NIS2 Directive: Experts share their views on the cybersecurity law
The EU’s Network and Information Security (NIS2) Directive comes into force today, ushering in sweeping changes that will impact a broad spectrum of critical infrastructure organisations across various sectors. Unlike more specialised regulations, NIS2 applies to a wide array of entities, aiming to enhance cyber resilience throughout the EU.
Andrea Carcano, Co-founder and Chief Product Officer at Nozomi Networks, commented on the gravity of non-compliance: “Non-compliance with NIS2 could result in fines amounting to €10 million or 2% of global turnover for essential entities and €7 million or 1.4% of global turnover for important entities.”
NIS2 is considered a more inclusive regulation compared to DORA, which targets banks specifically. The directive demands the integration of cybersecurity considerations relative to the scope, scale, and size of services offered by a business.
Carcano advises that NIS2 compliance will necessitate a revision of security priorities, particularly in operational technology. This includes enhanced visibility of assets, regular risk analysis, and expanded risk management beyond IT to encompass operational technology.
Carl Leonard, EMEA Cybersecurity Strategist at Proofpoint, highlights the significant powers granted to authorities, including the ability to suspend organisations from service provision and hold CEOs accountable for compliance breaches.
“Authorities can order organisations to stop poor practice, make public their mistakes, and initiate corrective action,” Leonard explained.
Leonard also points out the stringent reporting timelines under the NIS2 Directive. Organisations must submit an early warning notification within 24 hours, contrasting with GDPR’s 72-hour requirement, although GDPR fines can be more severe.
Leonard believes that NIS2 sets a new baseline for acceptable cybersecurity, encouraging organisations to exceed the minimum standards for competitive advantage. The directive leverages large fines and compliance monitoring to ensure critical service providers pay heed to cybersecurity threats, fostering a “collective responsibility” mentality across the EU.
Tim Grieveson, SVP and Global Cyber Risk Advisor at Bitsight, adds that the challenges surrounding third-party and supply chain risk are surmountable, and emphasises that “understanding the directive’s expanded scope and implementing essential tools to achieve visibility” is crucial.
The directive also calls for the personal accountability of business leaders, a shift that emphasises corporate responsibility. In the UK, while leaders may not always face personal liability, they can be held accountable under the Companies Act 2006 for governance failures leading to business or customer harm.
Edwin Weijdema, EMEA Field CTO at Veeam, acknowledges that a staggering “66% of businesses were set to miss the NIS2 compliance deadline this week.”
With the potential for personal liability for C-suite executives, Weijdema urges business leaders to see NIS2 as an opportunity to strengthen data resilience, advocating proactive security measures against rising global threats.
The NIS2 Directive signifies a transformative phase in European cybersecurity management. While challenges persist, the focus on proactive resilience, integration of new technologies, and increased collaboration will help to secure the EU’s digital future.
(Photo by Sara Kurfeß)