NIS2 Countdown: Leveraging Synergies for Streamlined Compliance

As we approach the 18 October 2024 deadline for compliance with the Network and Information Security Directive (NIS2), many businesses find themselves at a pivotal juncture, where the need for stringent cybersecurity measures is no longer merely a best practice but a regulatory imperative. In this article, Bech-Bruun’s Mikkel Friis Rossa and Kasper Bilde Nielsen, who specialise in IT, tech, digitisation, and cybersecurity, examine the requirements that businesses need to meet to comply with NIS2 before the deadline as well as the potential synergies in the implementation process.

Published on 16 February 2024
Mikkel Friis Rossa, PwC
Kasper Bilde Nielsen, PwC

An Integral Part of the EU’s Legislative Programme on Cybersecurity – “Shaping Europe’s Digital Future”

The NIS2 Directive is a horizontal cybersecurity directive that affects a wide range of organisations across multiple critical sectors. NIS2 is an important part of a comprehensive EU legislative programme concerning data, technology and infrastructure which is currently being rolled out. While the programme in general targets specific sectors (eg, the financial sector) and specific technologies (eg, artificial intelligence) through various directives and regulations, NIS2 imposes its cybersecurity requirements on businesses across sectors.

By imposing cybersecurity requirements on individual businesses, the overall aim of NIS2 is to safeguard the economy and society’s interest in the resilience and continuous operation of critical sectors. Moreover, an improved level of cybersecurity plays a crucial role in facilitating the successful adoption of digital transformation across various critical sectors, allowing these sectors to fully realise the economic, social, and sustainable advantages of digitalisation. NIS2 grants relevant national authorities supervisory powers as well as the ability to impose sanctions in case of non-compliance with NIS2. The overarching requirements for the businesses and organisations subject to NIS2 include:

  • a risk-based approach to cybersecurity measures, including continuous risk assessments;
  • management involvement in the organisation’s cyberthreat management;
  • security of supply chains, including contract and supplier management;
  • cyber education and training of the organisation, including management; and
  • reporting obligations, including notification of significant incidents to the competent authority or CSIRT and, where appropriate, to the recipients of the organisation’s services.

Requirements for Compliance with NIS2

Most businesses subject to NIS2 are already working with cybersecurity to a certain extent. However, few businesses will be able to comply with the NIS2 requirements based solely on their current cybersecurity level and infrastructure. NIS2 introduces comprehensive requirements that go beyond the current cybersecurity level of many businesses, necessitating a robust “compliance muscle” and thorough documentation.

When working with cybersecurity in businesses, it is not uncommon for management to lack both an overview of the business’s current cybersecurity measures and an understanding of which threats the business is exposed to. Knowledge of both the current measures and the threat level is necessary to raise the cybersecurity level and to adopt the risk-based approach that NIS2 stipulates.

With the introduction of NIS2, cybersecurity is becoming an exercise that starts and ends with management. As such, cybersecurity is not just a technical discipline which belongs to the IT department and can be solved solely by following standards such as ISO/IEC 27001, the CIS Controls, etc. Although these common standards and frameworks offer valuable guidance on the technical and organisational aspects of establishing and maintaining an adequate level of cybersecurity in line with the requirements of NIS2, compliance is also a legal discipline that requires contractual regulation of supplier agreements and continuous legal assessments.

Management is responsible for developing, approving and implementing an overall cyber and information security strategy that is anchored with the board of directors. This strategy must now also be able to embrace the NIS2 risk management and reporting requirements. In preparation for NIS2 compliance by 18 October 2024, management can benefit from initiating the following initiatives right now:

  • seek legal assistance to clarify whether their business is subject to NIS2;
  • obtain an overview of the NIS2 requirements and determine to what extent their business currently meets these requirements; and
  • develop a comprehensive strategy and step-by-step plan to achieve full NIS2 compliance before the deadline.

Potential Synergies with Other Compliance Disciplines

While the impending deadline for NIS2 compliance may seem daunting at first, many businesses can leverage their existing experience and technical know-how in establishing and maintaining robust cybersecurity. Furthermore, aligning NIS2 work with existing GDPR compliance presents an opportunity for businesses to streamline their ongoing compliance obligations under NIS2.


Unlike GDPR, NIS2 does not explicitly require records and overviews of activities and measures. Nevertheless, such records of IT systems and security measures can be prepared in the same manner as the records of processing activities known from GDPR compliance. Such an inventory is a necessary step in identifying relevant weaknesses, and it can also be provided to supervisory authorities on request.

In addition, most businesses are well-versed in various standard GDPR activities such as risk assessments, organisational-level solutions, contract management, employee education, emergency management, annual compliance calendars (“annual wheels”), governance, and more. NIS2 presents a significant opportunity to leverage and build on these established activities. This existing foundation can significantly clarify the scope of implementation and streamline ongoing compliance.
