Is The NIS2 Directive A Step In The Right Direction? 

The NIS2 Directive - the new EU-wide legislation on cybersecurity - provides legal measures to boost the overall level of cybersecurity across the EU.  

Set to come into force on October 17, 2024, the timeline was proposed to allow organizations time to assess their readiness from a compliance perspective; by undertaking internal security audits and evaluations to ensure they meet the requirements outlined in the Directive. 

Businesses identified as operators of essential services in key sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents to comply with NIS2. Also, key digital service providers, such as search engines, cloud computing services and online marketplaces, must comply with the security and notification requirements under the Directive. 

So, is this a big advance in the quest to keep organisations safe from harm?  

In a word, yes. No one could have predicted the rapid strides made in digitalising business because of the pandemic, and legislation already struggles to keep pace with savvy cyber criminals. 

The rapid need to pivot to digital solutions also drove a spike in cybercrime and fraud, hence the need for stronger legislation to ensure better EU-wide security. 

The EU feels that the original directive, NIS, (Network and Information Systems Regulations) didn’t go far enough. NIS2 extends the remit of that 2016 legislation, to new sectors and entities, which now applies to fifteen sectors from chemicals to waste management. 

NIS2 will further improve the resilience of critical infrastructure in the EU against cybersecurity risks, for all our benefit. It is designed to improve the overall level of cybersecurity in the EU –-something that is welcomed and required. 

While risk averse and well-prepared organisations will have a solid cyber security strategy in place, NIS2 aims to catch those lagging behind with stringent compliance orders, audits, threat notifications to customers, and in the most serious instances, administrative fines of €10million or 2% of global annual revenue –- whichever is higher. 

Security Designed To Avoid Disaster 

This might seem draconian, but most of the sectors covered under the new NIS2 directive are considered critical national infrastructure. Organisations working in these sectors now have a stronger burden of proof to demonstrate they have all the requisite security in place to avoid a cyberattack that could have disastrous national-level consequences. 

NIS2 mandates entities to adopt ten baseline security measures designed to mitigate specific types of cyber threats, based around risk management, corporate accountability, reporting obligations and business continuity. 

Undertaking the necessary cyber security audits will touch on both establishing appropriate cybersecurity technology solutions and cybersecurity policy processes. For this reason, it is important to partner with an organisation – such as Obrela -- that can impartially and honestly assess the effectiveness of both. 

NIS2 emphasises the importance of a comprehensive risk management approach. This includes not only the implementation of advanced technological safeguards but also the integration of a robust cybersecurity culture within the organization. Training employees on cybersecurity best practices, ensuring regular updates and patches, and conducting frequent penetration testing are all critical components of this approach. 

Supply Chain Security 

The Directive also recognizes the interconnected nature of the digital economy and the importance of supply chain security. From October, organizations must ensure that their suppliers and partners also adhere to stringent cybersecurity standards. This comprehensive approach helps to create a more secure digital ecosystem, reducing the potential for weak links that cybercriminals can exploit. 

In 2023, the number of supply chain-related cybersecurity breaches in the EU significantly increased. A notable example is the MOVEit hack in May 2023, where a ransomware group exploited a vulnerability in the MOVEit software, impacting over 2,300 entities and more than 65 million individuals globally, with a financial impact exceeding $10 billion​ (Foley & Lardner LLP)​. 

The frequency of supply chain breaches rose by 26% from 2022 to 2023. The average number of such breaches per organization increased from 3.29 in 2022 to 4.16 in 2023​, according to figures from Supply Chain Brain​. Nearly all companies (98%) reported being negatively affected by cybersecurity breaches within their supply chains. As supply chains become more complex with multiple network tiers and numerous digital endpoints, the sophistication and severity of cyber attacks is also growing. And reports suggest 40% of these supply chain attacks stem from unauthorized network access​. 

This highlights the urgent need for enhanced supply chain cybersecurity measures. Organizations must adopt comprehensive risk management frameworks, conduct thorough due diligence on vendors, and implement continuous monitoring and detection mechanisms to mitigate the risks​ – and this process is now being fast tracked by the need to conform with NIS2.  

A New Era Of Collaboration  

Another critical aspect of NIS2 is its redoubled focus on enhancing cooperation and information sharing between member states. By fostering a collaborative environment, the Directive aims to create a unified front against cyber threats. This includes establishment of the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will play a pivotal role in coordinating cross-border incident response efforts. 

The Directive underscores the importance of rapid incident reporting. Organizations are required to report significant cybersecurity incidents to national authorities within 24 hours of detection. This swift reporting mechanism ensures authorities can respond quickly to mitigate the impact of an incident and prevent its spread to other sectors or member states. 

The NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity across the region. By setting higher standards, extending the scope of covered entities, and fostering greater cooperation, it aims to build a more resilient and secure digital environment.

For organizations, this means not only compliance with new regulations but also an opportunity to strengthen their cybersecurity posture, contributing to a safer digital landscape for all. 

Yannis Velitsikakis is product manager at Obrela 

Image: ideogram

You Might Also Read: 

Protecting OT With MDR:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Unlocking A Unified Digital Identity For Europe
2024 US Presidential Election: Nation State Cyber Threats »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Business Intelligence Associates (BIA)

Business Intelligence Associates (BIA)

BIA's TotalDiscovery is a defensible and cost-effective corporate preservation and legal compliance software solution.

Sopra Steria

Sopra Steria

Sopra Steria is a leading European information technology consultancy.

Intensity Analytics

Intensity Analytics

Intensity Analytics is a software firm that develops next-generation, physical user and entity behavioral authentication ("physical UEBA") security software technology.

Coursera

Coursera

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online. Subject areas include Computer Security & Networks.

Agility Networks

Agility Networks

Agility Networks is a technology company providing integrated services and solutions for Digital Transformation and Cyber Security.

Netlawgic Legal Services

Netlawgic Legal Services

Netlawgic is exclusively focused on delivering cyber law solutions to the industry. We provide our clients with specialized attention and problem solving in all aspects of cyber law.

Glilot Capital Partners

Glilot Capital Partners

Glilot Capital Partners is an Israeli seed and early-stage VC. We specialize in businesses which disrupt enterprise technology, mainly in the fields of AI, big data and cybersecurity.

FireCompass

FireCompass

FireCompass SAAS platform helps CISOs & Security Teams in continuous risk assessment by mapping your attack surface and knowing the “unknown unknowns”.

SecureStack

SecureStack

SecureStack helps software developers find security & scalability gaps in their web applications and offers ways to fix those gaps without forcing those developers to become security experts.

Hong Kong Broadband Network (HKBN)

Hong Kong Broadband Network (HKBN)

HKBN are a leading integrated telecom and technology solutions provider that offers a comprehensive range of premier ICT services to both the enterprise and residential markets.

Amidas Hong Kong

Amidas Hong Kong

Amidas is your trusted companion on the road to Digital Transformation. We provide a full range of Information Technology Solutions and Professional Services to Enterprise customers.

MTI

MTI

MTI is a solutions and service provider, specialising in data & cyber security, datacentre modernisation, modern workplace, IT managed services and IT transformation services.

inSOC

inSOC

inSOC is an enterprise-grade AI-driven SOCaaS solution detecting breaches 24/7 with vulnerability management built-in. Designed for MSPs and MSSPs.

turingpoint

turingpoint

turingpoint GmbH is a tech enabled boutique consultancy. It was founded by security experts with a focus on cyber security and software solutions.

Secure Blink

Secure Blink

Secure Blink provides automated application and API security solutions that empower developers and security engineers to protect critical assets from exploitation.

HYCU

HYCU

HYCU was born of the need to simplify data protection and provide equivalent levels of backup and recovery support across on premises, public cloud, and SaaS workloads.