By Shira Landau, Editor-in-Chief, CyberTalk.org.
Within the U.K., France and Germany, just a handful of organizations (34%) are prepared for the EU’s updated Network and Information Security Directive (NIS2). Three-quarters of organizations have yet to fully address the five core compliance requirements.
Enacted in January of 2023, the deadline by which member states must comply is October 24th 2024. If that looks like a long time from now, there’s a lot to comply with…
What is NIS2?
In 2016, the EU passed the original NIS Directive, which became law in most member states by 2018. However, the original directive drew criticism due to its ambiguity, as it resulted in divergent interpretations across EU nations.
NIS2 is an update to the rules, but it’s also more than that. It will function as an overhaul of past rules, helping to ensure that cyber security measures are unified, robust and adaptive.
The legislation applies to all organizations with over 250 employees and an annual turnover of €10 million or more.
NIS2 enterprise complacency
Thus far, organizations have been relatively slow to comply. This may be the case because compliance involves investments in technologies, personnel, training programs and administrative functions.
In terms of progress against requirements, the breakdown below illustrates where organizations are in their compliance journeys:
- 80% of organizations still need to properly secure their supply chains.
- 76% of organizations still need to assess the efficiency of existing cyber security protocols.
- 76% of organizations still need to implement HR security.
- 74% of organizations need to add new risk management measures.
- 72% of organizations still need to offer cyber security training to staff.
Experts warn against enterprise complacency when it comes to addressing these areas, as each one takes an average of 5 months to fully address.
NIS2 compliance failure
Inability to comply with the NIS2 Directive can result in fines of up to €10m ($10.5m) or 2% of an organization’s global annual revenue.
Organizations are advised to plan well across the next few months, and to avoid the same mistakes that many made in failing to adequately prepare for GDPR.
The financial penalties aren’t mere punitive measures; risks of non-compliance go beyond financial loss. Non-compliance can result in the revocation of operating licenses and can expose executives to personal liability.
Rather than viewing NIS2 as a bureaucratic hurdle to be cleared, consider this a transformative opportunity through which to significantly strengthen cyber security measures, thereby mitigating multi-dimensional risks and increasing overall resilience.
Due to the complexity and wide-ranging implications of the NIS2 Directive, external consultation with legal advisors and cyber security experts can provide invaluable insights.
See the NIS2 Directive as the ultimate CISO wishlist. Embrace the Directive in order to drive lasting improvements, which can position organizations as leaders in a digital world where security and trust are irreplaceable.
For more on NIS2, please see CyberTalk.org’s past interview with Check Point’s VP of Engineering, Peter Sandkuijl. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.