Category: Expertise strategy
To mitigate rising cyberattacks, organizations must comply with stricter regulations, improve cyber hygiene, and adopt standards like ISO/IEC 27001. NIS 2 is a pivotal directive designed to support these efforts.
The NIS 2 Directive has been dubbed the most comprehensive European cybersecurity directive to date, encompassing 15 sectors with stricter requirements around risk management and incident reporting, as well as greater financial penalties for non-compliant firms.
NIS 2 has been in force since 16 January 2023 and EU Member States have until 17 October 2024 to incorporate the directive into their national law and start holding businesses to account. With the daily reports of organisations experiencing costly and disruptive cyberattacks, not many businesses will be asking ‘why now?’.
According to Forbes, more than 2,300 cyberattacks were recorded in 2023 involving more than 343 million victims, and the number of data breaches increased by 72% compared with 2021, which was the previous all-time record year for attacks.
In response to this dramatic rise, NIS 2 will help to build organisational resilience and give regulators and governmental agencies additional muscle to monitor the threat of cyberattacks. A significant challenge for businesses just months away from this legislation is the limited information available from public agencies, including the EU and Member States. Given the lack of guidance on how to prepare, here are some key steps that compliance teams can focus on.
Among its requirements, NIS 2 imposes reporting obligations, information sharing rules, and the designation of single points of contact (SPOCs) and computer security incident response teams (CSIRTs).
These measures will ultimately assist national and EU agencies in monitoring cyber threats and successful attacks. This will allow businesses from across the EU to learn from each other’s experiences, improve their respective cybersecurity and crisis management practices, and reduce the risk and potential impact of a cyberattack.
NIS 2 imposes a heightened level of accountability on the management body. While prison sentences are not explicitly mentioned as a repercussion for non-compliance, authorities are more likely to resort to alternative measures such as fines or, in extreme cases, possible sanctions including restricting the right to manage companies.
Despite the limited guidance available, there is a lot of work for compliance teams to do.
Firstly, they should carry out a mapping exercise with updated risk assessments and look at what existing controls and frameworks are in place within their organisation. As experts in guiding businesses through compliance, we find that employees working in the affected areas usually have a good understanding of what the challenges are and where the organisation should be making improvements.
With this better understanding of the risk picture, teams should then prioritise actions and allocate resources based on the level of risk posed to an organisation.
Basic cyber hygiene, awareness and training are areas that require a lot of work but are vital for resilience. Strong cyber hygiene can help prevent security breaches and stop cybercriminals from installing different types of malware and stealing personal information. Every employee needs to understand basic cyber hygiene practices and their role in protecting and maintaining the organisation’s IT systems and devices. This will facilitate quicker and more efficient incident response and provide immediate and effective defences against attacks.
If compliance teams have the time and capacity, implementing the controls of a standard like ISO/IEC 27001 would also be a worthwhile undertaking. We see a lot of new EU legislation encouraging organisations to become compliant through EU and international standards. This is the case for NIS 2, which directly mentions such standards in article 25.
Due to our consultants’ extensive experience of meeting compliance requirements for a diverse client base, we are able to share some useful insights on how to tackle the challenges of complying with NIS 2 despite the limited guidance available:
emagine offers tailored cyber security training, with a particular focus on NIS 2.
Get in touch with our team of experts.