The European Union is set to enforce stricter cybersecurity regulations under the Network and Information Security Directive 2 (NIS 2) on October 17, 2024. Companies operating within the EU will need to comply with these regulations or face substantial penalties, including hefty fines and potential service suspensions.
What Is NIS 2?
NIS 2 (Directive (EU) 2022/2555) is an update to the original NIS directive introduced in 2016. It aims to bolster the cybersecurity resilience of IT systems and networks across the EU, addressing evolving threats from cybercriminals. The directive expands the scope of its predecessor by bringing in a broader range of organizations that provide essential or important services, such as:
- Banks
- Energy suppliers
- Healthcare institutions
- Internet providers
- Transport firms
- Waste management services
The directive emphasizes key areas like risk management, corporate accountability, incident reporting, and business continuity planning.
Key Requirements for Companies
Under NIS 2, businesses will have to:
- Strengthen Cyber Resilience: Companies must implement robust internal cyber resilience strategies to protect their operations.
- Vet Digital Supply Chains: Firms are required to assess their supply chains for vulnerabilities, ensuring that third-party services meet cybersecurity standards.
- Meet Reporting Obligations: Businesses have a "duty of care" to report significant incidents and breaches to the authorities, including sharing information with other affected firms in case of an incident.
Geert van der Linden, executive vice president of global cybersecurity services at Capgemini, emphasized that NIS 2 establishes a new baseline for cybersecurity, serving as a global standard for companies to protect themselves and their stakeholders.
Potential Penalties for Non-Compliance
Failure to comply with NIS 2 can lead to severe financial penalties:
- Essential Entities: Companies providing critical services can face fines up to €10 million (about $11.1 million) or 2% of their global annual turnover, whichever is higher.
- Important Entities: Organizations such as food and waste management companies face fines up to €7 million or 1.4% of their global annual turnover, whichever is higher.
Additionally, firms may face suspensions of their certifications or authorisations, and if they experience a significant incident, they are required to send an early warning to the authorities within 24 hours of becoming aware of it, followed by a fuller notification within 72 hours and a final report within a month. The 24-hour early warning is significantly shorter than the 72-hour notification window under the General Data Protection Regulation (GDPR).
Preparation and Industry Response
As the October deadline approaches, businesses are ramping up efforts to meet the new regulations. Cisco’s Chris Gow noted that companies are increasingly aware of the need for a strong cybersecurity culture, leading to more proactive discussions at all organizational levels.
Carl Leonard, EMEA cybersecurity strategist for Proofpoint, highlighted that organizations should view compliance as an opportunity for competitive advantage rather than merely a regulatory obligation. He anticipates enhanced support for companies at the EU level, including shared threat intelligence and a collaborative approach to cybersecurity.
Ongoing Cyber Threat Landscape
While regulatory measures like NIS 2 aim to strengthen cybersecurity, they cannot completely prevent cyberattacks. Earlier this year, a ransomware attack on UK-based pathology services provider Synnovis disrupted thousands of hospital appointments and procedures, demonstrating that threats remain prevalent even as organizations invest in improved security measures.
Gow cautioned against assuming that regulations alone can eliminate cyber threats, but acknowledged that NIS 2 has heightened awareness and scrutiny around cybersecurity practices.
Conclusion
The NIS 2 directive represents a significant shift in the EU's approach to cybersecurity, imposing stricter regulations and expectations on companies. As businesses prepare for the October 17 enforcement date, the emphasis on compliance will be crucial not just for avoiding penalties, but for fostering a culture of cybersecurity resilience that can adapt to an ever-evolving threat landscape.
I am Aparna Sahu
Investment Specialist and Financial Writer
With 2 years of experience in the financial sector, Aparna brings a wealth of knowledge and insight to Investor Welcome. As an accomplished author and investment specialist, Aparna has a passion for demystifying complex financial concepts and empowering investors with actionable strategies. She is dedicated to providing clear, evidence-based analysis that helps clients make informed investment decisions and is committed to staying ahead of market trends to deliver the most up-to-date advice.