Nandini Roy Choudhury, writer
Brief news
- The EU’s NIS 2 cybersecurity legislation, effective October 17, imposes strict compliance requirements on companies, with significant penalties for non-adherence, including fines up to €10 million for essential entities.
- NIS 2 emphasizes risk management, corporate responsibility, and early reporting of cyber incidents, mandating businesses to assess their digital supply chains and share vulnerabilities with others.
- Companies are proactively enhancing their cybersecurity measures in anticipation of NIS 2, although experts warn that regulations alone cannot prevent cyberattacks, highlighting the need for a robust security culture.
Detailed news
Companies may incur substantial penalties or even service suspensions inside the European Union due to stringent new cybersecurity standards scheduled to be implemented next month.
The EU’s NIS 2 cybersecurity legislation will be enforced by member states from October 17. Consequently, companies must verify their activities comply with the requirements established by the new legislation.
The regulations provide stricter obligations for firms regarding their internal cyber resilience strategies and processes.
What is NIS 2?
NIS 2, or Network and Information Security regulation 2, is an EU regulation designed to enhance the security of IT systems and networks within the union. Enacted in 2020, the legislation updates a prior directive known as NIS.
NIS 2 broadens the remit of its predecessor to tackle contemporary cybersecurity difficulties and risks that have arisen as criminals have devised novel methods to infiltrate enterprises and jeopardize their critical data.
The directive pertains to entities operating within the EU that deliver important services to consumers, such as banks, energy suppliers, healthcare institutions, internet providers, transportation companies, and waste management enterprises.
The primary focus will be on risk management, corporate responsibility, reporting requirements, and business continuity planning in the case of a cyber breach.
Geert van der Linden, executive vice president of global cybersecurity services at Capgemini, told CNBC that NIS 2 has established a new standard for organizations for the protection of people, operational continuity, and resilience against assaults.
Van der Linden stated that “NIS 2 will be regarded as a global standard by judges” once it becomes enforced. “Clients, irrespective of their classification as essential or significant in regulation, must assess the baseline and ensure compliance.”
By adhering to this baseline, corporations will adequately safeguard themselves against accusations, Van der Linden stated. He likened it to obtaining homeowners insurance to safeguard your residence against theft.
“Where do the intruders retreat? The most vulnerable house is always the least protected. They examine each door to determine where they can gain entry,” he stated. According to Van der Linden, this is also increasingly applicable to firms seeking to safeguard themselves against cyberattacks.
Under NIS 2, companies must evaluate their digital supply chains for cyber risks and vulnerabilities. Contemporary companies utilize a variety of goods and tools daily, thereby providing criminals with several possible paths for assault.
Chris Gow, leader of Cisco’s EU public policy team, told CNBC that a “mapping exercise” will be conducted under NIS 2, requiring enterprises to assess their technology providers for potential hazards.
Under NIS 2, businesses will be obligated to exercise a “duty of care” by reporting and disseminating information on cyber vulnerabilities and breaches to other enterprises, even if it necessitates acknowledging their status as victims of a cyber incident.
What are the consequences if a corporation does not adhere to regulations?
Companies that do not adhere to the new legislation may incur substantial penalties and further punitive measures.
Entities deemed vital, such as transportation, banking, and water businesses, may incur fines of up to 10 million euros ($11.1 million) or 2% of worldwide annual turnover for non-compliance with NIS 2, whichever is greater.
Essential enterprises, including those in the food, chemicals, and waste management sectors, may incur fines of up to 7 million euros or 1.4% of their global annual revenues for noncompliance.
Companies may encounter potential service suspensions if they do not adhere to NIS 2, along with increased oversight to assess their compliance status.
In the event of a cyber breach, a corporation must file an early warning notification to authorities within 24 hours. This is more stringent than the 72-hour notification requirement for data breaches mandated by the GDPR (General Data Protection Regulation), a distinct data privacy statute in the EU.
Carl Leonard, EMEA cybersecurity strategist for Proofpoint, stated to CNBC, “Preparing for NIS 2 is not a competition to determine how much one can evade; instead, it is a contest where the most robust organizations surpass the minimum requirements and utilize this endeavor to gain a competitive edge.”
“I expect that organizations will receive enhanced support through coordinated efforts at the European Union level,” Leonard stated. “This will encompass collaborative threat intelligence, an elevated standard of cybersecurity, and a collective mindset of unity.”
Are enterprises prepared?
Companies have been striving to refine their internal procedures and controls, along with the overarching culture of cybersecurity, in anticipation of the October 17 deadline.
Cisco’s Gow stated that, irrespective of the impending regulatory threats, businesses have been diligently endeavoring to transform their organizational culture to adequately address the risks associated with cyber breaches and outage situations.
“Independent of regulatory developments, reporting occurs from the CISO level to the board and management.”
He noted that NIS 2 is prompting firms to expedite the enhancement of their cyber controls and processes in accordance with the new regulations.
“It certainly exerts an influence,” he stated. “I am witnessing it firsthand. Internal personnel are presenting inquiries from sales and management, questioning, ‘What are the implications for us?’” He stated that there is “preparation to undertake immediately” for firms to guarantee compliance with NIS 2 criteria.
Despite the heightened emphasis on cybersecurity in boardrooms, hacks continue to occur.
Earlier this year, a ransomware assault on Synnovis, a private healthcare provider in the U.K., disrupted over 3,000 hospital and general practitioner appointments. The assailant, a Russian-based hacking collective known as Qilin, requested a ransom of £40 million.
Gow stated that it would be erroneous to presume that new regulations will avert such occurrences in the future, but he noted that NIS 2 has facilitated “increased scrutiny and the allocation of resources towards demonstrating how one is enhancing overall security levels.”
Source: CNBC News