EU's updated NIS2 Directive enforces stricter cybersecurity rules

The deadline for EU member states to transform the NIS2 Directive into legal obligations is set for the end of October, bringing significant implications for businesses across the continent.

This updated cybersecurity framework requires organisations to heighten their security measures, particularly in the wake of escalating threats. The NIS2 Directive aims to fortify digital resilience by setting stricter criteria for compliance, impacting an estimated 160,000 companies, with potential fines reaching €10 million for non-compliance.

Patrick Scholl, Head of OT at Infinigate, highlights the varied readiness levels among EU states and organisations to implement these changes. While Belgium, Hungary, Croatia, Latvia, and Italy have advanced in integrating the directive into national laws, other countries, including Germany, Finland, and Sweden, remain in preliminary stages.

Scholl underscores the directive as an opportunity for channel partners to offer valuable consultancy services, assisting organisations in determining their classification as "essential" or "important" entities. Services can range from security audits and risk assessments to advising on incident reporting and implementing new security technologies.

Mike Smith, Director of Engineering and Security at Qodea, cautions that adherence to NIS2 will be a demanding process, especially for those not currently employing up-to-date security measures.

The directive's stringent requirements redefine who is accountable, potentially broadening the scope to include organisations previously exempt under NIS1. Smith voices concerns over supply chain security, stating that maintaining transparency and due diligence in supplier interactions is essential to meet these new guidelines.

Edwin Weijdema, EMEA Field CTO at Veeam, reveals a worrying statistic: 66% of businesses are likely to miss this compliance deadline. He stresses the critical need for enhanced data resilience amidst ongoing threats, urging business leaders to take immediate steps to secure their organisations. Weijdema also points out the personal liabilities now facing executives within the EU, who could face financial penalties or management bans for non-compliance.

In the UK, though not bound by NIS2 as a non-EU member, business leaders remain liable under national laws like the Data Protection Act 2018 and the National Cyber Strategy. These regulations demand that companies in critical sectors maintain robust cybersecurity frameworks. Directors may face personal repercussions under the Companies Act 2006 if they fail in governance and compliance duties, resulting in significant business harm.

Simon Fisher, Senior Advisory Services Consultant at Orange Cyberdefense, sees NIS2 as an opportune moment for IT leaders to prioritise cybersecurity at board level, potentially unlocking increased budget allocations. As businesses grapple with economic challenges, he advises leveraging regulations to bolster cyber resilience and secure their operational frameworks.

As the NIS2 Directive takes effect, businesses must act promptly to comply, adapting to new requirements swiftly to avoid fines and ensure their operations remain secure against evolving cyber threats. The directive not only compels companies to enhance their digital safeguards but also presents a strategic avenue to improve organisational resilience and maintain competitive edge in a digitally volatile landscape.