The NIS2 Directive is a recently released set of cybersecurity guidelines and requirements established by the European Union (EU) to improve the overall level of cybersecurity across its member states. The directive was published in the Official Journal of the EU on December 27, 2022, giving member states 21 months, until September 2024, to transpose the directive into national law.
The NIS2 Directive aims to improve the resilience and incident response capacities of both the public and private sectors, as well as the EU as a whole. It replaces the previous Directive on Security of Network and Information Systems (NIS Directive) and introduces several changes, such as expanding the scope to cover more sectors and services and updating the security obligations and incident notification requirements to be more stringent. NIS2 also aims to reduce the regulatory burden for competent authorities and compliance costs for public and private entities.
One of the significant changes introduced by NIS2 is the obligation to report an incident within 72 hours, enabling authorities to react quickly and contain the cyber threat. The directive also mandates more comprehensive powers for competent authorities, allowing them to penalize non-compliant organizations with fines equal to a fixed amount or 2% of worldwide turnover for essential services.
The NIS2 Directive emerged from a review process built into the original NIS Directive, addressing identified deficiencies in the original legislation. After the provisional agreement on the directive in mid-May 2022, the text was finalized on a technical level, meaning lawyer-linguists worked on further details and the consistency of the text that was published in December 2022.
In summary, the NIS2 Directive is a significant update to the EU’s cybersecurity regulations, aiming to improve the overall cybersecurity posture across member states. It expands the scope of the previous NIS Directive, introduces more stringent security obligations and incident notification requirements, and mandates increased powers for competent authorities. The directive provides a valuable opportunity for Chief Information Security Officers (CISOs) to strengthen their position within organizations and ensure compliance with the updated requirements.
The NIS2 Directive, which updates the EU’s cybersecurity regulations, has implications for both Chief Information Security Officers (CISOs) and Chief Technology Officers (CTOs).
For CISOs, the NIS2 Directive provides an opportunity to strengthen their position within organizations by ensuring compliance with updated security obligations and incident notification requirements. CISOs will need to adapt their organizations’ security strategies and practices to align with the new regulations, as well as ensure proper incident reporting within the 72-hour timeframe. Furthermore, CISOs will need to maintain close communication with the competent authorities designated by the NIS2 Directive, such as ANSSI in France, BSI in Germany, and CCB in Belgium.
For CTOs, the NIS2 Directive impacts their role in overseeing the development and implementation of technology solutions to meet the updated cybersecurity requirements. CTOs must ensure that their organizations’ technology infrastructure complies with the new regulations and is capable of meeting the more stringent security obligations. Additionally, CTOs should collaborate with CISOs and other stakeholders in the organization to develop and implement strategies to address potential vulnerabilities and risks.
In summary, the NIS2 Directive has implications for both CISOs and CTOs. CISOs will need to ensure compliance with updated security obligations, incident reporting requirements, and maintain communication with competent authorities. CTOs will be responsible for overseeing the development and implementation of technology solutions that comply with the new regulations and support organizational cybersecurity strategies.
The NIS2 Directive has implications for both CEOs and board members, as they are responsible for ensuring that their organizations meet the updated cybersecurity requirements and adopt the necessary security measures.
For CEOs, the NIS2 Directive means that they must ensure their organizations address and implement the seven elements specified in the regulation. These elements include risk analysis and information system security policies, incident handling, business continuity and crisis management, and supply chain security. CEOs should work closely with their CISOs, CTOs, and other senior executives to develop and execute strategies to comply with the directive, as well as allocate appropriate resources to meet the new security obligations.
For board members, the NIS2 Directive requires them to maintain a high level of awareness and understanding of the organization’s cybersecurity posture and risks. Board members should ensure that the organization’s risk management and cybersecurity policies are in line with the NIS2 Directive and that they are actively monitoring the organization’s efforts to comply with the new requirements. They should also work with the CEO and senior executives to develop and oversee cybersecurity strategies, ensuring that the organization is prepared to address potential vulnerabilities and respond effectively to incidents.
In summary, the NIS2 Directive has implications for both CEOs and board members. CEOs must ensure that their organizations address and implement the required security measures, while board members need to maintain oversight of the organization’s cybersecurity posture and efforts to comply with the new regulations. Both CEOs and board members should collaborate with senior executives and other stakeholders to develop and implement strategies to ensure compliance with the NIS2 Directive.
The NIS2 Directive will also have significant implications for small to medium enterprises (SMEs) across Europe. What do SMEs need to know?
The NIS2 Directive is a new set of cybersecurity obligations for organizations across many sectors deemed critical to the economy. All 27 EU Member States are required to incorporate these new obligations into their national laws before September 2024. The NIS2 Directive aims to increase the cyber resilience of a broad range of EU-based enterprises operating in all relevant industries and performing essential activities.
For SMEs specifically, ensuring compliance with the new NIS2 requirements is a challenging and costly task. SMEs may face difficulties in implementing these cybersecurity obligations due to limited resources and expertise, and should engage a suitable Managed Service Provider (MSP) for guidance on, and help with, potential solutions.
It is important to note that the exact impact of the NIS2 Directive on SMEs may vary depending on the sector and specific requirements that apply to them. However, in general, it is expected that SMEs will need to invest in cybersecurity measures to comply with the NIS2 Directive and ensure the protection of their data and systems.