The European Union's NIS2 Directive came into force on January 16, 2023, and member states had until October 17, 2024, to transpose it into national law. Yet many organizations still don't meet the required standards two years after it was approved.
According to survey from backup shop Veeam carried out shortly before the deadline, as many as two-thirds (66 percent) of organizations were going to miss the October 17 cutoff, despite nine in ten admitting that they faced incidents that NIS2-mandated controls would have prevented.
Additionally, only two of the 27 EU member states – Croatia and Italy – have fully transposed the directive into domestic law. Estonia and Portugal haven't started the process, while the others are at varying stages, according to the DNS Research Foundation's tracker.
The panic, or lack thereof, around meeting the deadline is largely due to competing priorities at relevant organizations, and disregard for the punishments that come with non-compliance, the Veeam survey showed.
It's a confusing stance given that the punishments associated with NIS2 failings include substantial fines and personal liability for individuals in management and decision-making positions.
Overview
NIS2 builds on the work of NIS1, the first EU-wide cybersecurity legislation introduced in 2018, which aimed to implement a common set of security standards across all member states.
The new regulations expand the scope, meaning more organizations must fall in line with the rules. Generally speaking, if your organization provides critical services or falls under the sectors in NIS2's extended scope, has more than 50 employees, or an annual turnover exceeding €10 million ($10.8 million), it's likely that NIS2 applies to you.
Critical infrastructure operators were bound by NIS1 and by extension NIS2 too. Organizations in the digital services sector, space companies, postal services, network operators, chemical producers/distributors, some manufacturers, and more are all now bound by NIS2. In-scope organizations are categorized as "essential entities" and "important entities" – all are deemed critical sectors, but some more than others. The classification determines the specific requirements organizations must meet.
It's important for each organization to determine whether it's required to comply with NIS2, not just because of the potential punishments on the table, but also because the regulations demand different things from different sectors. Although NIS2 aims to raise security standards across many industries to a common level, the compliance requirements are not the same across the board.
What's new?
Aside from bringing more organizations into scope, there are four main pillars to the new regs, introducing more robust requirements in key areas: Risk management; corporate responsibility; mandatory incident reporting; and business continuity.
Managers of in-scope organizations must have a full understanding of the directive and oversee compliance with it, and are responsible for identifying and addressing cyber risks.
Mandatory reporting of security incidents to a database managed by ENISA, the EU's cybersecurity agency, must be completed within 24 hours of detection. It's a positive step toward building a greater understanding of attack campaigns that can help inform defenders working on mitigation strategies.
Also tied into this is the establishment of EU-CyCLONe – the European Cyber Crisis Liaison Organisation Network. It's a new body comprised of experts from member states that's tasked with supporting the bloc in the event of a wide-scale incident.
There's also heavy emphasis on risk management. In-scope orgs must ensure adequate steps are taken to minimize threats to network and supply chain security, improve access control (use MFA), adopt encryption for comms, and ensure an incident management plan is readily available in case of a serious attack.
Organizations must also ensure adequate steps are taken to ensure they can continue to operate in the event of a disruptive cyberattack.
Checklist for compliance
Given the different requirements for the various in-scope organizations, it's impossible to create a checklist that's both comprehensive and applies to every organization. That said, below you'll find the fundamental starting blocks.
Determine whether your organization is in NIS2's scope
Understand the requirements and determine the current level of compliance
Secure the necessary budget for required changes
Determine what other member state laws and EU cybersecurity laws apply to your organization
Carry out cyber risk assessments to understand exposure to vulnerabilities and other threats
Assess third-party cyber risks, establishing appropriate risk management procedures
Develop comprehensive plans for incident response, business continuity, and cybersecurity generally
Implement any required security measures, like MFA
Ensure the workforce receives up-to-date cybersecurity training
Punishments and barriers to non-compliance
Remember how in-scope organizations are split into "essential" and "important" entities? Well, not only do the requirements differ but the fines for non-compliance do too.
- Cloud threats have execs the most freaked out because they're not prepared
- Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy
- US and EU infosec authorities pen intel-sharing pact
- Europe moves closer to stricter cybersecurity standards, reporting regs
The most critical organizations found to be violating NIS2 face at least €10 million ($10.8 million) in fines or a sum equivalent to 2 percent of their global annual turnover.
"Important" entities, on the other hand, are let off with slightly more lenient but still significant fines of at least €7 million ($7.5 million) or 1.4 percent of their global annual turnover.
As NIS2 tasks leadership teams with ensuring NIS2 compliance, failures to comply can also lead to legal ramifications for individual business leaders deemed to have fallen short of expectations.
Policy experts at Big Four auditor EY have predicted that Ireland's domestic transposition of NIS2 will include provisions for possible imprisonment, for example.
As for how strictly these punishments will be meted out, that remains to be seen. Eye-watering fines have been issued since the introduction of GDPR but they're not nearly as common as many thought they might be before it came into force in 2018.
For survey respondents to report being unfazed by the potential punishments, which include huge fines and possible prison time, is puzzling, especially given the fines that have already been handed out, demonstrating the consequences of non-compliance.
Others came to similar conclusions about the rate of non-compliance by the deadline last week. Jesper Olsen, chief security officer for Northern Europe at Palo Alto Networks, said in-scope organizations haven't received the support from domestic authorities they need to fall in line with the new rules and clearer education materials are needed.
"A lack of guidance from authorities, from the approval of the NIS2 Directive two years ago to this week's deadline, has left many organizations in a state of limbo," he said last week. "With the deadline for enforcement approaching, businesses have been left confused about their responsibilities.
"Organizations directly subjected to the requirements are currently unaware of next steps, causing a huge gap in readiness. With limited support, many organizations also question the authorities' readiness to assist with compliance, further diminishing urgency.
"Businesses want to understand what the regulation means for their business, how to comply, and what technologies are required to implement these measures."
Whatever the reason for missing the deadline, compliance is a must. With the ever-rising threat of cybercrime to the global economy and the safety of critical services, the NIS2 Directive is warmly welcomed by the wider industry, even as employers struggled to meet the deadline.
"NIS2 provides a crucial framework to assess current security postures and implement changes that significantly bolster data resilience," said Edwin Weijdema, EMEA Field CTO, Veeam.
"While compliance alone doesn't guarantee complete security, it necessitates proactive measures against vulnerabilities. With threats escalating globally, business leaders must act now to secure their operations. Those who fail to do so will face significant consequences, both personally and professionally." ®