
How UK firms can get ready for the implementation of NIS2

Many British companies will need to adhere to NIS2’s cyber security risk management and reporting requirements if they want to continue operating in the EU market and avoid huge fines

The European Union’s landmark cyber security bill NIS2 is just months away from coming into force. With a compliance deadline of 17 October, the law aims to improve the bloc’s ability to fight rising levels of cyber crime by ensuring all member states follow the same cyber security rules and procedures. 

Under this directive, each EU member state must establish its own computer security incident response team (CSIRT) and a national network and information systems authority if they haven’t already done so. Meanwhile, the EU will create an NIS Cooperation Group to facilitate collaboration on cyber security matters between its member states. 

Along with increased scrutiny of EU member states, the NIS2 directive will also force EU-based businesses operating in critical sectors such as energy, transport, water, financial services and healthcare to implement stringent cyber security safeguards and report serious cyber threats to the appropriate authorities.

Since many businesses fall victim to cyber breaches due to security holes in their supply chains, IT vendors such as search engines, cloud computing companies and online retailers will also be expected to follow these rules. With this in mind, many UK companies that sell their products and services in the EU will be affected by NIS2, regardless of Brexit. So, how can they comply with NIS2 in such a tight timeframe? 

Essential for UK businesses

The enforcement of NIS2 by the European Union will have a “ripple effect” on UK businesses similar to that of the General Data Protection Regulation (GDPR), according to Neil Thacker, chief information security officer (CISO) EMEA at cloud software firm Netskope.

The law compels European organisations to strengthen the cyber security of their supply chains. So, if UK businesses supply their products and services to EU-based customers, they must comply with NIS2 requirements. Thacker says this is key to allowing them to “maintain operations and relationships with EU clients and partners”.

Due to the interconnected nature of today’s global economy, Thacker adds that NIS2 generally encourages organisations operating outside of the EU to adopt a similar set of risk management policies to bolster their collective cyber security posture. Doing so will help foster a “unified standard of cyber security” globally and means NIS2-mandated policies are “quickly becoming the norm worldwide”, he says. 

“While Brexit has altered the legal landscape, UK businesses may still need to comply with NIS 2 due to its ripple effect,” he adds. “This compliance is driven by the need for cyber security consistency, market access, and international cooperation throughout the global supply chain.”

Complying with the NIS2 directive is more than just an essential tick-box exercise for UK firms trading in Europe. Ben Todd, regional vice-president of EMEA security sales at cloud security firm Dynatrace, argues that it can help them in the long term. 

He argues that it will enable British companies to streamline their operations across the bloc, maintain access to its thriving market, and contribute towards a strong and secure global economy. Todd tells Computer Weekly: “In fact, alignment with NIS2 can help UK businesses avoid potential trade barriers and foster trust with EU partners and customers.”

Complying with the directive

The first step in achieving NIS2 compliance is understanding its requirements and how they apply to each business, according to Crystal Morin, cyber security strategist at cloud security firm Sysdig.

After understanding these policies and their organisational relevance, she says business and security leaders should work together to ensure they have implemented the correct policies and procedures. 

If this isn’t the case, they must work on a comprehensive implementation plan before the October compliance deadline. Morin adds: “This might include the use of end-to-end encryption, a disaster recovery plan, and/or the designation of security officers.”

When it comes to researching the NIS2 directive, Thacker recommends that UK businesses focus on reviewing Articles 20 and 21 of Chapter 3. These sections detail the governance and cyber security risk management measures that must be adopted by UK firms with EU business interests, from handling cyber security incidents to supply chain security issues. 

Although it’s vital that businesses understand and implement these requirements, Thacker warns that this isn’t simply a reading exercise. Rather, firms must continually improve their cyber security controls and measures as new risks emerge.

This is where a few key cyber security principles and practices can help, the first of which is zero-trust. Thacker explains that developing and enforcing a zero-trust strategy will let businesses verify anyone attempting to enter their networks and computing assets, protecting them from malicious parties. 

Second, he recommends extending device configuration procedures to cover internet of things (IoT) and operational technology (OT) devices, as well as traditional devices, to achieve “comprehensive security coverage”.

Third, Thacker says businesses can strengthen their identity and access management programmes by combining them with asset management measures and using real-time coaching to improve employees’ awareness of cyber security issues.

Finally, he urges businesses to take a multifaceted threat management approach. Instead of simply using signature-based malware detection techniques, Thacker suggests adding insider threat and social engineering tactics to the mix. 

He tells Computer Weekly: “The goal is to improve the overall maturity of your organisation’s cyber security practices, building on existing fundamentals and enhancing them to meet NIS2 standards.”


A fundamental step in the NIS2 compliance journey is getting buy-in and support from members of the C-suite, says Rayna Stamboliyska, CEO of advisory firm RS Strategy. She says this is particularly important for businesses that weren’t subject to NIS1 in the past, or that don’t currently view cyber security as a top priority.

As part of this process, Stamboliyska advises cyber security teams and senior leadership to identify critical services, processes and assets that must be covered by NIS2’s risk management and mitigation approaches. 

“Throughout your compliance journey, you need to involve top management as NIS2 has a specific focus on governance and awareness that embraces the whole of the business’ directorship and not only the cyber security team or roles,” she says.

As well as involving executives in the compliance process, she says cyber security teams must also ensure their incident management and reporting procedures follow the NIS2 guidelines. This is because the directive has “precise timelines and requirements” regarding these matters. 

Rob O’Connor, technology lead and CISO at American enterprise tech solutions provider Insight, says businesses that had to overhaul their operations to adhere to GDPR shouldn’t struggle with NIS2 compliance. 

“They will have implemented stronger security measures, better encryption and beefed up their reporting,” he says. “They will have overhauled business continuity plans to ensure that they’re better placed to recover from incidents.”

However, for businesses new to such a process, O’Connor recommends evaluating their existing cyber threat management processes and finding ways they can be improved in light of NIS2. After identifying any gaps, they should create and implement a robust incident response plan in accordance with the directive. 

He adds that they should strive to report cyber incidents to governing bodies as quickly as possible, adopt encryption and multi-factor authentication for added protection, as well as provide organisation-wide cyber security awareness training. 

Challenges to overcome

Businesses starting their NIS2 compliance journey may face various challenges along the way. Sebastian Gerlach, senior director for policy and public sector enablement in EMEA at cyber security giant Palo Alto Networks, describes it as a paradigm shift for small and medium-sized businesses.

“Often lacking the resources and legal expertise of their larger counterparts, these entities face a steeper learning curve in understanding and adhering to the new regulations,” says Gerlach.

Bharat Mistry, technical director of UK & Ireland at cloud security platform Trend Micro, agrees that many UK firms are likely to struggle with NIS2 adherence due to the level of investment, recruitment and training it requires companies to undertake. 

He warns that updating legacy IT infrastructure, integrating newer technologies into existing systems and setting up sophisticated incident response procedures are necessary but complex steps that businesses must take under the NIS2 directive. Mistry adds: “Additionally, ensuring supply chain compliance and addressing sector-specific challenges add further difficulties, especially for digital or software supply chains.”

What’s more, IT security teams may find it challenging to encourage executives to see the value of investing in cyber security defences and awareness training. However, it’s a fight they must win to ensure the company meets its NIS2 obligations. 

Tom Ascroft, CISO of enterprise software maker Unit4, notes that NIS2 requires board members and senior leadership to understand cyber threats by undertaking industry courses and training. 

“Providing training at this level can be challenging to pitch at the right level,” he says. “That said, it is an opportunity to further strengthen your security posture by highlighting this need and engaging with these stakeholders.”

Regardless of these challenges, businesses must take all necessary steps to overcome them and achieve NIS2 compliance by the October deadline. Otherwise, they face the prospect of hefty fines and the reputational damage that comes with regulatory action. 

“Those who do not already have continuous monitoring or incident response plans needed to get moving yesterday,” concludes Morin. “The penalties for non-compliance are steep and not worth chafing up against; up to either €10,000,000 or 2% of the global yearly revenue, whichever is higher.”
