The new EU Directive NIS2 requires meticulous compliance strategies to improve cybersecurity resilience, explains Puneet Kukreja
The intense uptake of digital solutions and innovative technologies over the past four years has changed the way we socialise, work, shop, bank, and receive necessary services, such as health.
As sectors and services increasingly become interconnected and interdependent, the cybersecurity threat landscape continues to grow in sophistication and focus.
Safeguarding critical infrastructures and services is paramount to protecting society and economies from these actors.
In response, EU lawmakers have introduced several interconnected EU-wide laws to improve the digital and operational resilience of the sectors and services we rely on most.
The second Network and Information Systems Directive (Directive (EU) 2022/2555 (NIS2)) is one of these EU-wide laws. It comes into effect on 18 October 2024 and will have a compliance impact on many public and private sector organisations across 18 sectors, similar to that experienced under the GDPR.
The regulatory supervision and enforcement measures under NIS2 bear similarities to the GDPR. However, direct accountability and liability for upper management and possible suspension of CEO duties brings this squarely into the board room.
NIS2 is an evolution from its predecessor, NIS-D (Directive (EU) 2016/1148), extending the legislative scope to capture entities in several additional sectors and subsectors, including public bodies and a wider range of digital service providers, as well as covered entities’ information and communications technology (ICT) supply chains.
NIS2 sets out the minimum powers of supervision and enforcement that Member State competent authorities must have.
Administrative fines can be imposed on essential and important entities for breaches of obligations relating to cybersecurity risk management measures and incident notification.
For ‘essential entities’, the maximum fine is at least €10,000,000 or at least 2 percent of the total worldwide annual turnover in the previous financial year, whichever is higher. For ‘important entities,’ these figures are €7,000,000 and 1.4 percent.
Irish legislation must be enacted before 18 October 2024 to transpose NIS2.
Consistent with its treatment of NIS-D, the transposing legislation will provide that breaches of certain provisions of the same will be a criminal offence.
We expect that a person found guilty of any of these offences will be liable on conviction to a fine and/or imprisonment.
It is vital that CEOs, CFOs, CIOs, CISOs and board members understand not only the financial, personal, and reputational consequences of non-compliance – which underscores the urgency of pursuing NIS2 compliance now – but also the role that NIS2 will play in safeguarding their organisation’s cybersecurity and operational resilience.
Navigating NIS2
There are several steps an organisation can take to navigate the NIS2.
1. Legal analysis
Assess whether NIS2 applies to your organisation or whether any of the statutory exemptions will apply.
To the extent NIS2 applies, it will be necessary to understand its requirements, including any cross-border implications and the steps necessary to secure ICT supply chains.
2. Strategic planning of compliance navigation
Identify cybersecurity risks and set clear targets to assist in allocating resources and creating strong governance for resilience and regulatory adherence. This will also ensure operational integrity and informed decision-making.
3. Technology procurement
Align chosen technologies with organisation needs and regulatory requirements.
4. Implementation strategy
Develop a robust plan covering technology integration, employee training, and monitoring mechanisms.
5. Technology implementation
Explore partnerships with organisations experienced in technology transformation. This will help you enable the full lifecycle of capability from analysis to managed services.
6. Employee training and awareness
Champion comprehensive training programmes to instil a culture of cybersecurity within the organisation.
7. Managed services for continuous compliance
Explore partnerships with experienced service providers for ongoing monitoring and response capabilities.
8. Budgeting and resource allocation
Collaborate on budgeting to align finance planning with strategic cybersecurity objectives.
9. Documentation and reporting
Oversee the creation of comprehensive documentation, ensuring transparency and accountability.
Your NIS2 journey
Organisations will differ in their level of compliance or maturity across the key control areas that are required under NIS2.
However, one thing is certain: all in-scope organisations should now consider the implications of NIS2 to ensure they have sufficient time to assess, design, and implement their compliance plans before the legislation comes into effect.
Organisations operating in the sectors defined in NIS2 will need to assess whether they fall within its scope, the availability of any exemptions, their categorisation as ‘essential’ or ‘important’, their NIS2 obligations, and the impact of and interplay with other EU cybersecurity and operational resilience laws.
NIS2 requires organisations to address cybersecurity risks in their own ICT supply chains. In practice, this will require a risk-based assessment of ICT supplier relationships, enhancing contracts and securing inspection and other rights to ensure supply chain security. Early supplier engagement will be essential.
To the extent certain in-scope organisations are established and/or providing their services in more than one EU Member State, they may be subject to implementing laws in more than one jurisdiction or the EU Member State where their cybersecurity risk management decisions are predominately made. The NIS2 jurisdiction rules require careful consideration and may cause certain entities to rethink the geographic positioning of cybersecurity decision-making.
To successfully achieve and sustain NIS2 compliance, an organisation must commit to continuous improvement as well as the adoption of proactive measures. Both are key in this evolving digital landscape.
Beginning a compliance journey with a legal analysis of the new directive will ensure you start on the right path and your organisation not only avoids substantial financial penalties but also becomes more resilient to evolving cyber threats.
Puneet Kukreja is Cyber Security Leader at EY