NIS2 Directive raises stakes for security leaders

In this Help Net Security interview, Roland Palmer, VP Global Operations Center at Sumo Logic, discusses key challenges and innovations of the NIS2 Directive, aiming to standardize cybersecurity practices across sectors.

NIS2 mandates minimal cybersecurity requirements for member companies, encompassing policies on risk information system security, crisis management measures, and cybersecurity training.

What are the significant challenges the NIS2 Directive aims to address in cybersecurity, and what key innovations are introduced in this new directive?

The NIS2 Directive aims to strengthen the cybersecurity landscape by creating a standardized approach that will be adopted by a wide array of sectors. The new guidelines will replace the EU’s existing NIS1 directive to combine cybersecurity measures with a risk-based approach to combat the increasing sophistication of cyberattacks. New features include a comprehensive regulatory framework and the addition of new sectors, including industries that pose a critical security risk such as healthcare, transportation and digitally operated companies.

The regulatory framework includes a series of best practices that standardize security and enforce requirements using strict penalties and obligatory incident reporting requirements. The new directive also highlights an EU-wide collaboration and vulnerability-sharing program to increase transparency across organizations.

What specific cybersecurity measures and risk management strategies does the NIS2 Directive mandate for organizations, and how do these measures enhance overall cybersecurity resilience?

NIS2 outlines several security measures that will be considered minimal requirements for all member companies. These measures include the following:

• Established policies on risk information system security and risk analysis
• Crisis management and continuity measures (e.g., backup management)
• Cyber hygiene and cybersecurity practices and training
• Assessment of risk management procedures and their effectiveness

NIS2 also introduces new incentives to encourage companies to adhere to the directive, including increased monetary fines for noncompliance and heightened responsibility for management bodies. This means security leaders and C-suite members face a greater risk if their organization fails to fulfill NIS2’s requirements.

Creating a minimum requirement for security protocols and shifting liability to company decision makers raises the stakes for security leaders and their teams. As a result, companies might take their security postures more seriously and make a greater effort to protect themselves and their customers from attacks.

Can you elaborate on the reporting obligations under NIS2 and how they differ from the previous directive? How should organizations prepare for effective incident management and reporting?

For security leaders, one of the most notable updates is the shortened security incident reporting window, with companies now being required to provide a warning within 24 hours of becoming aware of the incident. This alert will be followed by a mandatory description of the event – no more than 72 hours after the event – and a comprehensive account of the incident within one month of its occurrence.

These new obligations are tighter and less forgiving, and as such will require companies to exercise greater caution and stronger security protocols.

To prepare, companies can take these three crucial steps:

• Assess current risk: Organizations should conduct an internal risk analysis to identify vulnerabilities and assess current security standing.
• Create an incident response plan: A fortified, cohesive incident response plan will prepare companies for the new NIS2 guidelines and protect them from incoming security risks.
• Prioritize security training and awareness: Keep employees educated and informed on security so they know what to do in the case of an incident.

Given the global nature of cybersecurity threats, what implications does the NIS2 Directive have for multinational companies and cross-border collaboration in cybersecurity?

Cybersecurity threats are not limited to geographic lines, and the NIS2 guidelines take this into account. The new directive applies to any company based in the UK/EU, but also to any organization that offers services in the region. This will require companies to be mindful of NIS2 and its implications, even if their business is not physically based in the UK/EU. To avoid complications or misunderstandings, NIS2 encourages organizations to collaborate with each other and with national authorities to ensure compliance.

The directive also encourages organizations to share information with each other and with the European Union Agency for Cybersecurity (ENISA) when they’ve experienced a cyberattack or security incident. This collaborative approach to strengthening the security sector could have a major impact on the cybersecurity landscape and its processes moving forward.

Looking beyond 2024, how do you envision the evolution of the NIS2 Directive, and what future developments should professionals in cybersecurity and related fields anticipate?

The NIS2 Directive speaks to an overarching need of the cybersecurity community to respond to the current global threat landscape. Security professionals understand that digital threats are evolving and increasing by the minute, and regulations like NIS2 are necessary for the future success of the cybersecurity industry. Additionally, the rise of advanced technology such as AI and quantum computing will transform the security landscape and as a result, new and updated regulations will be needed to keep up with the pace of modern threats.

With NIS2’s tightened reporting process, bolstered security measure requirements and increased liability for security leaders, NIS2 is a step toward a more uniform and more efficient security sector. It points to a potential trend of regulatory bodies stepping up to improve security protocols, with the SEC also implementing new guidelines in 2023, and we may start to see other countries and entities follow suit.