NIS 2 Preparedness
It’s getting Risky out there…
The protection of our networks and systems is of utmost importance, now more than ever. Attackers are increasingly sophisticated and attack with increasing frequency and ferocity. Only a Superhero (in the guise of an EU directive) can help us. Is it a bird? A plane? An A.I. drone, gone bonkers?
Nope …it’s NIS 2. You see, the EU is replacing its first Network and Information Systems Directive (NIS 1) with an improved, more robust version: NIS 2.
NIS 2 Summary
What the Hake is NIS 2? In short, a beefed-up, super-sized version of NIS 1. NIS 2 seeks to forge a common, coordinated and cooperative approach. One that improves information security across EU member states and beyond.
What’s changed is that NIS 2 is a lot tougher than its predecessor. It’s also more costly. More complex. But it’s also a smarter way to protect essential and important information assets, keeping what matters running while raising cybersecurity standards across the board. Here’s why it’s going to make a difference: the thing has teeth. Big ones.
NIS 2 is armed with far heftier fines (and more compliance obligations) than its predecessor. Entities within its scope must expect ad-hoc audits, expensive implementation costs and, if they don’t buckle up and comply, eye-watering fines of up to €10 million or a percentage of global turnover. Got your attention yet?
The Price of NIS 2 Non-Compliance
At Risk Crew, we never use Fear, Uncertainty and Doubt (FUD) tactics — our goal is to empower with knowledge. However, here are the facts on non-compliance.
NIS 2 introduces new fines as an “incentive” to encourage entities to take security measures seriously (and to report incidents promptly to the competent authorities). For Essential entities, fines can reach up to €10 million or 2% of total worldwide annual turnover, whichever is greater. For Important entities, it’s €7 million or 1.4% of total worldwide annual turnover, again whichever is greater.
But financial penalties are not the only cost to consider. Implementing the measures needed for NIS 2 compliance will take time and considerable expense. Companies should prepare for a dramatic budgetary swell: approximately an additional 12% of existing Information and Communications Technology (ICT) spend for those already subject to NIS 1, and a whopping 22% increase for organisations new to NIS.
Comprehensive Cybersecurity Risk Management
The directive requires organisations to be proactive about risk management. It mandates measures covering business continuity and crisis management, supply chain security, incident handling and reporting, and it places in-scope entities under supervision by national authorities. Entities must report any incident that significantly impacts their services to their national Computer Security Incident Response Team (CSIRT) or competent authority within fixed deadlines (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, intermediate reports on request, and a final report no later than one month after the incident notification.
That’s the bad news. The good? NIS 2 is designed to enhance cybersecurity across EU member states, with a particular focus on safeguarding critical infrastructure. It’s the information security equivalent of NATO.
Supply chain security is a significant focus area. Organisations that are not themselves in scope can still feel the effect: Essential and Important entities must assess the cybersecurity practices of their suppliers and service providers, and will push those requirements down the chain.
Moreover, in-scope entities are expected to build risk management requirements into their contracts with suppliers, and to conduct rigorous due diligence when selecting managed service providers and managed security service providers.
There’s a supposedly ancient Chinese curse: ‘May you live in interesting times’. You don’t need a crystal ball to see that times are already ‘interesting’, and likely about to get even more so. NIS 2 aims to help EU member states weather the coming storm, whatever form that takes.
Who is Affected and What is the Timeline for Compliance
Who is affected? Entities operating within the EU in the sectors listed in the directive’s annexes, with ‘small’ and ‘micro’ businesses generally excluded (the directive carves out exceptions, for example the sole provider in a member state of a service essential to society or the economy). The sectors that produce Essential entities range from energy and transport to banking, health, digital infrastructure, public administration and space. Important entities include postal and courier services, waste management, food production, manufacturing, digital providers and research organisations, among others.
Is there a timeline? Yes and no. The 27 member states had until 17 October 2024 to transpose NIS 2 into national law, and the directive tells them to apply those measures from 18 October 2024. But that is a deadline for member states, not a single compliance date for entities: your obligations are set by your national implementing law, and many member states missed the transposition deadline. The one firm date in the directive itself is registration. Article 27 states that ‘Member States shall require entities referred to in paragraph 1 to submit the following information to the competent authorities by 17 January 2025.’ Paragraph 1 covers a specific list of digital providers (DNS service providers, TLD name registries, cloud computing, data centre, content delivery network, managed service and managed security service providers, and providers of online marketplaces, search engines and social networking platforms), and the ‘following information’ is much like an application to Companies House: name, address, contact details, sector and the member states where services are provided.
What You Can Do Now
Ultimately, the goal of the new directive is to harmonise the cyber resilience of member states and foster a shared understanding of cybersecurity threats and challenges, centring on essential services (and their third-party service providers). In other words: we’re stronger together (but only if we truly cooperate). To start preparing now we suggest:
- Get familiar with the ten cybersecurity risk-management measures listed in Article 21(2).
- Educate your senior leadership on the penalties of NIS 2 and get their buy-in on a budget to begin your compliance project.
- Prepare for training. NIS 2 (Article 20) makes management bodies responsible for approving and overseeing the risk-management measures, liable for infringements, and obliged to follow regular training.
- Document your Incident Response Plan. NIS 2 increases reporting obligations and shortens timeframes: an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident, followed by a final report within a month.
- Assess your Supply Chain.
- Create a Vulnerability Disclosure Policy. Put procedures in place to receive vulnerability notifications from third parties.
- Promote secure DevOps. Security in the acquisition, development and maintenance of network and information systems is one of the Article 21 measures.
Risk Crew can help you start readying your organisation today – and take the preliminary security measures that are required. Get ahead of the game and speak to one of our experts to discuss your NIS 2 readiness.