What Security Teams Need To Know About The EU’s NIS 2 Directive

Uploaded on 2024-10-25 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The deadline to get compliant with the EU’s NIS 2 Directive is here. And this isn’t just a minor update from its NIS 1 predecessor—it’s a major expansion that carries with it new challenges and obligations.

The directive now covers a whopping 300,000 organizations, up from just 20,000 under NIS 1. Sectors like aerospace, public administration, digital services, postal and courier services, and food production are now included. Organizations are classified into “essential” or “important” entities based on size and criticality to the economy.

Security teams need to determine where their organization fits. If your company is classified as essential, with more than 250 employees or €50 million in revenue, you’re looking at regular security audits and ongoing monitoring. Important entities will face audits, but only when there’s suspicion of violations.

Regardless of where your company is classified, it’s critical to know what the new mandates entail and what areas of security they will impact.

Supply Chain Security & Risk Management

Software supply chain attacks have become a major concern. Gartner recently released a report, entitled “Mitigate Enterprise Software Supply Chain Security Risks” that supports echoing this sentiment. They project a 200% rise in the cost of these attacks to $138 billion by 2031. Even more alarming statistics reveal that nearly two-thirds of U.S. businesses fell victim to such breaches between May 2022 and April 2023.

And these risks are all too real. High-profile incidents like the SolarWinds Orion attack in 2020, which compromised 18,000 organizations globally, the Kaseya ransomware attack of 2021 affecting up to 1,500 businesses, and the far-reaching Log4j vulnerability have demonstrated just how exposed our software supply chains are—and the devastating consequences that follow.

To mitigate these challenges, the NIS 2 is placing a strong emphasis on securing ICT supply chains, Security teams must now assess the risks posed by third-party service providers and suppliers, ensuring they have robust cybersecurity policies in place. It’s not just about internal security anymore—it’s about the entire ecosystem of partners your organization relies on.

Companies should review and update contracts with suppliers to include cybersecurity risk management clauses. They should make sure vendors are meeting the same security standards as your organization, and regularly evaluate their practices to identify and mitigate vulnerabilities in your supply chain.

Incident Reporting and Management Accountability
One of the most critical changes under NIS 2 is the new incident reporting requirements. Organizations must submit an early warning within 24 hours of discovering a significant incident, followed by an incident notification within 72 hours, and a final report within a month. This rapid timeline requires security teams to have a well-prepared incident response plan that enables swift action and clear communication.

NIS 2 also imposes direct obligations on management bodies, including the C-suite and board of directors. Senior leaders must be involved in cybersecurity decision-making, approve risk management measures, and undergo cybersecurity training.

Failure to meet these obligations could result in hefty fines and personal liability, so it’s crucial that security teams ensure their leadership is actively engaged in cybersecurity strategy.

Extraterritorial Reach and Compliance
Like the GDPR, NIS 2 has extraterritorial implications. Even if your organization is not based in the EU, you may still fall under the directive’s scope if you provide services within the EU. This means that companies outside Europe cannot afford to ignore NIS 2.

It is critical for organizations to assess whether their business activities in the EU bring them within the directive’s scope and to take steps to ensure compliance with its requirements.

Fines & Penalties
Non-compliance with NIS 2 can lead to substantial fines, similar to those imposed under the GDPR. Violations can result in fines of up to €10 million or 2% of an organization’s total global turnover, whichever is higher. Given these penalties, it’s essential that security teams take NIS 2 seriously, especially smaller companies that lack the resources to incur such hefty fines.

What Security Teams Can Do to Prepare

Assess Scope: Determine whether your organization qualifies as an “essential” or “important” entity under NIS 2 and review which obligations apply to you.

Review Incident Response Plans: Ensure you can meet the 24-hour, 72-hour, and one-month reporting requirements for significant security incidents.

Engage Leadership: Make sure your C-suite and board are aware of their responsibilities under NIS 2, and that they are actively involved in approving and overseeing cybersecurity risk management efforts.

Secure the Supply Chain: Audit your supply chain for vulnerabilities and ensure contracts with suppliers include adequate cybersecurity provisions.

Monitor Member State Progress: Keep an eye on the implementation status of NIS 2 in each EU member state to ensure compliance with local variations of the directive.

NIS 2 Directive brings significant changes and increased obligations for organizations across the EU and beyond.

Security teams must act now to assess their classification, strengthen supply chain security, ensure compliance with incident reporting requirements, and engage senior leadership in cybersecurity efforts. By preparing for these new mandates, organizations can avoid costly penalties and bolster their overall security posture.

Graham Rance is VP Global Pre-Sales at CyCognito

Image: Ideogram

You Might Also Read:

DORA: Compliance With The EU Digital Resilience Act:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.