Supply Chain Defense
How Should Your Organisation Prepare for the New European Union Cybersecurity NIS2 Directive?
Key facts and how proper preparation can help you avoid up to millions in fines
Revised European Union-wide directives on cybersecurity recently came into force and are expected to have wide implications on cyber defence laws across Europe. This new directive, known as NIS2, replaces the 2016 Network and Information Security (NIS) directive, and is designed to strengthen the cybersecurity of all organisations doing business in the EU.
Since the original NIS went into effect, there has been rapid digitalisation across Europe and an increase in the prevalence of cyber attacks. This new directive is designed to address the latest cybersecurity challenges and improve EU organisations’ cyber defence posture. Like the General Data Protection Regulation (GDPR), an EU law on data protection and privacy, the effects of the new directive will likely be felt outside the EU’s borders as all enterprises doing business in the European Union will need to comply.
What new threats do the directive address?
One of the biggest threats organisations face today is defending against supply chain attacks. Digital supply chains are made up of vendors, suppliers, and other third parties with numerous connections that can include network access. While organisations' internal security is becoming more secure, a third party may have weaker security and provide an easier route to compromise. In a recent survey of C-level executives conducted by BlueVoyant, 99% of respondents in Europe said they have been negatively impacted by a breach in their supply chain.
NIS2 for the first time addresses EU supply chain cybersecurity. A significant innovation of the directive is that organisations must not only ensure a sufficiently high level of protection for their own infrastructure, but also for the wider ecosystem with which they are connected. They should also ensure that they mitigate security risks in their supply chains by assessing and considering the overall quality of products and cybersecurity practices of suppliers and service providers.
Other new risks addressed by NIS2 include 5G technology security, as well as risks that have more recently grown due to the rapid digitalisation and cloud migrations caused by the COVID-19 pandemic. By October 2024, the European Union Commission must adopt implementing acts, laying down the technical and the methodological requirements of the cybersecurity risk management measures for DNS service providers, cloud computing service providers, and data centre service providers, among others.
What are the key provisions of NIS2?
NIS2 entered into force in January but EU member states have until the 17th of October 2024 to implement the NIS2 measures as national legislation. For organisations, this means the time to start planning is now.
The new directive contains significant changes, including new obligations and risk management measures, a wider range of involved stakeholders and in-scope entities, and potentially hefty fines.
The directive aims to give Member States more flexibility to respond to cybersecurity incidents and protect critical infrastructure with a higher level of resilience. It regulates, among other things, the cybersecurity measures that covered organisations must take and their reporting obligations. Certain details are left to Member States to regulate themselves, so there will be differences in national regulations and implementations. However, the key focus areas are consistent across the EU.
An important change in the new directive is that it significantly expands the coverage to include any sectors considered critical, including energy, transport, banking, finance, health, digital infrastructure, public administration, and certain aspects of infrastructure. Under the old directive, it was up to Member States to determine which organisations were considered in-scope. Within the sectors covered by the directive, all medium and large organisations must comply. The threshold for medium sized companies is 50 employees and an annual turnover exceeding €10,000,000.
What is at stake?
Organisations should pay close attention to NIS2 requirements, as failure to do so could result in substantial fines up to €10 million or 2% of the entities' total turnover worldwide, whichever is higher.
As part of the directive’s rollout, each Member State needs to designate or establish one or more competent authorities responsible for cybersecurity and a single point of contact for entities covered by the NIS2 Directive.
Organisations affected by a cybersecurity incident now have 24 hours from when they first become aware of it to submit an initial notification, then a formal incident report no later than 72 hours, and a final report no later than one month after the incident.
How should you prepare for NIS2?
Any organisation that does business in the EU needs to analyse their cyber defence posture to make sure they have full visibility of their digital ecosystems so they can comply with the new quick reporting requirements and avoid potentially large fines. In addition to the new legal ramifications of a breach, organisations face other financial costs, plus reputational damage with customers.
Organisations should continuously monitor internal and external networks so that they can quickly identify, validate, and rank risk, as well as remediate any cybersecurity issues where appropriate. Issues like ransomware and malware need to be swiftly addressed. Every week, new zero-day vulnerabilities are announced, and cyber criminals are now taking advantage of related exposures faster than before. It is imperative to quickly deploy patches for critical issues and maintain IT hygiene across the infrastructure.
When it comes to supply chains, organisations need to make sure they know which vendors, suppliers, and other third parties are being used and what network and data access they may have. Organisations should implement a strategy to address supply chain cybersecurity challenges. The best solution is to continuously monitor the organisation's supply chain to identify, prioritise and remediate critical issues, such as unpatched systems or IT hygiene issues. Organisations should contact the affected third party directly to guide the mitigation effort and ensure remediation occurs. Handling third-party risk internally can be time consuming and costly, so organisations may want to consider outsourcing the activities to a partner that can help address this issue more cost-effectively and can work with third parties on behalf of the organisation.
Many organisations still struggle to implement the right policies, procedures, and technologies. For example, multi-factor authentication (MFA), should be required for access to any sensitive system or data. Social engineering attacks, such as phishing, work because they compromise employees instead of technology systems. To combat this, organisations should regularly train and test employees on the latest threats. Organisations should also look at identity and access management. Third parties, contractors, and employees should only have access to data strictly necessary to carry out their functions. Not controlling vendor access can allow cyber criminals to access sensitive data if credentials are compromised.
NIS2 provides additional incentives for organisations to examine their cyber defence posture to not only comply with the new laws coming, but also to help them prevent and minimise the negative effects of a cyber breach.
Looking for more? Download our NIS2 Reference Guide.