To increase cyber resilience, the EU is launching a new directive NIS2 (Network and Information System Security). In addition to setting tighter sanctions and stricter requirements, the directive will require company-wide attention and awareness on cybersecurity, as well as a systematic way to meet all the requirements.
In less than two years, many European companies will hit a wall – a wall that is already visible now.
The revised European Network and Information Security Directive, NIS2, has already entered into force. However, as EU Member states have until September 2024 to transpose the directive into national law, many companies affected are not even fully aware of it.
NIS2 will set the common baseline for cybersecurity risk management measures and reporting obligations across many sectors. In case of failure to comply with these requirements, the NIS2 directive allows for fines of up to 10 million euros or up to 2% of the total annual worldwide turnover of the company, whichever is higher. Additionally, top managers and C-level executives may be held personally liable for a breach.
These two fear factors have dominated the discussion around NIS2. However, there will be many positive outcomes, too. After all, NIS2 aims at better, harmonized, and more resilient international cybersecurity. A common language will increase mutual trust and learning from good practices and experiences. Aligned and more transparent cybersecurity capabilities will make us stronger together in fighting against the bad guys.
Compliance will require actions in three main areas: governance, incident detection and response, and infrastructure and application security. Governance means attention and investment in cybersecurity management, training, and risk management. Incident detection and response requirements focus not only on incident handling and reporting but also on business continuity and crisis management. Infrastructure and application security requirements may mean changes in network security, application development practices, and identity and access controls.
All this is a lot of work. NIS2 compliance is not something one can order today and get delivered and implemented next week. With a few exceptions, we estimate that it will take anything between 9 and 15 months for a company to become NIS2 compliant.
It may sound tempting to wait for the national law. However, by the time September 2024 draws closer, we will run out of time and resources. Skilled cybersecurity professionals are already in short supply.
We challenge every CEO, CIO, and CISO to answer the following questions:
- Does NIS2 affect you, directly or indirectly?
- Do you want your customers to trust you and your cybersecurity measures?
- Do you prefer well-reasoned decisions instead of rushed and hasty ones?
If the answer is yes, it's time to start taking action on NIS2. Not later this year, not next year. Now.