Next year, on 18th October 2024, a new directive for Network and Information Security (NIS) will come into force in Europe: NIS2. Due to the increase in cyber threats and society's massive dependence on IT, it has become apparent that the current guidelines are no longer sufficient, making stricter requirements from the EU necessary. NIS2 therefore follows on from the NIS directive that has existed since 2018 and will 'force' more organizations to get their cyber security in order. Yes, most likely yours too.
NIS is the European directive that aims to improve the resilience and security of network and information systems within the EU. The NIS directive focuses on essential sectors such as water, energy and telecoms. If companies in these sectors fail, they often have a disruptive impact on the economy and society. The first NIS directive had to ensure that companies in these sectors implemented appropriate measures to ensure the security and continuity of their network and information systems. For example, there was an obligation to report data leaks to supervisory authorities, and fines followed if things turned out not to be in order.
Each EU country must determine how those rules are implemented and enforced. The NIS2 directive was therefore published at the end of last year and gives Member States until 17th October 2024 to implement the changes and adapt their legislation and regulations. It makes sure that:
1. EU countries will become much more consistent, with stronger requirements, particularly in the fields of cyber security and supply chain security, and stronger enforcement by the supervisory authorities.
2. The list of sectors in scope increases and a distinction is made between essential and important companies:
• Essential companies are companies with 250 employees or a net turnover of more than €50 million and a balance sheet total of €43 million. These companies will be proactively monitored by the regulatory authorities.
• Important companies employ more than 50 people and have an annual turnover of more than €50 million. These companies can expect an audit once in a while.
• Exception: If you are smaller than 50 employees and €50 million but you are a provider of trust services (digital services that guarantee the confidentiality, integrity and authenticity of electronic transactions, communications and documents), then your organization must also comply with NIS2.
If your company falls under the scope of the NIS2 directive, then there are consequences:
1. Compliance: You MUST comply with the security measures and reporting obligations. Think of having the right security measures in place and reporting serious incidents to the relevant authorities.
2. Increased liability: Companies that fail to comply with the NIS2 directive and lose sensitive information as a result may be held liable for the consequences. This includes financial losses, reputational damage and legal liability.
3. Costs: You will most likely have to incur additional costs to comply with the directive. Think about adapting existing systems and processes, but also training new people, implementing new tooling and monitoring potential threats.
Reporting those potential threats is a drastic measure. Where the first NIS directive required you to report incidents within 24 hours, the new NIS2 requires you to report potential threats. This means that your IT department will have to work proactively on monitoring and reporting.
It is not yet entirely clear how you will have to report, and the deadline in Q4 2024 still seems quite far away, but from experience we know that active monitoring is incredibly time-consuming, let alone having the optimal security systems in place. You may already have the latter under control, but don't wait until the end of next year to get your security and procedures in place; start by checking the following aspects:
1. Risk analysis: Check which systems and services of your organization are most important and therefore run the greatest risk in the event of a hack.
2. Business continuity: Do you have good backup plans, including disaster recovery and crisis management?
3. Supply chain security: What potential risks does your organization run from external suppliers and service providers?
4. Security of network and information systems: How are they set up and how are vulnerabilities dealt with?
5. Incident handling: How are incidents currently handled and possibly registered?
6. Effectiveness: What about policies and procedures for testing the effectiveness of cybersecurity?
7. Human factors: How well is everyone aware of the IT and security policies within the organization and are they being adhered to?
8. Cryptography and encryption: What about policies and procedures surrounding the use of cryptography and encryption?
9. Physical security: Covering personnel, access control policies and asset management.
10. Multi-factor authentication: Apply it to all accounts that are reachable from the internet, that have administrative rights, and to accounts on critical systems.
As you can see, there is a lot involved in setting up and complying with solid security. It concerns not only the technology, but also the processes within the company and the people who work there. The "to do" list above will help you determine which measures you still need to implement or improve to be as NIS2-compliant as possible.
If you would like to know more about this subject or learn how Insight can help you prepare and be ready for NIS2, please do not hesitate to contact me.