Is The NIS2 Directive A Step In The Right Direction? 

The NIS2 Directive - the new EU-wide legislation on cybersecurity - provides legal measures to boost the overall level of cybersecurity across the EU.  

Set to come into force on October 17, 2024, the timeline was proposed to allow organizations time to assess their readiness from a compliance perspective; by undertaking internal security audits and evaluations to ensure they meet the requirements outlined in the Directive. 

Businesses identified as operators of essential services in key sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents to comply with NIS2. Also, key digital service providers, such as search engines, cloud computing services and online marketplaces, must comply with the security and notification requirements under the Directive. 

So, is this a big advance in the quest to keep organisations safe from harm?  

In a word, yes. No one could have predicted the rapid strides made in digitalising business because of the pandemic, and legislation already struggles to keep pace with savvy cyber criminals. 

The rapid need to pivot to digital solutions also drove a spike in cybercrime and fraud, hence the need for stronger legislation to ensure better EU-wide security. 

The EU feels that the original directive, NIS, (Network and Information Systems Regulations) didn’t go far enough. NIS2 extends the remit of that 2016 legislation, to new sectors and entities, which now applies to fifteen sectors from chemicals to waste management. 

NIS2 will further improve the resilience of critical infrastructure in the EU against cybersecurity risks, for all our benefit. It is designed to improve the overall level of cybersecurity in the EU –-something that is welcomed and required. 

While risk averse and well-prepared organisations will have a solid cyber security strategy in place, NIS2 aims to catch those lagging behind with stringent compliance orders, audits, threat notifications to customers, and in the most serious instances, administrative fines of €10million or 2% of global annual revenue –- whichever is higher. 

Security Designed To Avoid Disaster 

This might seem draconian, but most of the sectors covered under the new NIS2 directive are considered critical national infrastructure. Organisations working in these sectors now have a stronger burden of proof to demonstrate they have all the requisite security in place to avoid a cyberattack that could have disastrous national-level consequences. 

NIS2 mandates entities to adopt ten baseline security measures designed to mitigate specific types of cyber threats, based around risk management, corporate accountability, reporting obligations and business continuity. 

Undertaking the necessary cyber security audits will touch on both establishing appropriate cybersecurity technology solutions and cybersecurity policy processes. For this reason, it is important to partner with an organisation – such as Obrela -- that can impartially and honestly assess the effectiveness of both. 

NIS2 emphasises the importance of a comprehensive risk management approach. This includes not only the implementation of advanced technological safeguards but also the integration of a robust cybersecurity culture within the organization. Training employees on cybersecurity best practices, ensuring regular updates and patches, and conducting frequent penetration testing are all critical components of this approach. 

Supply Chain Security 

The Directive also recognizes the interconnected nature of the digital economy and the importance of supply chain security. From October, organizations must ensure that their suppliers and partners also adhere to stringent cybersecurity standards. This comprehensive approach helps to create a more secure digital ecosystem, reducing the potential for weak links that cybercriminals can exploit. 

In 2023, the number of supply chain-related cybersecurity breaches in the EU significantly increased. A notable example is the MOVEit hack in May 2023, where a ransomware group exploited a vulnerability in the MOVEit software, impacting over 2,300 entities and more than 65 million individuals globally, with a financial impact exceeding $10 billion​ (Foley & Lardner LLP)​. 

The frequency of supply chain breaches rose by 26% from 2022 to 2023. The average number of such breaches per organization increased from 3.29 in 2022 to 4.16 in 2023​, according to figures from Supply Chain Brain​. Nearly all companies (98%) reported being negatively affected by cybersecurity breaches within their supply chains. As supply chains become more complex with multiple network tiers and numerous digital endpoints, the sophistication and severity of cyber attacks is also growing. And reports suggest 40% of these supply chain attacks stem from unauthorized network access​. 

This highlights the urgent need for enhanced supply chain cybersecurity measures. Organizations must adopt comprehensive risk management frameworks, conduct thorough due diligence on vendors, and implement continuous monitoring and detection mechanisms to mitigate the risks​ – and this process is now being fast tracked by the need to conform with NIS2.  

A New Era Of Collaboration  

Another critical aspect of NIS2 is its redoubled focus on enhancing cooperation and information sharing between member states. By fostering a collaborative environment, the Directive aims to create a unified front against cyber threats. This includes establishment of the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will play a pivotal role in coordinating cross-border incident response efforts. 

The Directive underscores the importance of rapid incident reporting. Organizations are required to report significant cybersecurity incidents to national authorities within 24 hours of detection. This swift reporting mechanism ensures authorities can respond quickly to mitigate the impact of an incident and prevent its spread to other sectors or member states. 

The NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity across the region. By setting higher standards, extending the scope of covered entities, and fostering greater cooperation, it aims to build a more resilient and secure digital environment.

For organizations, this means not only compliance with new regulations but also an opportunity to strengthen their cybersecurity posture, contributing to a safer digital landscape for all. 

Yannis Velitsikakis is product manager at Obrela 

Image: ideogram

You Might Also Read: 

Protecting OT With MDR:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Unlocking A Unified Digital Identity For Europe
2024 US Presidential Election: Nation State Cyber Threats »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Gigamon

Gigamon

Gigamon provides intelligent Traffic Visability solutions that provide unmatched visbility into physical & birtual networks without affecting the performance or stability of production environments.

Qualitest Group

Qualitest Group

Qualitest is the world’s largest pure play Quality Assurance and software testing company.

vArmour

vArmour

vArmour is the industry’s first distributed security system that provides insight and control for multi-cloud environments.

Volatility Foundation

Volatility Foundation

Volatility is an open source memory forensics framework for incident response and malware analysis.

Connectitude

Connectitude

Connectitude IIoT Platform ™ is a complete solution for industrial IIoT.

IntaPeople

IntaPeople

IntaPeople are IT and engineering recruitment specialists. We have specialist teams for job sectors including Cybersecurity, IT infrastructure and DevOps.

Cryptoloc

Cryptoloc

Cryptoloc's core business is developing solutions designed to protect businesses from all kinds of security threats using a unique patented cryptography.

ThreatModeler

ThreatModeler

ThreatModeler is an automated threat modeling solution that fortifies an enterprise’s Software Development Lifecycle by identifying, predicting and defining threats.

Deepnet Security

Deepnet Security

Deepnet Security is a leading vendor in Multi-Factor Authentication (MFA) and Identity & Access Management (IAM).

Datacentrix

Datacentrix

Datacentrix provides end-to-end cybersecurity services for the operational technology (OT) and IT environments to monitor, assess and defend our customers' information assets.

AEWIN Technologies

AEWIN Technologies

AEWIN is professional in the fields of Network Appliance, Cyber Security, Server, Edge Computing and an ODM/OEM expert.

Stryve

Stryve

Stryve is a leading carbon-neutral provider of specialist cloud and cybersecurity services in Europe.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.

Trium Cyber

Trium Cyber

Trium Cyber - Expert Cyber Underwriting and Claims Management. Based in the US and UK. Backed by Lloyd’s of London.

Internet Watch Foundation (IWF)

Internet Watch Foundation (IWF)

Since the early days of the internet, our job has been to help child victims of sexual abuse by hunting down and removing any online record of the abuse.

Hilltop Technologies

Hilltop Technologies

Hilltop Technologies is a cybersecurity company specialized in managed security services and consulting tailored for all sectors from higher education to publicly traded companies.