With the 17 October 2024 deadline for EU Member States to transpose the NIS 2 Directive into national law approaching, organizations doing business in Europe should prepare now for the substantial changes it brings to cybersecurity compliance.
The NIS 2 Directive is the successor to the original Network and Information Systems (NIS) Directive adopted in 2016. It aims to strengthen the cybersecurity resilience of EU Member States in response to the escalation in cyber threats seen in recent years. With cyber-attacks, ransomware in particular, now operating at industrial scale and geopolitical tensions adding to security concerns, more robust regulation became imperative. One recent illustration: a hacking group the article links to the Kremlin attacked a pathology laboratory serving the UK's National Health Service, demanded a large ransom, and leaked the stolen data when payment was refused.
The directive does not stop at organizations headquartered in the EU. Non-EU companies that operate within the EU or provide in-scope services to EU entities are also affected, and those without an EU establishment will need to designate a representative in a Member State where they offer services. Because NIS 2 is a directive rather than a regulation, its obligations reach companies through each Member State's transposing law, so non-EU companies should expect national rules to change as the EU legislation is implemented, even where current local requirements are less demanding.
NIS 2 introduces several key updates and expansions relative to the original directive. It broadens the scope of covered organizations by defining two tiers, essential entities and important entities, classified by the criticality of their sector and by organization size, and it adds sectors such as wastewater, healthcare supply chains (including manufacturers of pharmaceuticals and medical devices), and digital infrastructure. Organizations in the supply chain and providers of critical supporting services are now explicitly covered, reflecting the directive's emphasis on securing interconnected networks rather than individual operators in isolation.
In terms of cybersecurity standards, NIS 2 mandates a baseline set of risk-management measures, including basic cyber hygiene and training, vulnerability handling and disclosure, supply chain security, cryptography and encryption, asset management, access control and multi-factor authentication, business continuity and backup, and zero trust principles. It also imposes strict incident handling and reporting obligations so that responses to significant incidents are consistent across the EU: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. Accountability is increased as well. Management bodies must approve and oversee the risk-management measures and can be held liable for infringements, and organizations face administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4% for important entities).
Because the range of covered sectors has grown so much compared with the original NIS Directive, many businesses will need to reassess and strengthen their cybersecurity practices to meet its requirements. Allocating sufficient resources is essential: the European Commission's impact assessment estimated that entities newly brought into scope may need to increase their ICT security spending by up to 22%, with organizations already covered under the original directive facing a smaller but still material increase.
To prepare for NIS 2 compliance, organizations should first determine whether, and in which tier, they fall within scope; identify the Member State(s) whose transposing laws and competent authorities apply to them; implement a documented cybersecurity risk-management process covering the measures above; strengthen supply chain security, including contractual requirements on suppliers; develop and rehearse an incident response plan that can meet the 24-hour and 72-hour reporting deadlines; and engage senior management directly in the compliance strategy, since they carry personal responsibility for it. Understanding the key updates and acting on them early lets businesses meet the directive's requirements and, more importantly, reduce their exposure to the threats that prompted it.
As the deadline approaches, senior management and IT security professionals should make NIS 2 compliance a priority, using resources such as the Sophos NIS 2 Directive whitepaper to guide their efforts. By meeting the directive's standards, organizations can improve their cybersecurity resilience and reduce the risk posed by cyber-attacks in Europe and beyond.
