NIS2 is a hugely ambitious directive designed to increase cybersecurity resilience. By expanding beyond “essential” to “important” organizations, it will bring more than 160,000 entities into scope and increase the number of verticals from seven to 17.
The directive also sets a new precedent: the board and senior management can be held personally accountable in the event of a breach if they are found to have been negligent or not to have implemented and maintained oversight of risk management controls. And NIS2 seemingly has real teeth, with punitive actions and fines of up to 10m Euros or 2% of worldwide annual turnover for essential entities and 7m Euros or 1.4% of worldwide annual turnover for important entities, whichever is higher (although it’s worth pointing out here that no fines were ever levied under NIS despite regulators having the power to do so up to a maximum of £17m).
Despite these strides, there’s widespread concern that NIS2 could become a paper tiger, in that many organizations may simply go through the motions. The regulations aim to improve risk management and incident reporting processes and, in the event of a significant incident, an early notification needs to be issued within 24 hours, followed by a formal disclosure within 72 hours and a full report within a month. But when it comes to technical specifics, the regulations are light on detail beyond stating the need for appropriate and proportionate technical, operational and organizational measures. While this is not uncommon for risk-based, outcome-driven standards, most of those are aimed at large organizations and assume a certain level of cyber maturity.
Why compliance might be more difficult for some
In the case of NIS2, such an approach is likely to be particularly difficult for those coming into scope for the first time and medium-sized entities that generally have a less mature cybersecurity posture and limited resources. Compliance will prove more expensive for them, with some estimates suggesting the regulations could cost the continent 31.2b euros per year. So, understandably, they’ll be looking for the most efficient and cost-effective ways to comply, but they should not look to make a token effort, especially given the potential ramifications.
Consequences for non-compliance, ahead of or alongside the fines mentioned above, include warnings, instructions to remedy areas of non-compliance, and orders to cease the infringement(s), to meet certain risk management remedial obligations within a specified timeframe, or to inform affected parties. The entity could be subjected to onsite inspections, targeted security audits (to be carried out by a third party and charged back to the entity), security scans, requests for information or access to additional data or documents, and/or have to surrender evidence of compliance with cybersecurity policies – all of which could prove damaging to the entity’s reputation as well as its bottom line.
Ways in which to comply effectively
There are ways in which these entities can comply economically, however. Those that already adhere to other frameworks such as ISO 27001, ISO 22301, and the CIS Critical Controls can avoid duplication of effort by mapping the overlapping areas, while those operating in or supplying the financial services sector will find that DORA takes precedence, so they will not need to satisfy NIS2.
In terms of technical controls, entities can use a Security Information and Event Management (SIEM) platform, or an outsourced provider of such services, to centralize log management and automate threat detection and incident response (TDIR). Further efficiencies can be gained by correlating related alerts into a single case within case management software and combining them with threat intelligence, enrichment and other investigation data to establish the severity of the incident. Such solutions can also generate audit trails and reports to prove compliance.
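The following is an added example, not code from the original article or from any SIEM vendor, of the TDIR workflow just described: logs from several hosts in one centralized stream, two automated detection rules, correlation of the resulting alerts into a case per entity, enrichment from a threat-intelligence list, a severity score, an audit trail, and the 24-hour early-notification deadline the directive imposes. The log lines, rule thresholds, the threat-intelligence feed and the scoring weights are all constructed for illustration; a real deployment would take them from its own data and policy.

```python
# Added example: minimal TDIR pipeline (centralised logs -> detection rules ->
# case correlation with threat-intel enrichment -> severity + audit trail).
# Every value below (logs, thresholds, intel, weights) is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: dst=(?P<dst>\S+))?$"
)

# Constructed log stream from two hosts, already centralised in one place.
SAMPLE_LOGS = """\
2024-10-18T09:00:01Z web01 auth_fail user=admin src=203.0.113.7
2024-10-18T09:00:05Z web01 auth_fail user=admin src=203.0.113.7
2024-10-18T09:00:09Z web01 auth_fail user=admin src=203.0.113.7
2024-10-18T09:00:14Z web01 auth_fail user=admin src=203.0.113.7
2024-10-18T09:00:20Z web01 auth_fail user=admin src=203.0.113.7
2024-10-18T09:00:31Z web01 auth_ok user=admin src=203.0.113.7
2024-10-18T09:02:10Z web01 net_out user=admin src=203.0.113.7 dst=198.51.100.9
2024-10-18T10:15:00Z db02 auth_fail user=backup src=192.0.2.44
2024-10-18T10:15:03Z db02 auth_ok user=backup src=192.0.2.44
"""

# Constructed threat-intelligence feed: indicator -> tag.
THREAT_INTEL = {"198.51.100.9": "c2-infrastructure"}

FAIL_THRESHOLD = 5                      # failed logins per (src, user) in WINDOW
WINDOW = timedelta(minutes=5)
EARLY_WARNING = timedelta(hours=24)     # NIS2 early-notification deadline
RULE_WEIGHT = {"brute_force": 1, "success_after_brute_force": 3, "known_bad_destination": 3}
SIGNIFICANT_SCORE = 6                   # constructed threshold for "significant"


def parse(raw):
    """Turn the raw stream into event dicts; unparsable lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a production SIEM would count these as parser errors
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events):
    """Apply two rules; each alert names the entity (source IP) it concerns."""
    alerts = []
    fails = defaultdict(list)  # (src, user) -> timestamps of failures in WINDOW
    for e in events:
        key = (e["src"], e["user"])
        base = {"entity": e["src"], "ts": e["ts"], "host": e["host"]}
        if e["event"] == "auth_fail":
            fails[key] = [t for t in fails[key] + [e["ts"]] if e["ts"] - t <= WINDOW]
            if len(fails[key]) == FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force", **base})
        elif e["event"] == "auth_ok" and len(fails[key]) >= FAIL_THRESHOLD:
            alerts.append({"rule": "success_after_brute_force", **base})
        elif e["event"] == "net_out" and e["dst"] in THREAT_INTEL:
            alerts.append({"rule": "known_bad_destination", "ioc": e["dst"], **base})
    return alerts


def build_cases(alerts):
    """Group alerts by entity, enrich from threat intel, score, keep an audit trail."""
    cases = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        c = cases.setdefault(a["entity"], {
            "entity": a["entity"], "alerts": [], "score": 0, "tags": set(),
            "first_seen": a["ts"], "audit": [],
        })
        c["alerts"].append(a["rule"])
        c["score"] += RULE_WEIGHT[a["rule"]]
        if "ioc" in a:
            c["tags"].add(THREAT_INTEL[a["ioc"]])
        c["audit"].append(f"{a['ts'].isoformat()} {a['rule']} on {a['host']}")
    for c in cases.values():
        c["severity"] = "significant" if c["score"] >= SIGNIFICANT_SCORE else "low"
        if c["severity"] == "significant":
            # Clock starts at the first alert in the case (constructed convention).
            c["early_warning_due"] = c["first_seen"] + EARLY_WARNING
    return cases


if __name__ == "__main__":
    for case in build_cases(detect(parse(SAMPLE_LOGS))).values():
        print(case["entity"], case["severity"], case.get("early_warning_due"))
        print("\n".join(case["audit"]))
```

Only the activity from 203.0.113.7 becomes a case: the single failed login on db02 never reaches the threshold, so it generates no alert at all, which is the point of correlating before escalating. The audit list is what a regulator-facing report would be built from, and the due timestamp is what an operations team would track against the 24-hour early-notification requirement.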
There’s much to be gained from ensuring compliance with NIS2 that goes beyond satisfying the regulators. Better risk management and TDIR will improve the ability of these entities to mitigate and remediate threats, which will have other knock-on effects such as driving down cyber insurance costs. Additionally, cybersecurity and risk will become front-and-center in the boardroom.
If the regulations achieve their aims, we can also expect the cybersecurity bar to be significantly raised across the European Union, creating a minimum level of cyber hygiene and a greater level of transparency. Authorities need to not only gather intelligence from the rapid disclosure of security incidents but also share what they learn with organizations working to bolster their defenses.
NIS2 holds significant promise if it can be adopted without becoming a major compliance burden and if its overseers ensure that the tiger not only has but uses its teeth.