What NIS2 implementation means for enterprises [Q&A]


As cyberattacks across sectors continue to rise, businesses face pressure to enhance their security postures amid budget constraints and operational challenges.
In the EU, the new Network and Information Security Directive (NIS2) is making it mandatory for companies in Europe -- and those doing business with Europe -- to not only invest in cybersecurity, but to prioritize it regardless of budgets and team structures.
We spoke to Mark Flegg, global director of security services at CSC, about the impact NIS2 could have on the stability of society’s infrastructure and three strategies that organizations can employ for smoother implementation.
BN: Can you briefly explain the purpose of the NIS2 directive and its intended impact on the security of society’s infrastructure?
MF: Implemented in 2016, the first NIS Directive was the EU's endeavor to unify cybersecurity strategies across its member states. The original NIS focused on improving cybersecurity for several sectors, such as banking and finance, energy and healthcare. NIS2 expands that scope to other entities, including digital services, such as domain name system (DNS) service providers, top-level domain (TLD) name registries, social networking platforms and data centers; food; manufacturing of critical products, such as pharmaceuticals, medical devices and chemicals; postal and courier services; administration; and wastewater and waste management.
The goal of these new regulations is for organizations to implement more robust cyber risk management practices, including incident reporting, risk analysis and auditing, resilience/business continuity and supply chain security. NIS2 is in place to strengthen supervision and enforcement mechanisms, requiring national authorities to monitor compliance, investigate incidents and impose penalties for non-compliance.
BN: NIS2 went into effect several months ago. How are organizations faring with implementation? Have you noticed any major challenges?
MF: There were mixed reactions to the launch of NIS2 in October 2024. Some organizations were ready to prove their compliance, while many others admittedly had left NIS2 on the back burner. There was also a third category of businesses who did not initially believe they’d be impacted by NIS2 and therefore had to begin playing catch-up.
All this said, NIS2's requirements for businesses to establish stronger security defenses should not be viewed as empty threats or suggestions. Failing to comply can lead to severe financial penalties and legal implications, and many security and GRC leaders are paying close attention to how penalty enforcement plays out this year. Some EU member states have been seeking extensions, which may be helpful to those actively pursuing compliance while creating a false sense of security for companies that do not plan to act as urgently as they should. If organizations don't demonstrate compliance, or at least show progress toward becoming compliant, I believe we will see the long-term consequences soon.
BN: How does domain security factor into NIS2, and why is this crucial for organizations to strengthen their overall cybersecurity posture?
MF: NIS2’s expanded scope includes entities within digital services, such as DNS service providers and TLD name registries. The directive therefore evaluates the risk management policies of these entities for securing domains and domain name system (DNS) services.
Requiring organizations to bolster their domain security in compliance with NIS2 is crucial to the overall cybersecurity posture of an organization because domains are, in many ways, like a gateway to an organization’s digital ecosystem. Domains are the source of critical business infrastructure -- like websites, emails, service applications, and client, supplier, or partner portals. Domains and subdomains are also generated for temporary initiatives -- like marketing campaigns. In fact, many proactive organizations register lookalike or ‘homoglyph’ domains that resemble legitimate ones as a defense mechanism to avoid malicious third parties buying and exploiting their affiliation with the brand.
Cybercriminals know the value of domains and are perpetually scouring the internet for opportunities to exploit them. Businesses must implement domain monitoring and enforcement mechanisms to effectively secure their domain ecosystems, remove fraudulent content, prevent initial exploitation, and stop malicious activity before it begins.
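The two techniques mentioned in this answer, defensively registering lookalike and homoglyph domains and monitoring for ones registered by someone else, both start from the same thing: a list of the variants of a brand's domain that an attacker would plausibly register. The following is an added example that is not CSC's tooling or code from the interview. It generates typosquat and homoglyph variants of a brand domain, normalizes them to their ASCII (punycode, `xn--`) form with Python's standard-library IDNA codec, and scans a constructed newly-observed-domains feed for collisions. The domain `example.com`, the feed entries and the confusables table are all constructed; the table is an assumed subset, the real Unicode confusables list is far larger.

```python
"""Lookalike/homoglyph domain candidate generator and feed scanner.

Added example, not CSC code. example.com, the feed and HOMOGLYPHS are
constructed/assumed for illustration.
"""
import itertools

# Assumed subset of confusable characters, keyed by the ASCII letter they imitate.
# Values are either a single Unicode code point or an ASCII digraph that renders
# like the original letter in many fonts.
HOMOGLYPHS = {
    "a": ["\u0430"],            # Cyrillic small a
    "c": ["\u0441"],            # Cyrillic small es
    "e": ["\u0435"],            # Cyrillic small ie
    "i": ["\u0456", "1", "l"],  # Cyrillic-Ukrainian i, digit one, letter l
    "l": ["1", "i"],
    "m": ["rn"],
    "o": ["\u043e", "0"],       # Cyrillic small o, digit zero
    "p": ["\u0440"],            # Cyrillic small er
    "w": ["vv"],
}


def split_domain(domain):
    """Split 'brand.tld' into (registrable label, suffix).
    Assumes one label under a one-label TLD, enough for the demo."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def to_ascii(domain):
    """Canonical A-label form (xn--...) via the stdlib IDNA codec.
    Pure-ASCII labels, including ones already in xn-- form, pass through unchanged."""
    return domain.lower().encode("idna").decode("ascii")


def homoglyph_variants(label, max_subs=1):
    """Every label obtained by swapping up to max_subs characters for confusables."""
    out = set()
    positions = [i for i, ch in enumerate(label) if ch in HOMOGLYPHS]
    for k in range(1, max_subs + 1):
        for idxs in itertools.combinations(positions, k):
            choices = [HOMOGLYPHS[label[i]] for i in idxs]
            for repl in itertools.product(*choices):
                chars = list(label)
                for i, r in zip(idxs, repl):
                    chars[i] = r
                out.add("".join(chars))
    return out


def typo_variants(label):
    """Classic typosquats: dropped, doubled, adjacent-swapped and hyphenated characters."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                  # omission
        out.add(label[:i] + label[i] + label[i:])                           # repetition
        if i < len(label) - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])    # transposition
        if i > 0:
            out.add(label[:i] + "-" + label[i:])                            # hyphenation
    out.discard(label)
    return out


def candidate_domains(domain, max_subs=1):
    """ASCII forms of every lookalike of `domain` this generator knows, brand excluded."""
    label, suffix = split_domain(domain)
    cands = set()
    for v in homoglyph_variants(label, max_subs) | typo_variants(label):
        try:
            cands.add(to_ascii(v + "." + suffix))
        except UnicodeError:  # the codec rejects empty or over-long labels
            continue
    cands.discard(to_ascii(domain))
    return cands


def scan_feed(domain, feed, max_subs=1):
    """Return (observed, ascii_form, kind) for feed entries that collide with a lookalike.
    Comparing in A-label form means a Unicode entry and its xn-- spelling both match."""
    cands = candidate_domains(domain, max_subs)
    hits = []
    for observed in feed:
        observed = observed.strip().lower()
        if not observed:
            continue
        try:
            ascii_form = to_ascii(observed)
        except UnicodeError:
            continue
        if ascii_form in cands:
            kind = "idn-homoglyph" if ascii_form.startswith("xn--") else "ascii-lookalike"
            hits.append((observed, ascii_form, kind))
    return hits


# Constructed sample of a newly-registered-domains feed (not real registrations).
NEW_DOMAIN_FEED = [
    "ex\u0430mple.com",      # Cyrillic a in place of Latin a
    "exarnple.com",          # rn for m
    "exmaple.com",           # transposition
    "examp1e.com",           # digit one for l
    "example.com",           # the brand itself, must not be flagged
    "unrelated-shop.com",
    "xn--exmple-4nf.com",    # punycode spelling of the first entry
]

if __name__ == "__main__":
    for observed, ascii_form, kind in scan_feed("example.com", NEW_DOMAIN_FEED):
        print(f"{kind:16} {observed:24} -> {ascii_form}")
```

The same candidate set drives both uses: the registrable subset is what a defensive-registration program would buy, and the whole set is the watchlist a monitoring job compares each day's new-domain feed against. Comparing in A-label form is the important detail; an IDN homoglyph arrives in feeds either as Unicode or as its `xn--` spelling, and normalizing both sides means a single lookup catches either.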
BN: What are your recommendations for organizations looking to improve their domain security to align with a stronger NIS2 implementation?
MF: There are three key strategies that organizations can leverage for smoother implementation:
- Consider Your Business Partners -- NIS2 is not just about strengthening one business's security; it also requires businesses to thoroughly evaluate every entity they engage with in their supply chain. A chain is only as strong as its weakest link, and the same can be said for businesses and their partners' overall security. It is essential for organizations to audit their partners to ensure every entity they do business with meets NIS2 requirements.
- Consistently Manage Your Domains -- Taking a more consistent, consolidated approach to managing and securing a business's domains helps strengthen the organization's overall domain security and checks one more task off the team's compliance checklist.
- Stay Security-Minded as a Team -- With new NIS2 requirements, businesses must report cybersecurity incidents within 24 hours. This shift in awareness and timely reporting doesn't happen overnight, but working with partners that are security-minded helps organizations stay a step ahead in their security.
BN: Have you seen NIS2 implementation significantly impact any partnerships between organizations in Europe or organizations doing business with Europe?
MF: Since we are still in the early stages of implementation, it is a bit soon to determine the direct impact of NIS2 on business partnerships. However, ahead of any penalty rollouts for noncompliance, I anticipate companies will begin developing stricter processes for evaluating their partners -- specifically within their supply chains -- to ensure that any third-party access to company systems and data remains secure.