Blogs & Opinions 10.12.2024
NIS2: Greater Resilience or More Red Tape?
NIS2 came into effect on 17 October but has so far proven something of a damp squib
NIS2, the newly updated version of the Network and Information Security directive, came into effect on 17 October but has so far proven something of a damp squib. It was widely anticipated that the directive would raise the bar of cybersecurity across the continent by applying to far more entities than its predecessor and compelling them to implement a baseline of risk management measures. Yet few member states have passed it into law.
According to reports, Bulgaria, Estonia, Portugal, France, Germany, Spain, and the Netherlands have all missed the deadline, with Germany stating it doesn’t expect to implement the law until 2025. This delay will hamper not only compliance but also the effectiveness of the European vulnerability database and the crisis liaison network, EU-CyCLONe, which aims to support the coordinated management of large-scale cybersecurity incidents and crises and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies, offices and agencies.
There’s also been widespread confusion over exactly who is in scope. The directive increases the number of verticals from seven to 17 and will apply to more than 160,000 entities, but nobody has told those entities who they are. Some initiatives, such as a self-assessment tool from the Dutch government, have been launched to help companies determine whether NIS2 applies to them. Still, the issue is further complicated by the individual laws of each member state. In Germany, for example, only the part of the business that provides NIS services is in scope, so other departments need not comply. This creates an obvious problem for a risk management strategy, which needs to be company-wide to be effective.
NIS2 has caused considerable consternation because it has the power to enforce significant penalties. Fines can be as high as €10m or 2% of worldwide annual turnover for essential entities and €7m or 1.4% of worldwide annual turnover for important entities, whichever is higher. However, it’s notable that the previous legislation, NIS, which could impose fines of up to £17m, never saw any issued.
One could argue that the other punitive measures proposed under NIS2 are also daunting, especially for medium-sized businesses that were previously out of scope and had a steep compliance hill to climb. Those deemed non-compliant could be subjected to on-site inspections, targeted security audits (to be carried out by a third party and charged back to the entity), security scans, requests for information or access to additional data or documents. Then there’s the matter of personal liability. NIS2 states that management bodies can be held liable for infringements and that persons responsible for discharging managerial responsibilities at CEO or a similar level can be suspended from exercising managerial functions.
The combination of these penalties and a detailed specification of the measures to be taken is making businesses sit up and listen. NIS2 will compel senior management to protect network and information systems and their physical environment from incidents by implementing security and risk policies and procedures, incident response, business continuity and disaster recovery, cyber hygiene, training, authentication and access controls, and system management security, to name but a few.
Such measures undoubtedly equal more red tape and will not be cheap to implement, saddling new entities with sizeable compliance costs. One study estimates NIS2 could cost the continent €31.2bn per year. But that could prove to be a bargain in comparison to the economic costs of a major breach. The global average cost of a data breach has increased 10% over the past year and now stands at $4.88m, but European states top that, with Germany at $5.31m and Benelux at $5.9m. When it comes to critical entities, the cost is higher still. The disruption caused by the 2017 WannaCry attack against the NHS is estimated to have cost £92m.
Creating a baseline of cybersecurity continent-wide, coupled with the coordinated response capabilities that EU-CyCLONe promises, could effectively counter that threat. Entities that implement the compliance measures could benefit not just from protecting their own processes but also from access to a broader network of protection, equivalent to an ecosystem of resilience.
So, yes, NIS2 is ambitious. Yes, it’s likely to face some teething troubles as different jurisdictions interpret and adopt it. And yes, compliance will be painful for some organisations. However, the regulations advocate measures many already adhere to, from cyber hygiene to the risk management practices associated with frameworks such as ISO 27001 to the monitoring and response capabilities of a Security Information and Event Management (SIEM) system. Therefore, compliance needn’t be onerous. Once in place, NIS2 promises to significantly reduce the opportunity for attack and the costs associated with remediation.
Kennet Harpsøe conducts cybersecurity analysis and develops machine learning models to fine-tune SIEM system alerts. With several years of experience in the cybersecurity industry, he offers unique insights into the complex threat landscape and how organisations can stay ahead of the curve and protect their digital assets through technology. He has previously worked in both the private and public sectors, including the Danish Centre for Cybersecurity, where he was responsible for real-time analysis relating to the security of data from IDS/IPS systems, NetFlow and SIEM systems, machine learning for detecting security incidents, and investigating cybersecurity events. Kennet holds a PhD in Physics from the Niels Bohr Institute in Copenhagen and is SANS certified.