NIS2: Why organisations need a unified cybersecurity standard
Patrick Scholl, head of OT at Infinigate, shares his thoughts on the best strategy for approaching the European directive
Since the first Network and Information Security (NIS) Directive was adopted in 2016, the European Union (EU) has been working to unify legal standards and requirements for cybersecurity. With the adoption of its successor, the revised Network and Information Security Directive (NIS2), these efforts reach a new stage. The aim of the directive is to align cybersecurity best practices across countries and sectors and to close some of the gaps in the regulatory ecosystem. The directive is considered promising enough that even states outside the EU are working on adapting it into their own legal frameworks.
The need for a unified approach
Although cybersecurity is high on organisations’ agendas, many don’t have the defences in place that regulators and governments now recommend and require. At the same time, organisations are facing an increasing number of threats. For instance, research shows that in 2022, the number of cyberattacks in Europe rose by 26% compared to 2021.
Research from the EU sheds more light on the situation: 37% of Operators of Essential Services (OES) and digital service providers do not operate a Security Operations Centre. Additionally, the share of OES IT budgets dedicated to information security fell from 7.7% in 2021 to 6.7% in 2022.
NIS2 provides organisations with a list of measures to build robust cyber defences, helping them mitigate the risk of cyberattacks and ensure they know what to do when an attack happens. These measures include:
- Preparedness – this requires both Member States and organisations to be appropriately equipped. At the national level this means designating a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems authority; at the organisational level it means having incident-handling measures in place so that an attack can be detected, contained and reported.
- Developing a proactive cybersecurity culture – this is crucial for sectors that are vital to the European economy and society and that rely heavily on ICT, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
Regulation will not be enough
Compliance with regulations alone will not prevent cyberattacks. Organisations also need to invest in the right cybersecurity technologies, seek guidance from expert specialists and adopt a proactive security culture.
The channel opportunity
Any new regulation brings with it risks and rewards. For organisations, the risks of non-compliance are considerable. Once national rules are in place, fines can reach €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities. On top of this, management bodies can be held personally liable for NIS2 failures, and regulators have the power to suspend certifications and authorisations or to temporarily bar managers from exercising their functions.
Member States must transpose NIS2 into national law by 17 October 2024, so organisations need to act now. For the channel this brings opportunity: vendors, distributors and, most importantly, value-added resellers can offer the advice and services that enable organisations to achieve compliance and ultimately strengthen their cybersecurity posture. The channel has the opportunity to truly partner with CISOs, helping them sustainably strengthen cybersecurity and ensuring that management teams fully understand the risks their organisations face.