In a recent interview with Help Net Security, Roland Palmer, VP Global Operations Center at Sumo Logic, shed light on the significant challenges and innovations introduced by the NIS2 Directive in the realm of cybersecurity. With the aim of standardizing cybersecurity practices across sectors, the NIS2 Directive mandates minimal cybersecurity requirements for member companies, encompassing policies on risk information system security, crisis management measures, and cybersecurity training.
The NIS2 Directive seeks to address the need for a standardized approach to combat the increasing sophistication of cyberattacks. The new guidelines aim to replace the EU’s existing NIS1 directive and combine cybersecurity measures with a risk-based approach. Noteworthy features of the NIS2 Directive include a comprehensive regulatory framework and the inclusion of new sectors, such as healthcare, transportation, and digitally operated companies, that pose a critical security risk.
Furthermore, the NIS2 Directive introduces new measures and incentives to encourage compliance. These measures include strict penalties, obligatory incident reporting requirements, increased monetary fines for noncompliance, and heightened responsibility for management bodies. The directive also emphasizes EU-wide collaboration and a vulnerability-sharing program to increase transparency across organizations.
Among the specific cybersecurity measures and risk management strategies mandated by the NIS2 Directive are established policies on risk information system security and risk analysis, crisis management and continuity measures (e.g., backup management), cyber hygiene and cybersecurity practices and training, and the assessment of risk management procedures and their effectiveness. The introduction of these measures aims to enhance overall cybersecurity resilience and prepare organizations for effective incident management and reporting.
One of the most notable updates in the NIS2 Directive is the shortened security incident reporting window, with companies now required to provide a warning within 24 hours of becoming aware of the incident. This is followed by a mandatory description of the event within 72 hours and a comprehensive account of the incident within one month of its occurrence. To prepare for these new obligations, organizations are advised to conduct an internal risk analysis, create an incident response plan, and prioritize security training and awareness.
The global nature of cybersecurity threats underscores the implications of the NIS2 Directive for multinational companies and cross-border collaboration in cybersecurity. The directive applies not only to companies based in the UK/EU but also to organizations that offer services in the region, regardless of their physical location. This calls for greater collaboration and information-sharing among organizations and national authorities to ensure compliance and respond effectively to cyberattacks or security incidents.
Looking beyond 2024, it is anticipated that the NIS2 Directive will continue to evolve in response to the ever-changing global threat landscape. With the rise of advanced technology and the need for more uniform and efficient security protocols, regulatory bodies are expected to step up efforts to improve security measures. The SEC has also implemented new guidelines, and similar trends may be observed in other countries and entities in the near future. Overall, the NIS2 Directive signals a step toward a more secure and regulated cybersecurity sector, with the potential for further developments in response to the evolving threat landscape.