
NIS2 Directive Must Be More Than a Compliance Exercise

George V. Hulme
/
Sep 19, 2024

After years of escalating threats within Europe, especially nation-state-affiliated digital attacks that accompany physical wars and threats of war, the risk of cyberattacks against the critical infrastructure that underpins modern society has risen. With the first deadline for the Network and Information Systems Directive 2 (NIS2) arriving next month, the European Union is acting, hoping to make the companies that serve its critical infrastructure more resilient to attack. By Oct. 17, EU member states must have transposed the directive into national law, and covered organizations must comply with it.

At its core, NIS2's framers see the directive's requirements as a way to increase digital resilience, the ability to withstand, adapt to, and rapidly recover from cyber incidents, throughout the EU. EU regulators hope that NIS2 will not turn out to be just another compliance effort, but that it will actually fortify Europe's critical infrastructure against digital attacks. That's a tall order, and while security experts are hopeful and believe NIS2 will bring some improvements, they're not confident it will fully succeed.

A Push Toward Accountability

"It's a move in the right direction," said John Price, founder and CEO at cybersecurity services provider SubRosa. "I don't think there's a foolproof way to solve these challenges, but anything that can push security awareness and culture down throughout the organization from the board level will help build up a security culture," he said. "But these things move slowly. Cybersecurity a decade ago wasn't getting the boardroom recognition it should have been, and arguably even now it's not to some degree," Price added.

NIS2 substantially expands on its predecessor, increasing the number of sectors it covers and adding a sharper focus on management accountability and third-party risk. It requires covered organizations to have strong risk management capabilities, including regular security assessments, detailed incident response plans, and effective safeguards for their software supply chains.

One of the notable changes in NIS2 is how it places accountability for cybersecurity readiness on management boards. The hope is that making the board responsible will foster a security culture throughout each organization. Experts have mixed feelings about how well that hope will play out in practice.

"It's raising the bar for cybersecurity within the EU by mandating certain critical things, such as risk management, security incident reporting, and improving supply chain security. They're kind of the trio of must-haves for many organizations now," says Price. 

As Price explains, those areas of risk management, security incident reporting, and supply chain security are often overlooked by companies that have yet to build mature security programs. "That will, hopefully, reduce their vulnerability and improve resiliency through these efforts," said Price.

Jonathan Sword, director at Agility Cyber, agreed but sees hurdles ahead. "NIS2 is certainly an encourager to be more proactive with cyber security. It extends far further than the original NIS across more sectors and has greater repercussions if ignored. There are also a few items in NIS2 that are more lifecycle-based, such as regular testing and auditing of security measures designed to result in action rather than mere compliance," he said. 

NIS2 Compliance and Readiness Challenges Remain

As for hurdles? 

"The challenge with NIS2 is that it's another regulation that not everyone knows, and different countries are moving in different directions. For instance, the UK will not be implementing NIS2; instead, it's producing its own cybersecurity and resilience bill," Sword said.

While Sword said he expects NIS2 to have plenty of exposure in boardrooms, the actions that those boards take may not match the level regulators expect. "Most boards, especially at the smaller and mid-size organizations level, do not have any representation for cybersecurity," he said. Those companies could be expected to turn to temporary CISOs to manage the risk and to review agreements with IT services providers to ensure the proper levels of security are in place, Sword explained. 

Also, as Sword explained, while larger enterprises tend to have cybersecurity expertise at the senior leadership level, whether a CISO or an equivalent role, there is often no permanent representation at the board level.

"I suspect NIS2 will drive a change in this area, and we will find board-level holders of cyber security responsibility, perhaps alongside their other roles," Sword said. However, he holds concerns that boards will try to place cybersecurity responsibility on the shoulders of a specific person. "The principle of compartmentalizing the risk from the rest of the board to a nominated individual will still take place in my experience," he warned.

Also, those organizations that need to get the message of NIS2 may be the least likely to hear it. "Those who are aware of NIS2 are likely at the more proactive end of the market and already have ISO 27001 and other certifications, meaning the impact of NIS2 will not be that great," Sword explained. "The expected driver to meet NIS2 and associated regulations is to ensure businesses operations are resilient from a security perspective, but this translates into a compliance objective, of solely meeting NIS2, often when discussed in the boardroom," Sword said.

Building a More Resilient Future

Still, how much difference NIS2 makes may come down to how aggressively it's enforced, added Price. With so much at stake and the hope that NIS2 will have a far-reaching impact, the organizations it covers will have to increase their cybersecurity spending to meet its requirements, including the incident response capability needed to issue an early warning of a significant incident within 24 hours of becoming aware of it, followed by a fuller notification within 72 hours and a final report within a month. The penalties for not complying with NIS2 are steep: for essential entities, fines can reach €10 million or 2% of total worldwide annual turnover, whichever is higher.

Another area that could increase the EU's resilience to digital attacks is NIS2's recognition that resilience extends beyond individual entities. NIS2 promotes information sharing and cooperation between member states, creating a more unified front against cyber threats. The establishment of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) is one example of such a move toward collective resilience.

In the meantime, organizations that are still short of NIS2 compliance may already have some of the necessary controls in place across their environments, including in their third-party relationships, Sword advised.

"Areas such as resilience and meeting security baselines may already be there in their cloud infrastructure, for example," he said. "It is also worth looking at the supplier contracts, particularly if the IT service is outsourced, as this often includes cyber security provisions. Where provisions are specified, now would be a good time to ensure they're aligned to NIS2 and do a gap analysis for future required actions," said Sword.

With resilience as the desired end state, including response preparation and activities such as tabletop exercises, experts advise that organizations strive for genuine cybersecurity readiness rather than merely meeting regulatory compliance requirements. Following such exercises, enterprises may find where they need to bolster themselves before real-world threats test them.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
