NIS2 - GDPR Revisited?
NIS2 – do we have another “GDPR” on our hands here, in its own way?
That is to say, another “does this apply to us?” mentality of the kind that led to an almighty last-minute (and beyond) scramble for compliance among the relevant companies – and there were millions of them.
Well, it looks like we might have, if the findings of a survey commissioned by cybersecurity consultancy Green Raven are anything to go by. For those in the dark here, NIS2 is the second Network and Information Security Directive, an EU regulatory framework that aims to raise the level of cybersecurity across its member states; it also reaches UK organisations that provide in-scope services within the EU, which is why the question matters on this side of the Channel. The survey consisted of 200 respondents from among the UK’s 1,930 organisations with at least 1,000 employees. All respondents described their role as CISO/director/head/manager within their organisation’s cybersecurity team. The primary conclusion was that senior cybersecurity professionals at over a fifth of the UK’s largest businesses are still “not sure” whether the EU’s NIS2 directive even applies to their organisation.
Morten Mjels, CEO of Green Raven, put this into perspective: “NIS2 came into force in January 2023 – almost two years ago – so for senior cybersecurity professionals at the companies most likely to be impacted to not know if it even applies… wow.”
As Mjels noted, whether these organisations think they are already compliant(ish) or are actively working towards it matters less than the consequence of failing to comply: at best a serious fine, at worst a significant impediment to doing business in Europe. Previous research had indicated a far higher level of awareness, but right now that looks to have been over-optimistic. Or simply wrong!
The survey also asked respondents for their reaction to the Cyber Security and Resilience Bill announced in July of this year. This new bill is expected to build upon the foundations laid by the original EU NIS directive (transposed in the UK as the NIS Regulations 2018) and is commonly seen as the UK’s response to the NIS2 directive – wasn’t it so much easier when the UK was an EU member – ahem!
Anyway, here are the key takeaways from asking respondents what they had heard or read about the new bill:
- 37% of respondents hope that the new Cyber Security and Resilience Bill won’t apply to their organisation, but almost 80% expect that it will.
- 46% of respondents expect the bill to make unwanted demands of UK businesses, but over 82% expect it to make reasonable demands of UK businesses. A similar proportion agreed that the bill would make necessary demands of UK businesses.
- Almost 88% of respondents agreed with the statement “The UK Cyber Security and Resilience Bill will improve the UK’s overall cyber resilience”. Not a single respondent disagreed with the statement, despite the acknowledgement of the additional demands and overheads the new bill is likely to bring.
As Mjels noted, while there is little in the way of detail beyond the common conviction that it will be the UK’s equivalent of NIS2, the overriding takeaway is that every cybersecurity professional asked clearly believes there is more that organisations can, and will, be forced – via legislation – to do to improve their cybersecurity posture and resilience.
Being a man after my own heart, he rightly concluded: “As a cybersecurity professional in an organisation likely to be in scope, I wouldn’t be waiting for legislation.”
I mean, have these guys never heard of breaches, attacks, ransomware…? Maybe we’re back to the old analogy with insurance – no one ever bought it until it was too late.
Personally, I think it’s time that IT teams stopped ticking cybersecurity boxes to appease their board and actually became proactive about a) preventing breaches and b) understanding the impact of a breach. Otherwise – as they say – it’ll all end in tears; and maybe a visit to the Job Centre…