NIS2 Insights: Expert Tips On Compliance And Business Impact

Jonneke
16.10.2024

The NIS2 directive is the latest EU-wide cybersecurity reform to affect organizations in various sectors. It strengthens the measures of the original NIS Directive of 2016 and extends its scope to more sectors. In the face of the increasing number and severity of cyberattacks, NIS2 aims to make companies more resilient and to promote cooperation between EU member states. The following questions shed light on how companies are affected by NIS2 and how they can best prepare.

What is NIS2 and what are the changes compared to the NIS Directive?

NIS2 is the revised version of the EU's NIS (Network and Information Security) Directive, which came into force in 2016. The directive aimed to ensure a high common level of cybersecurity in the EU by requiring operators of essential services (e.g. energy supply, healthcare) and digital service providers to meet strict security requirements.

The main changes in NIS2 compared to the original NIS Directive include:

  • Extension of the scope of application: NIS2 applies to a wider range of companies and sectors, including health, financial markets, wastewater and waste management, public administrations and certain digital service providers.
  • Stricter reporting requirements: Companies must report serious cyber incidents within 24 hours. There are stricter requirements for risk assessment and management.
  • Higher penalties: The penalties for violating the NIS2 directive are stricter and can be as high as €10 million or 2% of a company's global annual revenue in the worst case.
  • Increase in accountability: Company management is explicitly responsible for cybersecurity measures and must ensure that appropriate technical and organizational precautions are taken.
  • Stronger cooperation between member states: The EU is committed to improving coordination and information sharing between national authorities.

How do smaller companies that do not fall directly under NIS2 benefit from better cybersecurity measures?

Even though smaller companies are not directly covered by the NIS2 directive, there are many advantages to improving their cybersecurity measures:

  • Protection against attacks: Cybercriminals frequently target smaller companies because they tend to be less well protected. Improved security measures reduce the risk of such attacks.
  • Trustworthiness with business partners: Many larger companies and suppliers subject to the NIS2 Directive prefer partners that meet regulatory requirements and have appropriate information security measures in place. Smaller companies can thus increase their competitiveness.
  • Protect sensitive data: By improving their cybersecurity, small businesses can better protect confidential customer and company data, which protects their reputation and minimizes legal risks.
  • Prepare for future regulations: Cybersecurity requirements are becoming increasingly stringent. Investing in security technologies at an early stage prepares companies for possible future legal requirements.

What are the first steps companies should take to meet the requirements if they are not yet familiar with NIS2?

To meet the requirements of the NIS2 directive in good time, companies should take the following steps:

  1. Raise awareness: Management and the IT department should take a close look at the requirements of the NIS2 directive and apply them to their own organization.
  2. Conduct a risk assessment: A comprehensive risk assessment helps to identify potential cybersecurity vulnerabilities. This should include both technical and organizational risks.
  3. Develop a cybersecurity strategy: Based on the risk assessment, a security strategy should be developed that sets clear goals and responsibilities.
  4. Implement reporting processes: Organizations should implement security incident reporting processes to ensure cyberattacks are reported within the given deadlines.
  5. Offer training: Training for employees is crucial to raise awareness of cybersecurity risks and ensure that security policies are understood and adhered to.
  6. Enlist external help: External advisors can help verify that the measures taken actually satisfy the NIS2 requirements.

What practical examples show the benefits of NIS2 compliance and what can companies learn from incidents?

Organizations that comply with cybersecurity requirements early on can benefit from several advantages:

  • Maersk case study: Maersk, one of the largest logistics groups, suffered significant losses as a result of the “NotPetya” attack in 2017, which caused massive business interruptions and cost the company billions. This incident highlighted the far-reaching consequences of a lack of cybersecurity measures. As a result, Maersk invested heavily in improving its security infrastructure and now has one of the most advanced cybersecurity architectures in the logistics sector. Had the company already adhered to stricter cybersecurity standards in advance, the impact of the attack could have been reduced.
  • Lessons learned from incidents like “NotPetya”: The attack on Maersk also highlights how vulnerabilities in the supply chain or with external partners can put companies at risk. From such incidents, companies can learn that tighter security management, including monitoring of partners and suppliers, is crucial to fend off similar attacks in the future.

How do companies embed cybersecurity across the organization and beyond the IT department?

To embed cybersecurity throughout the organization, companies should:

  • Ensure clear communication of responsibility: Senior management must make cybersecurity a priority and communicate its importance across all departments.
  • Provide regular training: All employees should receive regular training in cybersecurity practices, particularly in areas such as phishing defense, password management, and handling sensitive information.
  • Build a culture of security: Cybersecurity should be part of the corporate culture, in which employees take responsibility for protecting data and systems.

Why should companies include supply chains and partners in their cybersecurity strategy, and how does NIS2 support this?

Including supply chains and external partners in the cybersecurity strategy is crucial because many cyberattacks occur through vulnerabilities in the supply chain. The NIS2 directive plays a central role here because it extends responsibility for cybersecurity measures to critical suppliers and service providers. Companies must ensure that their partners maintain similar security standards to minimize the risk of an attack.

Useful measures include:

  • Auditing and vetting partners: Companies should conduct regular security audits of their partners to ensure that they are implementing adequate cybersecurity measures.
  • Contractual agreements: Security requirements should be included in contracts to ensure that suppliers and service providers adhere to the same security standards.
  • Joint contingency plans: Companies and their partners should develop joint plans for handling security incidents to ensure a rapid response in the event of an emergency.
