As cyber threats continue to grow, Europe, with its highly digitalized economy, has become a prime target. In fact, the number of cyberattacks on European businesses has soared to unprecedented heights, with a 108% increase in attacks against key sectors since 2020. To combat this alarming trend, the European Parliament has introduced NIS2, a new cybersecurity directive aimed at enhancing the Union’s cyber resilience.
NIS2 brings tighter requirements and a renewed emphasis on risk management and incident response, forever changing the way EU businesses tackle cybersecurity. In this blog post, we’ll delve into the far-reaching consequences of NIS2 for European cybersecurity and provide essential insights to help businesses adapt and thrive in this new regulatory landscape.
Unpacking The NIS2 Directive
NIS2, short for Network and Information Security Directive, is a new EU cybersecurity directive aimed at improving cybersecurity in the European Union. Adopted and entered into force on 16 January 2023, the directive sets out new cybersecurity requirements for organizations categorized as critical infrastructure.
Building on its predecessor NIS1, which was adopted in 2016, NIS2 expands its coverage to include sectors such as energy, transport, healthcare, finance, public administration, water supply, and many more. While the previous directive only focused on so-called essential services and digital service providers, NIS2 eliminates this distinction and instead divides affected entities into two categories: essential entities and important entities, where size, societal function/sector, and annual turnover are the deciding factors for whether NIS2 applies to a given organization.
In addition, NIS2 strengthens requirements for risk management, incident reporting, and cooperation between EU Member States in case of cyber incidents. Overall, NIS2 represents a significant step forward in EU cybersecurity regulations, and organizations that fall under its scope should take note of the new requirements to ensure compliance.
How NIS2 Will Impact EU Cybersecurity
NIS2 is set to have a significant impact on EU cybersecurity by mandating far-reaching security measures to improve risk management and incident response practices, increasing regulatory oversight, and introducing an unprecedented element of management compliance accountability. Some of the ways NIS2 will change EU cybersecurity include:
New cybersecurity requirements for businesses:
- NIS2 introduces a core set of 10 minimum measures that organizations must implement to manage risk, including measures such as access control, incident management, and business continuity management.
- Businesses are required to conduct due diligence on the security of supply chains to ensure that third-party suppliers also adhere to NIS2 security standards.
- Early-warning reports must be submitted within 24 hours of an incident.
Increased focus on risk management and incident response:
- Businesses must develop incident response plans that cover various scenarios and conduct regular security assessments to identify vulnerabilities and weaknesses.
- Reporting of incidents to competent authorities is required, and must include all relevant information, such as the scope and impact of the incident, the systems and data affected, and the measures taken to contain and mitigate the incident.
Greater regulatory oversight and enforcement:
- Designated national authorities will be responsible for ensuring compliance with the directive through audits and inspections.
- The authorities will have the power to request information, conduct investigations, and issue fines or penalties for non-compliance.
Personal liability for management bodies:
- Management bodies, including directors and senior managers, may face personal liability for cybersecurity incidents resulting from their failure to implement security measures or to respond adequately to a cyber threat.
- This means that they may be held accountable and face legal or financial consequences for their actions or inactions related to cybersecurity.
- The personal liability requirement aims to encourage management bodies to take cybersecurity seriously and to prioritize the implementation of appropriate security measures to protect EU citizens’ personal data.
NIS2 and EU businesses: Implications and Opportunities
The overall impact of NIS2 on EU businesses is going to be massive.
With an estimated 160,000 affected entities across 15 different sectors, critical infrastructure organizations across all of Europe will have to address this new regulatory reality.
What’s more, all third-party suppliers providing services to these organizations must also meet the new requirements, multiplying the actual number of affected companies. Adding to the seriousness of this major policy change, executive teams will be forced to put cybersecurity on the board agenda because of the unprecedented introduction of management compliance accountability, which makes management bodies personally liable for non-compliance.
These changes will undoubtedly cause a surge in cybersecurity investments, compliance consulting, and relevant cybersecurity training as boards realize the potential business-crippling, legal consequences of negligence and non-compliance.
NIS2 will be a reality check for organizations that have been lacking in their security efforts. The directive will usher in a new security standard that – if widely implemented – will increase European businesses’ ability to withstand the destructiveness of tomorrow’s cyberthreats.
How To Prepare for NIS2
To prepare for compliance with NIS2, European critical infrastructure operators and providers in their supply chain must first conduct comprehensive risk assessments. This will help identify vulnerabilities and weaknesses that need to be addressed following the new NIS2 standards. It will also provide insights into the effectiveness of existing security measures, which is another crucial element of the new requirements.
Member States have until 17 October 2024 to transpose the directive into national law. This gives affected organizations 16 months to ensure that their cyber defense level is on par with the directive’s requirements.
Uniqkey, a Denmark-based business password management solution, has published the infosite nis2directive.eu, offering accessible information on NIS2 to the public. The site includes all information relevant to the NIS2 directive, sourced from official, public sources, and curated for easy consumption. Uniqkey also offers a practical whitepaper on the subject for anyone looking for tangible, tool-specific suggestions for how to achieve NIS2 compliance.
If you’re a European business operating within any of the 15 covered sectors – or providing services to any such organization – getting familiar with the Directive’s requirements will be essential to surviving the upcoming regulatory transition.