Blogs & Opinions 17.10.2024

Ensuring NIS2 Compliance With Proactive Cyber Resilience

NIS2 is here. Are you ready?

October 17 2024 is the official deadline for the NIS2 Directive. Is your organisation ready? Chris Gow offers five tips to stay compliant with NIS2.

In an era of hyperconnectivity, distributed work environments, fast AI roll-out, and advanced threat actors, companies face a complicated and diverse threat landscape that goes far beyond ransomware and phishing. October 17 2024 is the official deadline for EU Member States to pass national laws implementing the NIS2 Directive, which aims at strengthening the cyber resilience of Europe’s critical infrastructure.

“Organisations that fail to comply could face fines of up to €10 million or 2% of their global annual turnover”

It’s estimated that at least seven times more entities will be covered under the new directive, compared to its previous version, including medium and large organisations with more than 50 employees and organisations from covered sectors, such as healthcare, energy, water or transportation, that have more than €10 million in revenue.

Non-compliance with the NIS2 Directive is not an option. Organisations that fail to comply with the new law could face fines of up to €10 million or 2% of their global annual turnover or even see their executive leadership temporarily suspended from exercising managerial functions. Organisations in scope that do not already have continuous monitoring or incident response plans and processes need to get moving.

While regulation can be a catalyst for improving cyber resilience, it is not sufficient by itself. We need to incentivise organisations to invest in the people, processes and technology that together make for a successful security programme.

Staying on the front foot in an evolving threat landscape

Organisations should not become complacent or assume compliance offers blanket protection from cyber attacks. NIS2 provides a baseline, but cybersecurity shouldn’t be seen as a mere compliance exercise. Rather, it’s an everyday critical matter for businesses. AI is empowering malicious actors by enhancing cyber attack tools and lowering the access barriers to deploy more sophisticated, targeted attacks. As a result, all strategy and process must be approached in an ongoing, iterative way to counter an ever-evolving cyber threat landscape.

This challenge is highlighted in the 2024 Cisco Cyber Readiness Index, which shows that very few European organisations feel prepared to defend themselves against today’s threat landscape. Only 3% were assessed as having a mature stage of readiness. This is despite over two thirds of respondents (IT and security leaders) in Europe anticipating a cybersecurity incident in the next one to two years.

Top 5 tips to stay compliant with the NIS2 Directive

The jump from NIS1 to NIS2 is a clear sign from the EU that it’s serious about achieving a common and higher level of cybersecurity across its Member States.

Here are five tips for maintaining compliance and continuing to enhance your organisation’s cyber posture:

  1. Know the rules: Understand which Member State laws apply to the organisation. Keep an eye out for practical guidance coming from EU and national cyber authorities on how to implement them. Register covered entities with the relevant cyber authorities.
  2. Get executive support: Inform management and get their buy-in to ensure the culture shift that’s needed to reach the right level of cyber resilience. They are ultimately accountable for compliance.
  3. Assess gaps: Evaluate the organisation’s setup for security incident detection and reporting, and for the required security controls, then define a roadmap that prioritises closing those gaps and becoming fully compliant.
  4. Assess third parties and tools to improve the organisation’s security posture: Get the right expertise, solutions and data analytics to be able to detect, investigate and prioritise threats and incidents. Consider the full range of technologies available, from services and solutions across identity, network, device, cloud and AI, to identify, protect, detect, respond and recover from cyber incidents, making threat hunting and remediation more effective.
  5. Demonstrate compliance: Examine which standards the organisation already follows and how they can be scaled to meet and demonstrate compliance to regulators and customers. As an example, Cisco set up a Cloud Controls Framework (CCF) to map the security requirements of key international standards, identify commonalities and simplify its own compliance efforts. We have made this tool available online on our Cisco Trust Portal for all to leverage.

Chris Gow is the head of EU public policy at Cisco and Head of the Brussels Office for Cisco’s Government Affairs team, responsible for engagements with the EU institutions. Having joined Cisco in 2008, he oversees all of Cisco’s EU public policy positions and advocacy. He is currently deeply engaged in security, digital sovereignty, cloud, AI and data issues in the region and globally. Chris has held multiple industry leadership roles. He is currently a member of the Board of the European Internet Forum (EIF) and has previously served on the Executive Board of DIGITALEUROPE and as the Chair of DIGITALEUROPE’s privacy and security group. Chris has been in Brussels since 2003, initially as an assistant to a member of the European Parliament, working on internal market and legal affairs issues. He studied philosophy, politics and economics at Oxford University.
