In prep for NIS2 cybersecurity requirements
“There are simply not enough industry regulations and security frameworks…” – said nobody, ever.
Are government regulations and security standards a forcing function to gain alignment? Or are they an unnecessary friction? The answer likely depends on your role, and whether or not you work in a heavily regulated industry.
For organizations only interested in checking a box, it’s a costly, time-consuming, and often frustrating exercise to try to prove compliance. But for organizations that use the regulations to guide how they set up and implement security controls, it can be a path towards keeping their infrastructure secure and their customer and sensitive company data safe.
Cyber regulation heating up around the globe
Over the past several weeks, much of the industry’s attention has been on the US, and rightly so. The Securities and Exchange Commission (SEC) dropped a bombshell of regulation onto publicly traded companies, holding executive teams and boards accountable for cyber incidents.
It all sounds good in theory. If this forces companies to take cybersecurity more seriously, that’s a win in my book. However, some facets of the new rules, like having to file a Form 8-K disclosure of a “material” cyber incident within four business days of determining that the incident is material, are sure to get some CISOs’ heart rates up.
But don’t be distracted by recent headlines. The United States isn’t the only global entity that’s raising the bar on corporate cybersecurity. In fact, my own European neighbors should be readying the sails.
In January of this year, the overhaul of the Network and Information Security (NIS) Directive entered into force. NIS2 (Directive (EU) 2022/2555), the sequel to the 2016 directive, widens its scope and aims to eliminate inconsistency between member states by establishing a common baseline of cybersecurity standards and risk management practices. It also formalises a coordinated response to large-scale incidents through the European cyber crisis liaison organisation network (EU-CyCLONe) across EU member states, sectors, and businesses. Member states must transpose it into national law by October 17, 2024.
Who’s impacted and what’s at stake
Entities in the covered sectors with at least 50 employees or more than €10 million in annual turnover (and some, such as DNS service providers and TLD name registries, regardless of size) must now put risk management measures in place along with an incident handling process that lets them respond and report quickly. NIS2 also extends the reach of the original directive well beyond the first wave of critical industries: alongside the cloud computing service providers and digital providers like online marketplaces and search engines that NIS already covered, it pulls in managed service providers, public administration, space, manufacturing, and more.
NIS2 distinguishes between “high criticality” sectors and “other critical sectors” for prioritization purposes.
High criticality sectors include:
- energy
- transport
- banking
- financial market infrastructures
- health (including manufacture of pharmaceutical products and vaccines)
- drinking water
- waste water
- digital infrastructure (i.e., internet-related service providers, cloud service and data centre providers, electronic communications networks, etc.)
- managed service providers and managed security service providers
- public administration
- space
Other critical sectors include:
- postal and courier services
- waste management
- manufacture, production and distribution of chemicals
- food production, processing and distribution
- manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment
- digital providers (i.e., online marketplaces, online search engines, and social networking service platforms)
- research organizations
To avoid fines, companies must take proactive steps to minimize disruption. They must also report significant incidents to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours (including an initial assessment of severity and impact and, where available, indicators of compromise), and a final report within one month. Where relevant, they may also have to inform the recipients of their services about significant cyber threats.
That’s a fast turnaround. Failure to comply will result in fines for the entity, similar to GDPR, and members of management bodies can be held personally liable for breaches of the risk management obligations. The fines are steep: essential entities face maximum fines of €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities face €7 million or 1.4% of worldwide annual turnover, whichever is higher.
Make smart investments
The intention behind all of this, whether you’re in the US regulated by the SEC or in the EU adhering to NIS2, is to establish regular risk reporting from a CISO or similar role to the appropriate internal management body. It’s also to force companies to proverbially put their money where their mouth is. Companies can no longer pay only “lip service” to caring about data security. Now they must rightly prioritize cybersecurity efforts and allocate dollars/euros to cyber risk mitigation, incident response, supply chain security, and other cloud security issues.
It will be a big challenge for CISOs, wherever their companies are in their cloud journey, to onboard and operationalize the detection capabilities that allow them to actually detect attacks and to meet the reporting requirements of the SEC and NIS2. Those who know me will remember my saying: “CSPM is not enough.” A posture scan tells you about misconfigurations, not about an attack in progress. Public companies and those in scope for NIS2 cannot rely on CSPM alone; they will need runtime detection capabilities and teams that are able to operationalize them.
Adding to the challenge is the fact that many companies currently rely on too many security tools, a CSPM solution potentially being one on a long list. It’s simply not possible to meet the high bar set by the SEC and EU governing bodies if teams are forced to manually piece together the facts of an incident across multiple security dashboards within a 24- or 72-hour window. It’s also not economically efficient. Most cybersecurity budgets are increasing incrementally at best, even in the face of oncoming legislation. You should be using fewer, more efficient cybersecurity solutions that create less work for your teams.
Are you ready for NIS2?
Manual efforts won’t scale or enable you to quickly and accurately collect the required evidence to prove NIS2 compliance. You’ll need something a bit more modern.
According to the directive, EU member states must incorporate NIS2 requirements into their national legislation by October 17, 2024. I have a feeling that day will be here before you know it.
After all, time flies when you’re having fun. Am I right?