Is The NIS2 Directive A Step In The Right Direction? 

Uploaded on 2024-09-18 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The NIS2 Directive - the new EU-wide legislation on cybersecurity - provides legal measures to boost the overall level of cybersecurity across the EU.  

Set to come into force on October 17, 2024, the timeline was proposed to allow organizations time to assess their readiness from a compliance perspective; by undertaking internal security audits and evaluations to ensure they meet the requirements outlined in the Directive. 

Businesses identified as operators of essential services in key sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents to comply with NIS2. Also, key digital service providers, such as search engines, cloud computing services and online marketplaces, must comply with the security and notification requirements under the Directive. 

So, is this a big advance in the quest to keep organisations safe from harm?  

In a word, yes. No one could have predicted the rapid strides made in digitalising business because of the pandemic, and legislation already struggles to keep pace with savvy cyber criminals. 

The rapid need to pivot to digital solutions also drove a spike in cybercrime and fraud, hence the need for stronger legislation to ensure better EU-wide security. 

The EU feels that the original directive, NIS, (Network and Information Systems Regulations) didn’t go far enough. NIS2 extends the remit of that 2016 legislation, to new sectors and entities, which now applies to fifteen sectors from chemicals to waste management. 

NIS2 will further improve the resilience of critical infrastructure in the EU against cybersecurity risks, for all our benefit. It is designed to improve the overall level of cybersecurity in the EU –-something that is welcomed and required. 

While risk averse and well-prepared organisations will have a solid cyber security strategy in place, NIS2 aims to catch those lagging behind with stringent compliance orders, audits, threat notifications to customers, and in the most serious instances, administrative fines of €10million or 2% of global annual revenue –- whichever is higher. 

Security Designed To Avoid Disaster 

This might seem draconian, but most of the sectors covered under the new NIS2 directive are considered critical national infrastructure. Organisations working in these sectors now have a stronger burden of proof to demonstrate they have all the requisite security in place to avoid a cyberattack that could have disastrous national-level consequences. 

NIS2 mandates entities to adopt ten baseline security measures designed to mitigate specific types of cyber threats, based around risk management, corporate accountability, reporting obligations and business continuity. 

Undertaking the necessary cyber security audits will touch on both establishing appropriate cybersecurity technology solutions and cybersecurity policy processes. For this reason, it is important to partner with an organisation – such as Obrela -- that can impartially and honestly assess the effectiveness of both. 

NIS2 emphasises the importance of a comprehensive risk management approach. This includes not only the implementation of advanced technological safeguards but also the integration of a robust cybersecurity culture within the organization. Training employees on cybersecurity best practices, ensuring regular updates and patches, and conducting frequent penetration testing are all critical components of this approach. 

Supply Chain Security 

The Directive also recognizes the interconnected nature of the digital economy and the importance of supply chain security. From October, organizations must ensure that their suppliers and partners also adhere to stringent cybersecurity standards. This comprehensive approach helps to create a more secure digital ecosystem, reducing the potential for weak links that cybercriminals can exploit. 

In 2023, the number of supply chain-related cybersecurity breaches in the EU significantly increased. A notable example is the MOVEit hack in May 2023, where a ransomware group exploited a vulnerability in the MOVEit software, impacting over 2,300 entities and more than 65 million individuals globally, with a financial impact exceeding $10 billion​ (Foley & Lardner LLP)​. 

The frequency of supply chain breaches rose by 26% from 2022 to 2023. The average number of such breaches per organization increased from 3.29 in 2022 to 4.16 in 2023​, according to figures from Supply Chain Brain​. Nearly all companies (98%) reported being negatively affected by cybersecurity breaches within their supply chains. As supply chains become more complex with multiple network tiers and numerous digital endpoints, the sophistication and severity of cyber attacks is also growing. And reports suggest 40% of these supply chain attacks stem from unauthorized network access​. 

This highlights the urgent need for enhanced supply chain cybersecurity measures. Organizations must adopt comprehensive risk management frameworks, conduct thorough due diligence on vendors, and implement continuous monitoring and detection mechanisms to mitigate the risks​ – and this process is now being fast tracked by the need to conform with NIS2.  

A New Era Of Collaboration  

Another critical aspect of NIS2 is its redoubled focus on enhancing cooperation and information sharing between member states. By fostering a collaborative environment, the Directive aims to create a unified front against cyber threats. This includes establishment of the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will play a pivotal role in coordinating cross-border incident response efforts. 

The Directive underscores the importance of rapid incident reporting. Organizations are required to report significant cybersecurity incidents to national authorities within 24 hours of detection. This swift reporting mechanism ensures authorities can respond quickly to mitigate the impact of an incident and prevent its spread to other sectors or member states. 

The NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity across the region. By setting higher standards, extending the scope of covered entities, and fostering greater cooperation, it aims to build a more resilient and secure digital environment.

For organizations, this means not only compliance with new regulations but also an opportunity to strengthen their cybersecurity posture, contributing to a safer digital landscape for all. 

Yannis Velitsikakis is product manager at Obrela 

Image: ideogram

You Might Also Read: 

Protecting OT With MDR:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Unlocking A Unified Digital Identity For Europe
2024 US Presidential Election: Nation State Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Micro Systemation AB (MSAB)

Micro Systemation AB (MSAB)

MSAB is a leader in the provision of forensically secure tools for the extraction and analysis of data from mobile devices.

Information Systems Security Partners (ISSP)

Information Systems Security Partners (ISSP)

ISSP is a specialized system integrator focused on the information security needs of its corporate clients and providing best in class products and services for securing organizational information.

Sothis

Sothis

Sothis is an information technology services company offering a range of solutions including cybersecurity, managed security services, information governance and compliance.

DestructData

DestructData

DestructData is a leading independent provider of End of Life data destruction/security solutions.

u-blox

u-blox

u-blox deliver leading wireless technology to reliably and securely locate and connect people and devices.

Internet Infrastructure Investigation

Internet Infrastructure Investigation

Internet Infrastructure Investigation offers a bespoke Internet Governance Solution to your brands online infringement problems.

Cygenta

Cygenta

Cygenta brings a new approach to cybersecurity. We understand that true security means having digital, human and physical security working in harmony.

ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions

The ARIA ADR Automatic Detection & Response solution was designed to find, verify, and stop all types of attacks - automatically and in real time.

Infostream

Infostream

Infostream is a leading integrator of Digital Transformations Solutions (DTS); Public, Private, and Hybrid Cloud; Cybersecurity; Data Integrity; DevOps, DevSecOps, and Infrastructures.

BigBear.ai

BigBear.ai

BigBear.ai delivers high-end analytics capabilities across the data and digital spectrum to deliver information superiority and decision support.

Oman Technology Fund (OTF)

Oman Technology Fund (OTF)

Oman Technology Fund aims to make Oman the preferred destination for emerging tech companies in the region, and an attractive and stimulating destination for venture capital.

Kirk ISS

Kirk ISS

Kirk ISS are the leading provider of IT services in the Cayman Islands. We offer best-in class hardware, software, communications and cloud computing, all backed by professional services support.

Appknox

Appknox

Appknox is the world’s most powerful plug-and-play security platform that helps developers, security researchers, and enterprises to build a safe and secure mobile ecosystem.

NORMA Cyber

NORMA Cyber

NORMA Cyber delivers centralised cyber security services to Norwegian shipowners and other entities within the Norwegian maritime sector.

Tamnoon

Tamnoon

Tamnoon is the Managed Cloud Detection and Response platform that helps you turn CNAPP and CSPM alerts into action and fortify your cloud security posture.

STACK Cybersecurity

STACK Cybersecurity

STACK Cybersecurity serves as a strategic partner, guiding you through the intricate and dynamic cybersecurity landscape.