
EU cyber security bill NIS2 hits compliance deadline

The EU’s NIS2 bill will harmonise how companies and member states approach cyber security, but its success will depend on how well it is implemented and enforced

The European Union’s (EU) landmark cyber security bill NIS2 has come into full force, meaning companies must now comply with its requirements or face hefty fines.

Under the directive, which aims to harmonise cyber security rules and procedures across the bloc, EU-based businesses operating in critical sectors – including energy, transport, water, financial services and healthcare – must now implement stringent cyber security safeguards and report serious cyber threats to the appropriate authorities.

Given their importance in a range of supply chains, IT vendors such as search engines, cloud computing companies and online retailers will also be expected to follow these rules, while EU member states themselves will need to set up their own computer security incident response team (CSIRT), as well as a national network and information systems authority, if they have not already done so.

UK businesses supplying their products and services to EU-based customers must also comply with NIS2 requirements to maintain operations and market access with the EU, as it applies to any essential or important entities providing services or carrying out their activities within the EU, regardless of whether the entity has an establishment within its borders.

Failure to comply with the regulation’s cyber security risk management and reporting obligations could see organisations fined a minimum of €7,000,000 (or 1.4% of global annual revenue), or a maximum of €10,000,000 (or 2% of global annual revenue). In either case, the company will be fined whichever amount is higher.

Bart Salaets, field chief technology officer (CTO) for EMEA at F5, said NIS2 will apply to a much broader range of organisations that may not have previously prioritised cyber security: “One of the biggest challenges of an intensified regulatory spotlight on security is the added complexity of both securing and monitoring digital infrastructures that increasingly span multiple clouds and in-house datacentres.

“To navigate the legislation, organisations should create centralised visibility and unified reporting across security platforms. The need for integrated solutions and sophisticated reporting tools – potentially AI-driven – will be essential in helping organisations meet their reporting obligations under NIS2.”

Mike Smith, director of engineering and security at Qodea, added that companies will need to be aware that NIS2 includes a much more granular definition of who needs to be held accountable under the regulation, given the new classifications for different companies.

“Even if an organisation was not subject to NIS1, they may now fall under the scope of NIS2. That might be a steep learning curve for some organisations,” he said. “Those who have already invested significantly in modern security infrastructures should have a relatively easy time adapting – but those who haven’t are going to quickly find themselves falling even further behind.”

According to David Higgins, senior director at CyberArk’s field technology office, article 21 of NIS2 in particular means companies will have to put in place “robust cyber security measures to secure their supply chains and enforce zero-trust access”, meaning that identity security following zero-trust principles will take centre stage from a compliance point of view.

“This is especially important since organisations have to protect a huge network of threats under NIS2, including subcontractors and service providers. Companies also need to tick off important NIS2 Article 21 requirements related to handling and reporting incidents,” he said.

“Having a solid identity security strategy is important here, to not only protect vital infrastructure against those inevitable future attacks, but also to track and manage the handling of critical information in real-time.”

Commenting on NIS2’s implementation deadline, Tim Wright, a partner and technology lawyer at Fladgate, said that “the implementation status varies significantly across the bloc”, with just a handful of countries having transposed it into their national laws.

While member states are expected to publish national laws that comply with the directive before the compliance deadline of 17 October 2024, so far only six member states have integrated NIS2 into their national statutes. These are Belgium, Croatia, Greece, Hungary, Latvia and Lithuania.

Although most other EU countries have begun the legislative process to transpose NIS2, three – Bulgaria, Estonia and Portugal – are yet to begin the process.

Wright added that the effectiveness of NIS2 will ultimately depend on its “consistent implementation and enforcement across member states”, and that while it should drive significant improvements in the bloc’s overall cyber posture, cyber security is an arms race.

“NIS2 should make the EU a harder target, but determined adversaries will keep probing for weaknesses,” he said. “The directive’s success depends on how well it is implemented and whether it can foster a true culture of cyber security, not just compliance.”
