A survey conducted by SailPoint revealed that a significant number of organizations in the UK, France, and Germany have not completed their preparations for the European Union’s updated Network and Information Security Directive (NIS2) [6] [8]. This directive aims to improve cybersecurity across the EU and carries severe penalties for non-compliance.

Description

The NIS2 directive, also known as the European Union’s updated Network and Information Security Directive [2] [4] [5] [8], must be implemented by Member States before October 17, 2024 [9]. The survey conducted by SailPoint highlighted that only 34% of organizations in the UK, France, and Germany have completed their preparations for compliance [6] [8]. UK organizations, in particular, are lagging behind, with 75% of them yet to fully address the five key requirements for compliance [1] [2] [3] [4] [5] [6] [7] [8] [9].

Failure to comply with NIS2 can result in fines of up to €10 million or 2% of an organization’s global annual revenue [6]. Each requirement takes an average of five months to complete [6] [8]. NIS2 replaces the previous NIS directive and applies to organizations with more than 250 employees and an annual turnover of €10 million or more [6].

The European Parliament has approved NIS2, which aims to improve and specify the directions of the EU’s first cybersecurity legislation, NIS1 [2] [3] [5] [6]. NIS2 covers a larger share of use cases in Europe and implements additional security requirements [3]. Member states have 21 months to transpose NIS2 into national legislation once it is published in the Official Journal [3]. NIS2 repeals and replaces NIS1, addressing limitations such as limited scope, lack of harmonization, and inconsistent levels of cyber resilience [3].

NIS2 imposes cyber risk management, incident reporting, and information sharing obligations on certain organizations across various sectors [1] [2] [3] [5]. It requires entities to adopt single core policies, including risk analysis, incident response, encryption, vulnerability disclosure, cybersecurity training, and ICT supply chain security [1] [2] [3] [4] [5] [6] [8]. NIS2 applies to all entities providing services or carrying out activities in the EU, with exceptions for small and micro enterprises and certain entities engaged in national security, public safety, defense, or law enforcement activities [2] [3] [4].

NIS2 requires management bodies of covered entities to approve cybersecurity risk management measures and oversee their implementation [3]. Entities must submit initial and final reports of significant incidents to the relevant national authority or Cybersecurity Incident Response Team (CSIRT) [3]. NIS2 also introduces a simplified definition of “significant” incidents [3]. Certain stakeholders are required to submit information to competent authorities for maintaining a registry [3]. NIS2 will apply alongside existing EU regulations, such as the General Data Protection Regulation (GDPR) [3].

Conclusion

The study by SailPoint highlights the lack of preparedness among UK organizations for the implementation of the NIS2 directive. Failure to comply with the new obligations can result in significant fines and potential liability for senior management. It is crucial for organizations to assess their compliance requirements and plan for the associated costs. Compliance with NIS2 will lead to greater consistency in cybersecurity measures across the EU, improving overall cybersecurity and resilience [3]. Organizations should also consider relevant obligations under other laws, such as GDPR requirements for incident reporting and technical and organizational measures [3].

References

[1] https://www.itpro.com/business/policy-and-legislation/three-quarters-of-uk-firms-unprepared-for-nis2-regulations-study-finds
[2] https://www.cobalt.io/blog/nis-2-overview
[3] https://4imag.com/nis-2-all-about-the-new-rules-and-how-to-prepare/
[4] https://www.computerweekly.com/microscope/opinion/NIS2-Why-organisations-need-a-unified-cybersecurity-standard
[5] https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/nis2-compliance-for-ics/
[6] https://www.infosecurity-magazine.com/news/third-organizations-comply-nis2/
[7] https://chambers.com/legal-trends/cybersecurity-policies-in-the-eu
[8] https://londonlovesbusiness.com/the-countdown-to-nis2-begins-and-only-a-third-of-eu-orgs-are-prepared/
[9] https://blog.irdeto.com/healthcare/nis2-one-year-to-go/