The NIS2 Directive officially came into force today, as the European Commission adopted the Directive’s first rules, which outline strict cybersecurity requirements.
NIS2 Directive builds on foundations of NIS
The Directive, which marks the first piece of EU-wide legislation on cybersecurity, builds upon the foundations laid out by the original Network and Information Systems (NIS) Directive, which came into force in 2016.
The NIS2 Directive brings a greater number of sectors into scope, including energy, healthcare, transport and digital infrastructure, covering companies categorised as ‘essential’ or ‘important’ entities, alongside stricter requirements in areas such as risk management, accountability and incident reporting. Companies must also conduct mandatory risk assessments.
With the regulation formally adopted today, companies providing digital services, including cloud computing service providers, data centre service providers, online marketplaces, search engines and social networking platforms, are subject to the requirements. For each category of service provider, the legislation sets out when an incident is considered significant, to whom it must be reported and within what timeframe.
In the announcement, Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age said: “Cybersecurity is one of the main building blocks for the protection of our citizens and our infrastructure. In today’s cybersecurity landscape, stepping up our capabilities, security requirements and rapid information sharing with up-to-date rules is of paramount importance.
“I urge the remaining Member States to implement these rules at national level as fast as possible to ensure that the services which are critical for our societies and economies are cyber secure.”
Importance of compliance
Companies that fail to comply with the requirements face fines of up to €10 million or 2% of their global annual revenue, whichever is greater, which is certainly nothing to scoff at. Senior management can also be held liable for security breaches resulting from negligence. This represents a shift in responsibility for security from the IT department to the wider company, particularly as individual employees and their lack of awareness or education about what constitutes a threat (clicking on a link in a phishing email, for example) have been highlighted as a major security risk.
Industry experts in the space welcomed the Directive for providing a guideline for cybersecurity within businesses, while warning of the importance of compliance and being prepared.
“The driver for this legislation is plain to see – in recent years we’ve seen the NHS cyberattack, the CrowdStrike outage, and the SolarWinds hack impact the public’s day-to-day lives. People and societies dependent on software must become more resilient,” said Ilkka Turunen, Field CTO at Sonatype. “The scope of NIS2 extends to anyone trading in the EU, requiring many UK businesses to comply. Under the directive, companies have 24 hours to report major cybersecurity incidents, with updates due within 72 hours, and a final report needed in 30 days. They must also demonstrate and generate several policies from vulnerability monitoring to information security training that extends far beyond current requirements.”
Turunen compared it to GDPR in serving as a “baseline” for cybersecurity globally: “UK companies should take the opportunity to get ahead of this regulatory wave, rather than trying to play catch up. Having tools like a Software Bill of Materials will keep software secure, accountable, and competitive in today’s landscape. With personal and no-fault liability coming down the turnpike, this will keep businesses selling software compliant.”
“NIS2 is a welcome roadmap for the future of cybersecurity, putting further guardrails in place to safeguard digital operations amid the fast pace of technology evolution. Cyber threats are becoming increasingly frequent and sophisticated, demanding a proactive approach to cybersecurity that prioritises safety and privacy,” commented Sridhar Iyengar, Managing Director at Zoho Europe.
He stressed the importance of “full awareness” of the regulations, particularly with the possibility of receiving penalties for non-compliance.
“Steps businesses can take to prepare … include considering the recommended use of multi-factor authentication, introducing a robust browser to help minimise exposure to ransomware attacks, offering a robust password management solution and ensuring systems offer control measures to manage conditional access to confidential data,” added Iyengar. “It is also important that organisations create awareness of the new regulations among their entire employee-base and host any new training required to ensure guidelines are followed by all. This corporate accountability is not just the right thing to do, but also forms part of the new Directive.”