The impact of NIS2 on company security – what will change?

Jun 24, 2024

The Network and Information Security Directive 2 (NIS2) aims to strengthen the cybersecurity framework across the European Union by addressing the shortcomings of the original NIS Directive (NIS1) and responding to the evolving cyber threat landscape. This directive introduces more stringent measures and broadens the scope of its applicability, making it a significant update from its predecessor. Companies within the EU will need to adapt to these changes to ensure compliance and enhance their overall security posture.

Broader Scope and Applicability

One of the key changes is its broader scope, covering more sectors and types of services, including public administration entities and a wider range of critical sectors like energy, transport, banking, health, and digital infrastructure. The directive now applies to medium and large organizations, removing the thresholds that limited NIS1 to certain types of companies. This expanded scope ensures that a wider array of entities must implement robust cybersecurity measures, thereby enhancing the overall resilience of critical services across the EU.

Enhanced Security Requirements

NIS2 imposes enhanced security requirements on companies, necessitating the adoption of comprehensive risk management measures, such as incident handling, business continuity, and crisis management. Companies are also required to implement detailed technical and organizational measures, including encryption, secure development practices, and vulnerability handling. Moreover, the directive enforces more stringent reporting obligations, requiring companies to report incidents within a specified timeframe, often within 24 hours of detection, and provides clear guidelines for incident categorization to ensure consistency in reporting and response.

Focus on Supply Chain Security

Another significant aspect of NIS2 is its focus on supply chain security. This requires companies to ensure the security of their supply chains and service providers by implementing stringent security requirements for third parties. This means companies must scrutinize their partners and vendors more closely, ensuring they comply with robust security standards. Strengthening supply chain security helps mitigate risks arising from third-party vulnerabilities, creating a more secure and reliable operational environment.

Increased Accountability and Governance

The directive also emphasizes increased accountability, holding senior management responsible for cybersecurity and underscoring the role of company boards in overseeing security measures. This approach ensures that cybersecurity becomes a top priority at the highest levels of organizational leadership. Coupled with higher fines and stricter penalties for non-compliance, this directive makes it crucial for companies to adhere to its guidelines, thus driving a more proactive and responsible approach to cybersecurity governance.

Improved Cooperation and Information Sharing

Improved cooperation and information sharing are integral to NIS2, with enhanced mechanisms for cross-border collaboration and better information sharing about threats and incidents. Strengthening the roles of Computer Security Incident Response Teams (CSIRTs) and the European Union Agency for Cybersecurity (ENISA) supports these objectives. By fostering better collaboration and sharing critical information, the directive aims to enhance the collective cybersecurity resilience of EU member states against sophisticated cyber threats.

Impact on Company Security

The impact on company security will be multifaceted. Companies will need to invest in improving their cybersecurity infrastructure and processes, which could result in increased compliance costs, including the potential hiring of additional staff or consulting experts. However, these investments will lead to an improved security posture, as organizations adopt comprehensive risk management frameworks and best practices, enhancing their preparedness for handling incidents and minimizing damage. Moreover, the directive’s emphasis on senior management and board involvement in cybersecurity will likely result in a more strategic focus and resource allocation for security initiatives.

Supply Chain and Incident Response Enhancements

Enhanced supply chain security will require companies to scrutinize their supply chains more closely, ensuring that partners and vendors comply with stringent security requirements, leading to improved security across entire industry ecosystems. Clearer guidelines and stricter reporting timelines will improve the speed and effectiveness of incident response, enabling better coordination with national and EU-wide authorities. This collaborative approach will aid in managing and mitigating large-scale cyber incidents more efficiently, reducing potential damage and downtime.

Cultural Shift Towards Cybersecurity

The threat of significant fines and legal repercussions will incentivize companies to prioritize cybersecurity and compliance with NIS2, driving a cultural shift towards more proactive and robust cybersecurity practices. While the initial costs and efforts to comply may be substantial, the long-term benefits of improved security and resilience will be considerable. This shift in focus will not only enhance

individual company security but also contribute to the overall cybersecurity posture of the EU, making it more resilient against emerging cyber threats.

How can Saifort help you?

Our staff is available to offer you continuing assistance with this work, namely by conducting routine compliance audits and ensuring corrective measures are appropriately implemented. Contact us to get started.

You may also find interesting…

5 Tips for SOC Analysts to Monitor and Mitigate Threats

5 Tips for SOC Analysts to Monitor and Mitigate Threats

Monitoring has a pivotal role in safeguarding your organization's digital assets. While building a fully equipped SOC may present challenges for many companies, there are fundamental practices that can significantly enhance your capabilities. In this article, I'll...

AI and Machine Learning in Cyber Security Operations

AI and Machine Learning in Cyber Security Operations

We often say that the cyber security landscape is always changing, and threats are constantly evolving. Over the last year, those statements have been widely confirmed by the rise of consumer AI tools, which allow users to create content just by text commands. Just at...