Time is running out for businesses to prepare for looming new EU cyber security legislation, or risk severe penalties for noncompliance.
The Network and Information Systems Directive 2022/0383 – shortened to NIS2 – has been introduced by the EU to strengthen the bloc’s existing cybersecurity policies. It sets minimum requirements that certain organisations must meet to ensure basic cyber security safeguards, and it is the second iteration of NIS1, which was introduced in 2016 and had a much narrower scope.
Under the new rules, companies could face fines of up to €10m or 2% of their global yearly revenue – whichever is greater. Individual managers could also be penalised, and companies ordered to cease activities deemed non-compliant.
Member states have until October 17, 2024, to transpose the new rules into national law, and the legislation will demand action in the following four areas:
Risk Management: Organisations impacted by NIS2 must take steps to minimise cyber risks. Measures could include stronger supply chain security, better incident management and enhanced encryption.
Corporate Accountability: The legislation demands that management oversee, and be trained on, their organisation’s cybersecurity defences. Breaches could result in penalties for management, including personal liability and even a potential temporary ban from management positions.
Reporting Obligations: Organisations must have processes in place for swift reporting of security incidents which have a major impact on their services.
Business Continuity: Plans must be in place for how organisations can ensure business continuity in the case of major cyber incidents.
There are specific steps organisations need to take to ensure compliance; at a basic level, these include:
- Determine if they fall under NIS2 and which aspects of their business could be impacted.
- Evaluate existing security measures and change any security policies which need to be adapted before time runs out.
- Integrate required new security measures and incident reporting obligations into their existing supply chain.
While the deadline may not be here just yet, the time required to prepare for its arrival means there is not a second to lose.
SANS expert Bojan Zdrnja warned that firms need to start taking actions such as training staff, implementing risk assessments, and bringing in appropriate security controls – but they need to do it now.
“Companies need a robust cybersecurity program, both for defence and offence. And it needs to be aligned with best practices. They must start doing risk assessments, implementing security controls, and training appropriate personnel. The sooner organisations start, the easier it will be to get to the right maturity level once everything is mandatory, as complying with the new directive isn’t something that can be done overnight.”
SANS has created a range of resources designed to help businesses avoid the pitfalls of noncompliance, enabling them to get ready for the changes. They include training for management and staff, as well as expert advice regarding compliance, executive cyber exercises, skill and risk assessments, and in-depth critical infrastructure exercises.
SANS is currently conducting a survey regarding preparedness which companies are invited to take part in here.
For more information about NIS2 and what SANS can do to help you prepare, visit here.