There will be a major flurry of regulatory activity over the next several weeks as European Union (EU) member states race to meet an October 17 deadline to pass legislation that transposes Network and Information Security Directive (NIS2) into national law. Only two of the 27 EU nations have met the legislative deadline with one month to go, putting pressure on the remaining 25 countries to get a law on the books before current legislative sessions come to an end.
The flurry of activity over the next several weeks and the decentralized nature of NIS2 is sure to cause confusion among companies that do business in the EU. To stay ahead of a rapidly advancing timeline, organizations are going to need to start the compliance effort now and figure out how to meet uncertain compliance requirements while maintaining operational integrity and security posture in both the short and long term.
While it may seem like a time to panic, the good news is that NIS2 is based on established cybersecurity risk management and incident reporting best practices that most organizations already follow.
According to Raphaël Peyret, director of cloud security at Bitdefender, nearly every organization that does business in Europe will be impacted by NIS2 legislation. NIS2 has two major requirements for private organizations: implement a risk management strategy (Article 21) and report significant cybersecurity incidents that could lead to downtime – regardless of whether the intent is malicious or accidental. Article 21 of the directive lists specific technologies – including risk analysis, incident handling, business continuity, network security, encryption, access control, asset management, multi-factor authentication (MFA) and others – that organizations need to implement to meet compliance.
NIS2 applies to mid-size companies and large enterprises in 18 industries. While NIS2 applies to any organization that operates in these sectors, some industries may be subjected to more robust compliance requirements through additional legislation like the Digital Operational Resilience Act (DORA) that applies to the financial sector. Each EU member state is required to publish a list of entities subject to NIS2 and additional legislation by April 2025, but it’s highly advisable for all organizations that do business in Europe to read through proposed legislation now and scope areas of interest.
The sooner you understand how NIS2 legislation applies to your organization, the sooner you can determine the steps you need to take to get up to compliance. This starts with a thorough analysis of your current cybersecurity posture, including an assessment of the digital assets on your network and any potential vulnerabilities. This allows you to identify gaps and come up with a remediation plan to close these gaps. It’s also important to get buy-in from decision makers and other stakeholders on the compliance roadmap and timeline.
Risk management personnel will need to do this efficiently due to the budget constraints and the fast, decentralized NIS2 timeline. Fortunately, the directive closely follows existing cybersecurity frameworks that organizations already follow – including ISO 27001. Following these already-defined policies and processes is a good way to speed up assessment and compliance in the short term.
Long-term compliance with NIS2 legislation will require on-going monitoring and reporting. It’ll be important to watch for changes in specific regulations and adopt effective, non-disruptive change management. Regular internal audits can provide a good baseline for compliance, but hiring a third-party to provide an external audit is likely to produce more complete or “honest” results. Conducting tabletop or red-team exercises can also help ensure readiness in real-world scenarios. Users can help with compliance as well by participating in training that helps establish a strong cybersecurity culture within the organization and report non-compliance through established feedback channels.
As the October 17 deadline approaches and a flurry of regulations become law in a short time period, it’s important to not get overwhelmed or give in to panic. It’s likely that you are already doing everything you need to do to meet NIS2 compliance as long as you know how the various laws in each EU member state impacts your organization and you have a good assessment of your digital assets and potential vulnerabilities. From there, you can follow already-established cybersecurity frameworks to meet NIS2 requirements and keep up with any regulatory changes as they come up. Having a plan in place now will go a long way in meeting and maintaining compliance as the law dictates.
tags
Don’t miss out on exclusive content and exciting announcements!