
Time is running out for companies to prepare for EU NIS2 Directive.


Businesses are racing against the clock to ensure compliance with the impending new EU cyber security legislation, known as the Network and Information Systems Directive 2022/0383 (NIS2). This legislation, introduced by the EU to bolster cybersecurity measures across the bloc, imposes strict requirements on certain organisations to enhance their cyber security safeguards. Organisations that fail to comply with the new rules could face hefty fines of up to €10 million or 2% of their global yearly revenue, whichever is greater. Individual managers could also face penalties, and companies may even be ordered to halt non-compliant activities.

The deadline for member states to transpose these new rules into national law, October 17, 2024, is looming. To ensure compliance, businesses must take action in four key areas: Risk Management, Corporate Accountability, Reporting Obligations, and Business Continuity. Organisations impacted by NIS2 must implement measures to minimize cyber risks, oversee cybersecurity defences, swiftly report security incidents, and ensure business continuity in the event of cyber incidents.

In order to meet these requirements, organisations must first determine if they fall under the scope of NIS2 and evaluate how different aspects of their business could be affected. They must then assess their existing security measures and make any necessary adjustments before the deadline. Additionally, businesses must integrate new security measures and incident reporting obligations into their supply chain to ensure full compliance.

Although the deadline for compliance is not immediate, businesses must act promptly to meet the requirements set forth by NIS2. According to expert Bojan Zdrnja from SANS, firms should prioritize actions such as training staff, conducting risk assessments, and implementing security controls without delay. Building a robust cybersecurity program aligned with best practices is essential, and taking proactive steps now will ease the transition to mandatory compliance in the future.

To assist businesses in preparing for the changes brought about by NIS2, SANS has developed a range of resources and training programs. These resources include training for both management and staff, expert guidance on compliance, executive cyber exercises, skill and risk assessments, and critical infrastructure exercises. Additionally, SANS is conducting a survey to gauge preparedness among companies, inviting businesses to participate and assess their readiness for the new legislation.

For more information on NIS2 and how SANS can support businesses in their compliance efforts, interested parties can visit the SANS website. By taking proactive steps now to align with the requirements of NIS2, businesses can avoid the pitfalls of non-compliance and ensure they are well-prepared for the impending changes in EU cyber security legislation.
