EU Directive Network and Information Security (NIS2): Modernizing security compliance

Once often perceived as a necessary evil, the regulation of technology and cybersecurity is now something organizations approach in an increasingly proactive and committed way. Many are even going a step further by embracing independent standards to fill any gaps legislation may not address, or while waiting for laws to catch up with new developments.

Given today’s searing pace of change, characterized by the rapid rise of technologies like GenAI, this marks a positive way forward for businesses that care about their customers as well as their profits.

Encouragingly, today’s business leaders recognize that stakeholders are well-informed about the ramifications of non-compliance and poor security. Whereas these obligations might once have been seen as a checkbox exercise confined to security and compliance departments, they now require awareness and, importantly, responsibility at a management level. Modern regulations reflect this emphasis on accountability, as evidenced by DORA, the EU’s recent legislation for the finance industry. DORA mandates that the board of directors and CEO must understand and assess digital risks, ensuring appropriate measures are in place to protect customers and consumers. It goes as far as holding senior executives personally responsible for failure to comply. In the worst-case scenario this could mean fines and criminal proceedings.

NIS2 as a security template

This emphasis on accountability underscores the need for an effective, enterprise-wide security framework that can act as a solid foundation for current legislation and make it easier to adopt, and adapt to, new regulations in the future. This is where the recently updated EU Directive on Network and Information Security (NIS2) can provide a template for all organizations to follow.

NIS2 aims to improve the security and resilience of critical infrastructure across various sectors, ensuring the networks and systems used to deliver services attain a high level of cybersecurity. Organizations must have governance structures in place to manage cybersecurity, comply with breach reporting obligations, implement risk management practices, and monitor the supply chain for cybersecurity risks. Entities defined as essential, including the energy, transport, health, digital infrastructure, and cloud sectors, are subject to greater scrutiny with regulators given the authority to perform audits and carry out inspections. Fines for non-compliance can be as much as €10,000,000 or 2 percent of total annual turnover. Those classed as important entities, such as providers of medical devices, chemicals, electronic and social networks, are subject to investigation only if there is evidence of non-compliance. Fines are lower, but still substantial at up to €7,000,000 or at least 1.5 percent of annual turnover.

Taking heed of new threats

While an unlimited budget would probably be needed to follow NIS2 to the letter, it still provides invaluable guidance, drawing attention to emerging security trends and the importance of staying aware of the evolving threat landscape. There has been disquiet that the original version didn’t bring the desired level of cybersecurity consistency across all member states, but it’s still a widely respected framework. Realistically, it is unlikely the EU can ever enforce a completely uniform standard as each member state has to adopt the Directives into their laws. So, getting harmony across countries is always going to take time and have local variations. But that shouldn’t detract from its overall value.

Also, the scope of NIS2 is becoming more inclusive, extending its reach to medium-sized enterprises and more industries. Additionally, NIS2’s latest iteration highlights the growing risk posed by third parties, requiring organizations to ensure their suppliers and contractors adhere to appropriate security measures, which may involve contractual requirements, security audits, and monitoring. Drawing attention to these emerging trends with corresponding guidance is a vital aspect of NIS2. It should help motivate organizations to keep reviewing their security strategies.

Regulatory compliance is never a one-off, one-size-fits-all exercise. And NIS2 could provide further value if it had a regular schedule, say annually, for review and updates. By providing systematic guidance and terminology applicable to today’s challenges, it would help imbue a culture of ongoing security assessment and awareness. This more dynamic approach could overcome drawbacks of older legislation, such as GDPR and the Data Protection Act, which can seem outmoded and not entirely fit for purpose. For example, neither specifically mentions GenAI. Therefore, organizations have to almost retrofit what’s happening in today’s digital world to meet regulations that are showing their age.

Beyond legal obligations

Adherence to both new and older legislation is imperative, but organizations must also take a modern approach to cybersecurity that is comprehensive, agile, and adaptable. The shifting nature of cyber threats demands a proactive and forward-thinking strategy, not just a reactive attitude. This involves continuous assessment and improvement of security measures, investment in cutting-edge defense solutions, and nurturing a culture of cybersecurity awareness among employees. By doing more than the minimum for compliance, organizations can safeguard their systems and data for the future, ensuring the protection of their assets, customers, and workforce.

A dynamic and resilient cybersecurity posture positions organizations to swiftly respond to emerging and unforeseen threats. This is crucial for longevity and success in what could become an increasingly volatile digital era.

Chris Rogers, Senior Technology Evangelist at Zerto.