The updated Network and Information Security Directive is a step forward in boosting cybersecurity. How will it impact your organization?
One of the biggest threats organizations face today is supply chain attacks. Even if internal security is tight, a third party may have weaker security and provide an easier route for hackers to exploit.
With the European Union’s new NIS2 cyber directive in force, all organizations doing business in the EU will have to meet minimum cybersecurity standards.
Like the General Data Protection Regulation (GDPR), the effects of NIS2 will likely be felt outside of the EU’s borders because all enterprises doing business in the European Union will need to comply.
NIS2 basics
Other new risks addressed by NIS2 include 5G technology security, as well as risks that have grown more recently due to the rapid digitalization and cloud adoption caused by the COVID-19 pandemic.
Importantly, NIS2 emphasizes the need for computer security incident response teams to be able “to monitor the entity’s internet-facing assets, both on and off premises, in order to identify, understand and manage the entity’s overall organizational risks as regards newly identified supply chain compromises or critical vulnerabilities.” Other aspects of NIS2 include:
- significant changes, including new obligations and risk management measures, a wider range of involved stakeholders and in-scope entities, and potentially hefty fines
- giving Member States more flexibility to respond to cybersecurity incidents and to protect critical infrastructure with a higher level of resilience
- regulation of the cybersecurity measures that covered organizations must take, and of their reporting obligations
- an important change: significant expansion of coverage to include any sectors considered critical, including energy, transport, banking, finance, health, digital infrastructure, public administration, and certain other aspects of infrastructure. Under the old directive, it was up to Member States to determine which organizations were considered in-scope
- a threshold for defining medium-sized companies: 50 employees and an annual turnover exceeding €10,000,000
- a timeframe of 24 hours from when an entity first becomes aware of a cyber incident to submit an initial notification, then a formal incident report no later than 72 hours, and a final report no later than one month after the incident. Failure to comply with NIS2 requirements could result in substantial fines of up to €10 million or 2% of the entity’s total worldwide turnover, whichever is higher
EU member states have until 17 October 2024 to implement the NIS2 measures as national legislation.
Preparing for NIS2
Any organization that does business in the EU needs to analyze its cyber defence posture to make sure it has full visibility of internal digital ecosystems and their compliance with the new quick reporting requirements.
In addition to the new legal ramifications of a breach, organizations affected by the new cyber directive face other financial costs as well as reputational damage. Additionally:
- Organizations should continuously monitor internal and external networks so that they can quickly identify, validate, and rank risk, as well as remediate any cyber security issues where appropriate.
- Issues like ransomware and malware need to be swiftly addressed. It is imperative to quickly deploy patches for critical issues and maintain IT hygiene across the infrastructure.
- When it comes to supply chains, organizations need to know which vendors, suppliers, and other third parties are being used, and what network and data access they may have, in order to implement a solid strategy for addressing supply chain cybersecurity challenges.
- The best solution is to continuously monitor the organization’s supply chain to identify, prioritize and remediate critical issues such as unpatched systems or IT hygiene issues.
When lapses are discovered, organizations should contact the affected third party directly to guide the mitigation effort and ensure remediation occurs. Handling third-party risk internally can be time consuming and costly, so organizations may want to consider outsourcing the activities.