With the new NIS2 Directive from the EU, cybersecurity has been raised to a whole new level. The Directive will make a number of new demands on companies, which must be ready to comply with them in just eighteen months.
In the autumn of 2024, the new NIS2 Directive will become effective. It will help set a new and higher level for common data security across the EU. The new Directive regulates companies and authorities within the field of cyber- and information security and will embrace a number of sectors that have not previously been subject to regulation. They are sectors within food, wastewater, and waste as well as selected sectors in the manufacturing industry. Nixu's Senior Advisor Mette Nikander, says, ‘Although there are still eighteen months to go, it is not too early to get started. Becoming compliant with the new Directive is not something you do from one day to the next.’ Market Unit Lead Henrik Engqvist completely agrees with that view. He welcomes the new Directive, and although there are probably some companies that think it will make everyday life more difficult, he sees it as an opportunity to secure companies’ business activities.
Henrik Engqvist says, ‘My advice to the companies is to see the NIS2 Directive, which will include far more types of companies than the current NIS1 Directive, as a business enabler. The idea behind the Directive is that it will increase safety across the companies’ value and supplier chains. As a supplier, you may risk being dismissed if your customer expects you to be NIS2 compliant, but you are not.’ Both he and Mette Nikander draw attention to the fact that it is likely that not enough attention is paid to this fact down through the supplier chain. However, it will be a necessity, because with NIS2 the focus is really on cybersecurity as intended by the EU. In addition to the risk of being dismissed as a supplier, there is also a risk of financial sanctions if a company does not comply with the Directive.
The whole organization must be involved
‘You don’t talk about it so much, but there are companies that take a lack of cybersecurity as a calculated risk in the hope of not experiencing security breaches, but that’s over now. Either you are compliant, or you are not,’ says Mette Nikander. Both she and Henrik Engqvist add that NIS2 is not only about cybersecurity as seen from a technological point of view, but also from an organizational point of view. ‘Everyone must know their role in the company and understand how important it is that cybersecurity is also about employee behaviour and preparedness. Acting wisely and well-considered must be part of the company’s DNA. It is equally important for us to advise our customers about this when we deliver solutions to them,’ explains Henrik Engqvist. He goes on to say that at Nixu they can see that the companies have already heard about NIS2 and therefore take an increased interest in their security.
An investment in security
Henrik Engqvist explains, ‘Denmark is one of the most digitized societies in the world. That is why we are also utterly exposed when it comes to the risk of security flaws. Regardless of whether it is personal data, customer data, or other forms of business-critical data, an attack can be catastrophic and ultimately cost the company its existence.’ He emphasizes the importance of becoming NIS2 compliant as soon as possible. Mette Nikander adds that it is about not seeing the new EU Directive as an obstruction, but rather as a competitive parameter. It is about the company seeing security upgrades as an investment against compromise, loss, or theft of data. At the same time, the company must be aware that this is not a one-off exercise. Managing security is an ongoing process that, in principle, never ends.
What is NIS2?
The NIS2 Directive is a modernization of the NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security for network and information systems throughout the Union). NIS2 includes organizations in sectors that handle important and/or socially critical infrastructure including, among others, sectors in energy, transport, health, drinking water, wastewater, food supply, waste management, and public administration, but may also be relevant for subcontractors to these.
(Source: The Attorney General, Denmark)
Many manufacturing technology companies advise companies to have a ‘zero trust’ policy when it comes to cybersecurity. It supports the new requirements for cybersecurity in NIS2, and five pieces of good advice from Nixu for improved IT security are:
- Know what needs to be protected.
- Understand the security controls that have already been established.
- Incorporate new tools and modern architecture.
- Adopt and follow detailed policies.
- Monitor and be alert.
The original article was written by Henrik Malmgreen, Editor in Chief at Business Insights.
Read the original article here in English:
Read the original article here in Danish: