How will the EU directive of NIS2 impact your organization?

Cyber Protection, March 15, 2023

Cyber Protection, March 15, 2023

The current threat landscape, with the increasing number of attacks and breaches, has forced organizations to improve their capability to identify, protect, detect, respond and recover from security incidents in all phases (before, during and after an attack). 

In response, the EU created the NIS directive in 2016 with the intention of improving the cybersecurity capabilities within EU member states. Recognizing the need to stay on par with the ever-evolving risks and threat to organizations operating within the EU, the NIS2 directive was created in 2022. Member states have 21 months from November 2022 to codify it into local legislation.  

In this thought leadership article, we will explore the key provisions of the NIS2 Directive and discuss their implications for private- and public organizations operating in Europe across included industries. We will examine the new obligations that are placed on organizations, including the requirement to implement appropriate cybersecurity measures, report incidents to national authorities, and cooperate with other member states in the event of a cyberattack. 

Aligning impacted industries and the scope of NIS2 

Overall, the NIS2 Directive represents a significant step forward in strengthening cybersecurity in the EU. By understanding its requirements and implications, public- and private organizations can ensure that they are well-positioned to protect themselves and their customers from cyber threats, both now and in the future. 

Becoming compliant with NIS2 

While compliance with the directive may require significant investment and resources, it also provides an opportunity for businesses to enhance their cybersecurity posture and build trust with customers and stakeholders. Below is an extract of key areas organizations will need to focus on. 

* NIS2 also introduces the European Cyber Crisis Liaison Organisation Network, also called EU-CyCLONe, to support large-scale cybersecurity incidents and crises at an EU level. 

However, simply investing in cybersecurity technologies is not enough. Organizations must also ensure that their employees are trained to recognize and respond appropriately to potential cyber threats.  

Financial implications and management accountability 

With the implementation of the NIS2 directive, regulatory bodies will become more stringent in enforcing cybersecurity standards. The consequences for non-compliance have also become more severe, with financial penalties now a common form of punishment. The severity of these penalties can be substantial, and in some cases, they can be enough to bring a business to its knees. This can be in the form of fines for breaches of cybersecurity risk management and reporting obligations. These fines are up to €10 mil. or 2% of the total global annual turnover. In addition to the changes within management, accountability means that management can either be banned, have a 72-hour reporting requirement, or even be assigned a monitoring officer to ensure compliance. 

Ultimately, the bridge between cybersecurity capabilities and financial penalties is clear: the former is essential to avoid the latter. Organizations that take cybersecurity seriously and implement sufficient measures will be better positioned to avoid costly financial penalties and protect their operations from cyber threats. By investing in cybersecurity capabilities, businesses can not only protect their operations but also safeguard their reputation and customer trust. 

The EU quickly recognized that many organizations would lack the resources necessary to comply with the directive and created the ‘Digital Europe Program’, where organizations can apply for funding, with an allocated budget of €1.6 billion from EU, in the following areas: 

  1. Cyber Shield- which includes funding for the acquisition of security operation centers 
  2. Activities related to the implementation of tangible cybersecurity controls 
  3. Program activities evaluations and reviews 

“By establishing clear guidelines on minimum cyber security resiliency, the nis2 directive empowers private and public organizations in EU to proactively safeguard their networks and systems, and ultimately contribute to a safer, more secure digital world”

Anders Fleinert Larsen, Business Unit Leader, Trifork Cyber Protection

Let’s enhance your Cybersecurity posture together

In conclusion, the EU outlines clear expectations for industries in scope through the NIS2 directive, with strong enforcement measures. With careful planning, a well-defined strategy and a commitment to continuous improvement, organizations can enhance their cybersecurity posture within the evolving threat landscape. Trifork Cyber Protection recognizes the power of NIS2 to positively impact cybersecurity across EU member states and the inherent need for Cybersecurity expertise to support organizations on their cybersecurity journey.