Here’s a NIS2 compliance checklist if the majority misses the deadline: • The Register

By admin, October 24, 2024

The European Union’s NIS2 directive entered into force on January 16, 2023, and member states had until October 17, 2024 to translate it into national law. However, two years after approval, many organizations still do not meet the required standards.

A survey conducted by backup vendor Veeam just before the deadline found that as many as two-thirds (66%) of organizations expected to miss the October 17 deadline.

Moreover, only two of the 27 EU member states, Croatia and Italy, have fully transposed the Directive into national law. Estonia and Portugal have not yet started the process, while the other countries are at various stages, according to the DNS Research Foundation’s tracker.

According to Veeam’s research, the lack of urgency about meeting the deadline is primarily due to competing priorities within the organizations involved and a disregard for the penalties associated with non-compliance.

This stance is puzzling given that the penalties for NIS2 failures include significant fines and personal liability for individuals in management and decision-making positions.

overview

NIS2 builds on the work of NIS1, the first EU-wide cybersecurity law, which was adopted in 2016 and transposed by member states in 2018, and aims to implement a common set of security standards across all member states.

The new rules expand the scope, so more organizations will have to follow them. Generally, if your organization operates in one of the sectors NIS2 covers (including those newly added) and has at least 50 employees or an annual turnover above €10 million ($10.8 million), NIS2 may apply.

Critical infrastructure operators that were bound by NIS1 remain bound under NIS2. Organizations in the digital services sector, space companies, postal services, network operators, chemical manufacturers and distributors, and some other manufacturers are now also bound by NIS2. Covered organizations are classified as either “essential entities” or “important entities.” All are considered important sectors, but some are treated as more critical than others, and this classification determines the specific requirements an organization must meet.

It is important for each organization to determine whether it falls within NIS2’s scope. This is not only because of the potential penalties on the table, but also because the rules require different things of different entity types. Although NIS2 aims to bring security standards across many industries to a common level, compliance requirements are not the same across the board.

what’s new?

In addition to targeting more organizations, the new rules rest on four main pillars, each introducing more robust requirements: risk management, corporate accountability, mandatory incident reporting, and business continuity.

Managers of covered organizations must fully understand and oversee compliance with the Directive, and are responsible for identifying and addressing cyber risks.

An early warning of significant security incidents must be submitted within 24 hours of becoming aware of them, with a fuller notification to follow; ENISA, the EU’s cybersecurity agency, collects this reporting across member states. This is a positive step toward a deeper understanding of attack campaigns and helps inform defenders working on mitigation strategies.

This also involves the establishment of EU-CyCLONe, the European Cyber Crisis Liaison Organisation Network. This is a new body made up of experts from member states, tasked with assisting member states in the event of a major incident.

There is also a focus on risk management. Organizations in scope must take appropriate steps to minimize threats to network and supply chain security, strengthen access controls (including MFA), encrypt communications, and improve incident handling so that response plans are ready when a major attack occurs.

Organizations must also ensure they have appropriate measures in place to maintain business continuity in the event of a devastating cyber attack.

compliance checklist

Given the different requirements of the various organizations covered, it is impossible to create a checklist that is comprehensive and applicable to all organizations. That said, here are some basic starting blocks.

  • Check whether your organization is within the scope of NIS2
  • Understand your requirements and determine your current level of compliance
  • Secure the budget needed for the necessary changes
  • Determine which laws of other Member States and which EU cybersecurity laws apply to your organization
  • Conduct a cyber risk assessment to understand your exposure to vulnerabilities and other threats
  • Assess third-party cyber risks and establish appropriate risk management procedures
  • Develop a comprehensive plan for incident response, business continuity, and overall cybersecurity
  • Implement necessary security measures such as MFA
  • Ensure employees receive up-to-date cybersecurity training

Penalties for violations

Remember how organizations in scope are divided into “essential” and “important” entities? Well, not only are the requirements different, but so are the penalties for non-compliance.

Essential entities found to be in violation of NIS2 face fines of up to €10 million ($10.8 million) or 2% of their annual global turnover, whichever is higher.

Important entities, on the other hand, face slightly less severe but still substantial fines of up to €7 million ($7.5 million) or 1.4% of annual global turnover, whichever is higher.

Because NIS2 requires leadership teams to ensure compliance, failure to comply can also have legal repercussions for individual business leaders who are deemed to have fallen short of their obligations.

Policy experts at Big Four audit firm EY predict that the national rollout of NIS2 in Ireland will include provisions such as the possibility of prison sentences.

It remains to be seen how strictly these penalties will be enforced. Since the introduction of the GDPR, some dizzying fines have been imposed, but they have been far less common than many expected before it took effect in 2018.

It is puzzling that survey respondents report being unfazed by the possibility of punishment, including large fines and possible jail time, especially given the fines already imposed under other regimes, which make the consequences of violations clear.

As the deadline passed last week, some in the industry had reached similar conclusions about the rate of non-compliance. Jesper Olsen, chief security officer for Northern Europe at Palo Alto Networks, said targeted organizations have not received the necessary support from national authorities to comply with the new rules and need clearer educational materials.

“From the approval of the NIS2 directive two years ago to this week’s deadline, the lack of guidance from authorities has left many organizations in limbo,” he said last week. “As implementation deadlines approach, businesses are left confused about their responsibilities.

“Organizations directly targeted by the requirements are currently unaware of their next steps, creating a significant gap in preparedness. Additionally, with limited support, many organizations are unable to meet the regulatory compliance requirements, doubts persist about their preparedness, and the sense of urgency is further diminished.

“Companies want to understand what this regulation means for their business, how they can comply, and what technology is needed to implement these measures.”

No matter the reason for missing the deadline, compliance is a must. The NIS2 Directive has been warmly welcomed across the industry, even as organizations struggle to meet deadlines amid the growing cybercrime threat to the global economy and to the security of critical services.

“NIS2 provides an important framework for assessing your current security posture and implementing changes that will significantly improve the resiliency of your data,” said Edwin Weijdema, EMEA Field CTO at Veeam.

“Compliance alone does not guarantee complete security, but it does require proactive protection against vulnerabilities. As threats grow globally, business leaders need to act now to protect their operations. If you fail to do so, you will face serious personal and professional consequences.”
