
The European Union’s (EU) landmark cyber security directive, NIS2, is now in effect. Companies have to follow its requirements in full, or they could face severe fines.

EU-based businesses operating in important sectors, including energy, transport, water, financial services and healthcare, must implement strict cyber security safeguards and report significant digital threats to the appropriate authorities in accordance with the directive, which aims to harmonise cyber security rules and procedures across the bloc.

IT vendors such as search engines, cloud computing companies and online retailers are also expected to adhere to these requirements, given their importance in a range of supply chains. EU member states themselves will be required to establish their own computer security incident response team (CSIRT), as well as a national network and information systems authority, if they have not already done so.

Any important or essential entity that provides services or carries out its activities within the EU, regardless of whether it has an establishment within the bloc’s borders, must also comply with NIS2 requirements to maintain operations and market access in the EU.

Organizations that fail to adhere to the directive’s requirements for cyber security risk management and reporting could face fines of at least €7,000,000 (or 1.4% of global annual revenue), or a maximum of €10,000,000 (or 2% of global annual revenue). In either case, the business will be subject to whichever fine is higher.

NIS2 will apply to a much wider range of organizations, according to Bart Salaets, field chief technology officer ( CTO ) for EMEA at F5.

“To navigate the legislation, organisations should create centralized control and unified reporting across security platforms. Organizations must help meet their reporting obligations under NIS2 by requiring included solutions and advanced reporting tools, which might be AI-driven.”

Given the new classifications for various companies, Mike Smith, director of engineering and security at Qodea, added that businesses will need to be aware that NIS2 has much more specific definitions of who is responsible for complying with the regulation.

“An organization may presently fall under the purview of NIS2 even if it was not previously content to NIS1. That might be a steep learning curve for some organisations,” he said. “Those who have already made significant investments in contemporary security infrastructures should have a relatively easy time adjusting, but those who haven’t will quickly find themselves falling even further behind.”

According to David Higgins, senior director at CyberArk’s field technology office, Article 21 of NIS2 specifically mandates that companies implement “robust cyber security measures to secure their supply chains and enforce zero-trust access,” meaning that compliance with zero-trust principles will take center stage.

This is particularly crucial because, under NIS2, organizations must protect an extensive network of third parties, including subcontractors and service providers. Additionally, he said, businesses must tick off the crucial NIS2 Article 21 requirements for handling and reporting incidents.

“Being well-versed in identity security is crucial in this situation, as well as being able to monitor and manage the handling of crucial information in real-time.”

Tim Wright, a partner and technology lawyer at Fladgate, commented on NIS2’s implementation deadline, noting that “only a few nations have transposed it into their national laws.”

Just six member states have so far incorporated NIS2 into their national statutes, despite the fact that all member states were expected to publish national laws complying with the directive before the 17 October 2024 deadline. These are Belgium, Croatia, Greece, Hungary, Latvia and Lithuania.

Although most other EU nations have already started the process of passing NIS2 legislation, three others, namely Bulgaria, Estonia and Portugal, are still in the process.

Wright added that while NIS2 should lead to significant improvements in the bloc’s overall cyber posture, it will ultimately depend on its “consistent implementation and enforcement across member states.”

“NIS2 should make the EU a harder target, but determined adversaries will keep probing for weaknesses,” he said. “The directive’s success depends on how well it is implemented and whether it can foster a true culture of cyber security, not only compliance.”