With the introduction of the EU’s Network and Information Security Directive (NIS2) less than a year away, businesses stand at a critical juncture and must focus on the necessary preparations to ensure they are compliant with the landmark legislation.
NIS2 builds on previous NIS regulations introduced in 2018, and aims to improve overall levels of cyber security and resilience across the European Union. The deadline for implementation is set for 17 October 2024.
The new regulations mean that all public and private organizations operating in the EU – or transacting with EU partners – will be required to implement more robust security measures both internally and across their supply chains.
This includes new requirements for organizations to improve incident management and risk assessment capabilities, as well as penetration testing.
NIS2 will also place a strong focus on bolstering resilience among organizations working in critical infrastructure sectors, such as energy, finance, and healthcare.
Change for the better or a case of the baddies upping their response game?
The introduction of the legislation is a positive step toward creating a more secure business landscape, according to Rubrik field CISO Richard Cassidy.
“I think it’s a very positive move,” he says. “A lot of legislation and frameworks can be seen as quite laborious, quite cumbersome, and require a lot of resources to tick boxes essentially. They don’t necessarily provide the value that organizations are looking for.”
He adds: “What I like about this is it really does help organizations tighten their grip on security controls.”
Cassidy believes that while businesses face an increasingly perilous threat landscape, efforts to improve security practices through NIS2 could play a key role in mitigating future threats.
Recent analysis from the Identity Theft Resource Center (ITRC) shows that more than 233 million people globally have been affected by data breaches so far in 2023.
While the ITRC data points to a decrease in breaches compared to the previous year, the figures still highlight a stark reality for businesses worldwide: threat actors are still highly determined and growing in sophistication.
In particular, the use of generative AI among threat actors represents a serious escalation, Cassidy warns, and will pose heightened risks for organizations moving forward.
Research from Mandiant in August revealed that threat actors are increasingly leveraging generative AI to conduct more sophisticated social engineering attacks, while the use of AI tools in phishing attacks has spiked.
High-profile data breaches over the last year also showcase the increasingly dangerous threat landscape organizations face. The MOVEit breach, for example, affected hundreds of organizations globally.
“We’ve seen breaches proliferate at a rate of knots,” says Cassidy. “And that’s a story we’ve seen over the last decade or so. We’re seeing a lot more enablement in the threat landscape. Attackers are able to use sophisticated tool sets in a way that wasn’t previously possible.”
NIS2, Cassidy adds, represents an opportunity for industry to counter key threats and establish a robust framework to bolster resilience.
Better information sharing to thwart attacks
The legislation will provide organizations with a “concise, converged control set” to enable them to improve cyber security practices in key areas and repel threats more effectively through combined action and information sharing.
Under NIS2, increased cooperation between member states will be a key focus, and information sharing on security incidents and cyber threats will be required.
This collaborative approach to emerging threats is a positive move from EU lawmakers, Cassidy believes, and one that will encourage increased cooperation. Ultimately, he believes, we’ll end up with a more resilient business landscape.
“If a breach does happen, the quicker you can share information amongst your peers and other organizations to provide a multi-agency response to an incident the better,” he says.
“We’re really seeing a lot of improvements around information sharing,” Cassidy adds.
Compliance with NIS2 regulations could also become a key competitive advantage for some organizations, Cassidy suggests.
Those compliant with the regulation and able to operate within the framework and transact with EU companies will undoubtedly have an edge over those who fail to adhere to the new standards.
“Looking at what NIS2 is mandating that organizations fall in alignment to, there will be a huge competitive advantage for organizations that are able to align with this.”
The time is now to prepare for NIS2
With the deadline for implementation approaching, Cassidy notes that many organizations will be “stressing” over preparations.
The good news is that NIS2 won't require a comprehensive “overhaul” of practices and capabilities compared to previous regulatory changes, such as GDPR.
However, Cassidy strongly recommends organizations begin accelerating their plans.
“Given that we're looking at an October deadline of next year, the time is now,” he says.
“But let’s be realistic - is NIS2 a forklift overhaul of your entire cyber security strategy? The good news is that it’s not. However, if you fall within the NIS2 framework as an organization, you’ve got until October next year to reach compliance.”
A recent study from SailPoint found that three-quarters of UK firms are unprepared for NIS2 regulations. 76% of respondents said they have yet to assess the efficiency of existing security measures and practices, while 80% said they still need to properly secure supply chains.
Cassidy warns that those who haven’t achieved compliance will be unable to transact within the framework, which could harm their ability to operate in the EU and result in hefty fines.
“For all essential organizations in the NIS2 directive we’re looking at a fine of 2% of worldwide annual turnover for the preceding financial year,” he says. “And NIS2 is mandating whichever is higher.”
“It’s going to be at least a 10 million euro fine for essential organizations,” Cassidy adds. “I don’t know many organizations that would need to spend anywhere near that amount to get into NIS2 compliance capabilities.”
For individuals at non-compliant organizations, the stakes are even higher. New rules pertaining to personal liability could see senior management held liable for cyber security failings or regulatory infringements.
The “obvious takeaway”, Cassidy adds, is that organizations risk serious financial repercussions if they fail to comply.
NIS2 – and how to get ready for it – was the main focus of a recent webinar hosted by ITPro in association with Rubrik.