Better Cyber Safe than Sorry: How to Prepare for the NIS-2 Directive

Some experts are calling European Union legislation one of the biggest security challenges for businesses, along with generative AI and Ransomware as a Service. While the last two are somewhat obvious, you might be wondering why legislation is a leading issue.

About the NIS-2 directive

NIS-2, DORA, the Critical Entities Resilience Directive (CER), the Cyber Resilience Act (CRA), and the AI Act are key EU initiatives aimed at bolstering cybersecurity, operational resilience, and the ethical use of artificial intelligence. These measures are at different stages of implementation, and their impact varies with the cybersecurity maturity of each company and the specific applicability of the regulations. But overall, you will soon start to notice massive changes to the security landscape from new EU mandates.

Of all the new acts and directives, NIS-2 (Network and Information Systems Directive) has the widest coverage and the greatest urgency for businesses that are EU-based or operating in Member States. The NIS-2 directive is a follow-up to NIS-1, which was only applicable to a few types of organizations. The new version, however, brings a broader scope covering more organizations and their supply chains, stricter security requirements, fines, supervisory measures, and management responsibility.

The directive is aimed at improving the resilience of companies against cyber threats to ensure the uninterrupted functioning of services critical for society. Some businesses may not consider their services "critical" for society. But since almost everything these days is digitized and interconnected, every company is more vulnerable. Therefore, businesses must be more resilient, able to withstand new types of threats and minimize interruptions.

Because NIS-2 is a directive, it must first be transposed into national law before it applies in each Member State. This means the 27 EU Member States should transpose it into national legislation by 17 October 2024. Although it may sound like there is still time, the best strategy is to start preparing now by taking these steps:

Understand the scope

NIS-2 is applicable for:

Conduct a gap analysis

NIS-2 names the cybersecurity risk-management measures it expects, which also include supply chain security and cyber hygiene policies. Companies can use those checklists as guidance and input for their gap analysis and action plans.

Consider certifications

NIS-2 recommends the use of European and international standards relevant to security. Companies certified with ISO 27001 will have an advantage, as many of the NIS-2 requirements are already embedded in the standard itself. For those who don't have any certifications, this could be the time to consider certifying.

Involve management

According to NIS-2, the management of a company should oversee security in the organization. Companies need to make sure management is aware of NIS-2 requirements and involved in approving the cybersecurity risk-management measures.

Have an incident notification process

Companies should have an incident notification process that enables the organization to meet the reporting requirements of NIS-2.

Implementing these actions will be different for each organization. For some it will mean starting from scratch. For others, it involves moving from nice-to-have to must-have mode in dealing with security. Some will be working on improving their processes, changing their mentality, and embedding security at different levels of the organization.

Whatever your journey is, we advise being prepared for the NIS-2 directive before it is enforced.

If you want to learn more, please let Hein Hop know or reach out via info@levi9.com.

Published: 26 March 2024
