The European Union’s latest cybersecurity legislation, the Network and Information Security (NIS2) Directive, has officially taken effect. This new directive is designed to strengthen cybersecurity across a wide range of critical infrastructure sectors in the EU, impacting numerous organizations.
Andrea Carcano, Co-founder and Chief Product Officer at Nozomi Networks, stresses the seriousness of non-compliance. “Non-compliance with NIS2 could result in fines amounting to €10 million or 2% of global turnover for essential entities and €7 million or 1.4% of global turnover for important entities.” This regulatory shift is said to be more encompassing than the Digital Operational Resilience Act (DORA), which primarily targets the banking sector.
The NIS2 Directive requires businesses to align their cybersecurity strategies with the scale and scope of the services they offer. Carcano believes that the directive will necessitate significant changes in security focus, especially within operational technology. He highlights the need for increased asset visibility, regular risk assessments, and an expanded approach to risk management that goes beyond IT to include operational technology.
Moreover, Carl Leonard, EMEA Cybersecurity Strategist at Proofpoint, sheds light on the empowering capabilities granted to authorities under the directive. They possess the capability to halt poor practices, make public disclosures of organizational shortcomings, and instigate corrective measures. Leonard warns of the stringent reporting requirements, stating, “Authorities can order organisations to stop poor practice, make public their mistakes, and initiate corrective action.” He notes that while organizations must report incidents within 24 hours—quicker than the GDPR’s 72-hour window—the fines under GDPR are more severe. Nevertheless, Leonard sees NIS2 as a benchmark for acceptable cybersecurity, pushing organizations to aim above the minimum standards for a competitive edge.
Beyond financial penalties, the directive emphasizes personal accountability of business leaders, marking a shift towards corporate responsibility in cybersecurity. This aligns with the view of Tim Grieveson, SVP and Global Cyber Risk Advisor at Bitsight, who underlines the necessity of understanding the expanded scope of the directive and adopting tools to ensure comprehensive visibility of third-party and supply chain risks.
A survey revealed that 66% of businesses might miss the NIS2 compliance deadline. Edwin Weijdema, EMEA Field CTO at Veeam, sees this as a crucial opportunity for business leaders to bolster data resilience through proactive security practices, especially given the increasing global threats.
In conclusion, the NIS2 Directive marks a transformative period for cybersecurity in Europe. Despite the challenges, the regulation’s focus on strengthening resilience, integrating new technologies, and enhancing collaboration is a significant step towards securing the EU’s digital infrastructure.
