The European Union’s (EU) Network and Information Security Directive 2 (NIS2) came into force across Europe on 17 October 2024, aiming to strengthen cybersecurity across various sectors, including critical infrastructure and digital services. It was built on the foundations of NIS, adopted in 2016, as a direct response to the changing, increasingly complex threat landscape, and aims to minimise cyber risk, as well as increase and standardise cybersecurity measures across the expansive European economic landscape.
To comply, organisations will need to implement a range of measures, including risk assessments, incident response plans, and robust security practices. Failure to adhere to NIS2 could result in significant penalties, including legal action against an organisation’s managers and executives. With responsibility once again in the spotlight, it is even more important that organisations, from the board down, take cybersecurity seriously.
Affected organisations will have until the end of 2028 to fully implement the new requirements and submit their first audit. However, some regulations will come into effect sooner. For instance, if a cyberattack occurs, the organisation must comply with NIS2’s disclosure and reporting obligations immediately. Ultimately, it’s crucial for businesses to start preparing now. By understanding the directive’s requirements and taking proactive steps, organisations can minimise their exposure to cyber threats and ensure compliance with the new regulations.
The Ripple Effect: Does NIS2 Affect UK Businesses?
While the UK and Northern Ireland are no longer part of the EU, the NIS2 directive will apply to many UK businesses. This is because NIS2 applies to any organisation that trades within the EU. This includes exporters, importers, and companies with subsidiaries or operations within EU member states. As a result, NIS2 (and the principles set out by the directive) will likely affect thousands of British businesses. It is thought that approximately 160,000 organisations across 15 sectors will have to comply with the directive as they fall into the extended organisational categories.
As stated previously, UK businesses that operate in the EU are legally required to adhere to the directive to ensure that they are not subject to penalties or sanctions from EU authorities. NIS2 imposes stringent cybersecurity standards, empowering businesses to safeguard their operations from cyberattacks and minimise the risk of incidents. Adhering to these regulations can bolster a company’s reputation and trustworthiness, providing a competitive advantage within the EU market. So, what does NIS2 mean for British organisations looking to get ahead?
NIS2 and Rising Security Maturity Levels
While well-intentioned, the NIS2 Directive presents a challenge for organisations due to its lack of concrete, legally defined minimum requirements. This ambiguity makes it difficult, even for information security experts, to fully comprehend an organisation’s obligations and implement the necessary measures.
While NIS2 doesn’t provide a checklist, it does outline an expected level of protection. This likely includes fundamental security measures such as firewalls, intrusion prevention systems, endpoint protection, multi-factor authentication, data encryption, and access controls.
Despite these initial hurdles, NIS2 is poised to positively impact the EU’s cybersecurity landscape. It will elevate the importance of robust security programs, foster collaboration between legal and information security teams, and distinguish the roles of CISO and Data Protection Officer (DPO). Ultimately, NIS2 aims to raise the overall information security maturity of affected organisations, empowering CISOs to become essential strategic advisors to management. However, this calls into question accountability (and liability) once again.
The Rising Risk of Litigation
Since the introduction of GDPR in 2015, European corporations have faced significant fines for IT security breaches. These penalties have become increasingly severe, with serious breaches potentially costing up to €10 million or 2% of global annual turnover. There have been several high-profile cases in which large organisations, such as Meta, Amazon, and WhatsApp, have been fined substantial amounts for general GDPR non-compliance.
However, NIS2, for the first time, exposes executives and managers directly to litigation over cybersecurity failures. While CISOs have faced litigation in high-profile cases globally (as in the case of the 2016 Uber cyberattack), NIS2 widens the scope of personal responsibility, which may be a significant concern for executives and managers. In the event of gross negligence and proven misconduct, managers, including C-suite executives, are held liable (the directive refers to these individuals as ‘management bodies’). In some cases, the directive suggests that management could even be removed from their positions until NIS2 compliance is achieved.
Under NIS2, management must prove the existence and implementation of robust cybersecurity risk management measures. They are also responsible for notifying affected parties and authorities in the event of a cyberattack. To fulfil these obligations, management must undergo regular cybersecurity training to identify and assess risks and implement appropriate measures. Failure to do so could result in personal liability.
As previously stated, the NIS2 directive is largely undefined, and its implementation will vary from member state to member state. As a result, the severity of penalties will differ across EU member states, but they must be “effective, proportionate, and dissuasive.”
It’s crucial for management, including those outside of information security, to familiarise themselves with NIS2, understand its core principles, and grasp the full extent of its requirements, but how?
What Management Need To Do Now
Compliance often sets only a minimum level of security, so it is important to balance what is required against the real risks you see in your business, and to align both with what the business wants to achieve in terms of change, i.e., Digital Transformation. That balance is hard, and critically important, to achieve.
The new NIS2 directive aims to bolster security efforts across the board and significantly reduce cyber risk across the EU. As a result, it is crucial that information security and broader management teams work together to ensure compliance, and to go beyond it. But where to start?
Awareness is key, especially when personal liability hangs in the balance. Management and security teams must understand their responsibilities and what the directive means for their organisation. It is important to keep ahead of updates and gain a fundamental understanding of cyber risk. Speaking to information security experts can make the directive easier to understand.
Auditing is also important for assessing the cyber risks an organisation faces. Leaders must regularly conduct critical reviews of different business areas to ensure that compliance continues to be met. Regular audits must confirm the full adoption of NIS2, and ongoing audits must be carried out in accordance with NIS2 standards.
Organisations must also create a flexible information security team to meet NIS2’s demands. Appointing both a DPO and CISO to oversee data and information security is a necessary step. However, these roles should remain distinct to ensure effective responsibility distribution.
Finally, how incidents are responded to, if they do occur, is critical. In the event of an incident, it is important to notify affected partners, suppliers, customers, and national authorities promptly, and rapid post-incident response measures must be in place to reduce risk. Initial notification to authorities should occur within 24 hours of detection, followed by a detailed report within 72 hours. A final report should be submitted one month after the initial notification.
Getting Ahead
The adoption of NIS2 is not a simple project. It is an ongoing struggle for enhanced security across the EU and beyond, and a long-term effort: from 2028, organisations will have to prove the compliance of their IT infrastructure every year. Organisations can get ahead now by auditing their existing measures, defining responsibilities and key personnel, and raising awareness of cybersecurity within their organisations.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.