners also adhere to stringent cybersecurity standards. This comprehensive approach helps to create a more secure digital ecosystem, reducing the potential for weak links that cybercriminals can exploit. 

In 2023, the number of supply chain-related cybersecurity breaches in the EU significantly increased. A notable example is the MOVEit hack in May 2023, where a ransomware group exploited a vulnerability in the MOVEit software, impacting over 2,300 entities and more than 65 million individuals globally, with a financial impact exceeding $10 billion​ (Foley & Lardner LLP)​. 

The frequency of supply chain breaches rose by 26% from 2022 to 2023. The average number of such breaches per organization increased from 3.29 in 2022 to 4.16 in 2023​, according to figures from Supply Chain Brain​. Nearly all companies (98%) reported being negatively affected by cybersecurity breaches within their supply chains. As supply chains become more complex with multiple network tiers and numerous digital endpoints, the sophistication and severity of cyber attacks is also growing. And reports suggest 40% of these supply chain attacks stem from unauthorized network access​. 

This highlights the urgent need for enhanced supply chain cybersecurity measures. Organizations must adopt comprehensive risk management frameworks, conduct thorough due diligence on vendors, and implement continuous monitoring and detection mechanisms to mitigate the risks​ – and this process is now being fast tracked by the need to conform with NIS2.  

A New Era Of Collaboration  

Another critical aspect of NIS2 is its redoubled focus on enhancing cooperation and information sharing between member states. By fostering a collaborative environment, the Directive aims to create a unified front against cyber threats. This includes establishment of the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will play a pivotal role in coordinating cross-border incident response efforts. 

The Directive underscores the importance of rapid incident reporting. Organizations are required to report significant cybersecurity incidents to national authorities within 24 hours of detection. This swift reporting mechanism ensures authorities can respond quickly to mitigate the impact of an incident and prevent its spread to other sectors or member states. 

The NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity across the region. By setting higher standards, extending the scope of covered entities, and fostering greater cooperation, it aims to build a more resilient and secure digital environment.

For organizations, this means not only compliance with new regulations but also an opportunity to strengthen their cybersecurity posture, contributing to a safer digital landscape for all. 

Yannis Velitsikakis is product manager at Obrela 

Image: ideogram

You Might Also Read: 

Protecting OT With MDR:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Unlocking A Unified Digital Identity For Europe
2024 US Presidential Election: Nation State Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Metasploit

Metasploit

Metasploit penetration testing software helps find security issues, verify vulnerabilities and manage security assessments.

Versa Networks

Versa Networks

Versa is a software-defined networking vendor providing an end-to-end solution that both simplifies and secures the WAN/branch office network.

XignSYS

XignSYS

XignSys develops innovative password-free and user-friendly Authentication solutions and electronic signature systems for B2B and B2C applications.

SmartCyber

SmartCyber

SmartCyber is a company specializing in custom IT projects and Cybersecurity.

oneM2M

oneM2M

oneM2M is a global organization creating a scalable and interoperable standard for communications of devices and services used in M2M applications and the Internet of Things.

White Bullet

White Bullet

White Bullet’s risk profiling AI detects, dynamically scores and flags unsafe domains, apps and advertising.

Sierra Ventures

Sierra Ventures

Sierra Ventures is an early-stage venture firm investing globally with a focus on Next Generation Enterprise and Emerging Technologies.

360° Online Brand Protection

360° Online Brand Protection

360° Online Brand Protection have developed a response to monitor counterfeiting and piracy activity at the online point of sale.

Microchip Technology

Microchip Technology

Microchip Technology Inc. is a leading provider of smart, connected and secure embedded control solutions.

OnSecurity

OnSecurity

OnSecurity replaces the overhead of traditional penetration testing firms with a simple online interface, making it easy to book tests as and when needed.

CatchProbe Intelligence Technologies

CatchProbe Intelligence Technologies

CatchProbe provides actionable web intelligence, OSINT, deception systems, threat intelligence, and digital crime analytics solutions and products through an AI-Driven intelligence platform.

Bastion Technologies

Bastion Technologies

All your cyber defense. One platform. Keep your business assets and employees safe under one roof. Manage your cyber defense quickly, easily & efficiently.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.

Centric Consulting

Centric Consulting

Centric Consulting is an international management consulting firm with unmatched expertise in business transformation, AI strategy, cyber risk management, technology implementation and adoption. 

Staley Technologies

Staley Technologies

Staley Technologies is a US nationwide structured cabling, technology integrator, and Managed IT & Cyber Security provider.

Vorlon

Vorlon

Vorlon's agentless patent-pending solution facilitates risk profiling of apps, and provides AI-driven behavioral analytics with response recommendations.