In 2016, the EU introduced Directive (EU) 2016/1148 on the Security of Network and Information Systems, known as the NIS Directive. NIS2, Directive (EU) 2022/2555, is the second version of this directive and builds on the approach initiated by the Commission in the first version. In very basic terms, NIS2 contains three important changes compared to the first version: an expansion of the scope, an expansion of the duty of care, and adjustments to the reporting obligation for entities.
More sectors are included in the new directive, and medium-sized and large companies in those sectors are required to take security measures regardless of whether a member state has designated them individually. Member states can also bring smaller companies into scope when they are considered high-risk or critical.
Duty of care
The duty of care means that companies falling within the scope of the directive must take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems, and must keep those measures in place. The directive names the areas these measures must cover, including risk analysis, incident handling, business continuity and backups, supply-chain security, secure development and vulnerability handling, assessing the effectiveness of the measures, cyber hygiene and training, the use of cryptography, access control, and multi-factor authentication where appropriate, all backed by proper security monitoring.
Obligation to report
The obligation to report means that companies must report significant security incidents on their own initiative. Mandatory notification already applies to personal data breaches under the GDPR, but under NIS2 it also becomes mandatory to report, for instance, a ransomware attack or the exploitation of a vulnerability, even when no personal data is involved. Companies will also have to report more quickly: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. Where relevant, recipients of the company's services must also be informed so that affected third parties can take action. What is new compared to NIS1 is that the directive itself sets minimum levels for the maximum fines that member states must be able to impose, so failing to report can directly result in a fine.
CISOs need to take action
As a CISO, it is important to understand the requirements of the NIS2 directive and to make sure your company is compliant in time. This article explains what NIS2 is and how to prepare for it as a company. Below, we share some advice for CISOs and for the people responsible for security within your company.
Processes and procedures
Any company that falls under the scope of the NIS2 directive will need to have technical and organisational cybersecurity measures in place. If these already exist, you need to check that they will satisfy the new legislation. If they are not in place yet, you need to get started now. Concretely, this means drawing up incident response and reporting procedures that fit the 24-hour, 72-hour and one-month reporting deadlines, and a plan for continuously verifying that these procedures are followed. Since NIS2 affects the whole company, it is also about cooperation between departments and stakeholders: everyone must understand their responsibilities and work towards compliance.
Companies must also ensure that organisational measures are in place, such as awareness training for employees. This includes knowing what to look out for in phishing emails, what to do if they have clicked on a malicious link anyway, and how to approach unknown people on the premises who are not wearing a visible visitor pass.
When researching NIS2 online, you will find a lot of information about personal liability. What is meant by this? Under NIS2, the management body of an in-scope company must approve the cybersecurity risk-management measures, oversee their implementation and follow training on the subject, and can be held liable for failing to do so. In general terms, it is therefore the board's responsibility to ensure that a good security posture is in place. If this is not yet the case, it must be on the board's agenda. It is also important that whoever carries this responsibility is given the authority and budget to act on it.
How enforcement will be carried out in practice is not yet fully known. Member states must transpose the directive into national law by 17 October 2024, and the national legislation is still being drafted. This gives companies time to prepare.
Companies that do not comply with the NIS2 directive can expect fines or other sanctions. The directive provides for maximum fines of at least EUR 10 million or 2% of worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% of worldwide annual turnover for important entities, whichever is higher. On top of that, a company may face legal liability for damage caused by a security incident that could have been prevented if the required measures had been taken. If these measures are not taken, customers, regulators or other stakeholders in the digital ecosystem may take legal action against the company.
Companies that comply with the NIS2 directive not only protect their own systems and assets, but also those of their customers and partners. This reduces the risk of costly security incidents and improves the overall security posture of the company.
If a company can demonstrate compliance with the NIS2 directive, this enhances its reputation and credibility. It shows that the company takes cybersecurity seriously and is committed to protecting the security and privacy of its customers' information.
Implementing the NIS2 requirements also helps companies meet their contractual security obligations and avoid legal disputes with customers or partners.
Assessment of systems
As a CISO, you need a clear picture of the current state of security of your network and information systems. Once this is known, you can map the areas where improvement is needed, prioritise them by risk, and start work on the most important areas first.
Collaboration with stakeholders
As mentioned earlier, compliance with the NIS2 directive requires the involvement of various stakeholders. Within your company, this means your employees: they must be familiar with the security procedures so that they report a security incident to the right person without delay, which is essential for meeting the reporting deadlines. Customers and companies in your ecosystem must also be aware of the requirements of the NIS2 directive and of the possible consequences for them, in particular because supply-chain security is one of the areas the duty of care covers.
Getting started with NIS2
We often work with companies that want to take the next steps in their cybersecurity. Since the end of 2022, NIS2 has come up in these conversations more and more often. This is not surprising, as many CISOs have not yet mapped their networks, information systems and processes against the requirements of the NIS2 directive.
Together with our team of cybersecurity experts, we help companies inventory their systems and draw up a priority list. Once this is done, we assess whether the existing solutions are sufficient or need to be upgraded or replaced. This may include next-generation firewalls (NGFW), security orchestration, automation and response (SOAR), security information and event management (SIEM), or multi-factor authentication (MFA).
We are seeing more and more CISOs choose to outsource part of their cybersecurity. Where they lack the knowledge or resources in-house, they opt for a managed security solution, such as a managed SOC or managed detection and response (MDR).
Does your company comply with the NIS2 directive?
Do you want to know if your company complies with the NIS2 directive? Then please contact us. We are happy to help you keep your company secure and connected.