The well-known meme "the EU regulates" comes to mind with the latest directive from the EU: NIS 2. Following hot on the heels of NIS 1, NIS 2 (Directive (EU) 2022/2555) is a directive, rather than a regulation, that covers cyber security.
EU member states must transpose the directive into national law by 17 October 2024 and apply it from 18 October 2024, which is not far away. The "state" will become more active in reducing the impact of cyber risks as society continues to become more digitalised and interconnected.
NIS 2 goes further than NIS 1 in giving "authorities" the power to carry out "random inspections, regular and ad hoc audits, and security scans to check for vulnerabilities". They can also request information and evidence of compliance.
NIS 2 is focussed on an expanded array of "essential" and "important" entities across more sectors than NIS 1. The supply chain provisions, however, mean that many more organisations could be drawn into the NIS 2 net, because in-scope entities must manage the security of their suppliers and service providers.
What about Brexit?
While the UK will not implement NIS 2, it is planning its "own NIS changes" to the UK NIS Regulations. These are expected in 2024 (election permitting).
This means an enhanced cyber security regime is coming to an organisation near you. Think of GDPR: EU legislation that UK businesses had to comply with and that was retained in UK law after Brexit.
Regardless of any future UK legislation, NIS 2 will affect UK organisations: directly, those with EU operations, and indirectly, through the supply chain provisions, those that supply organisations which are subject to NIS 2 or choose to adopt it.
Cyber Security implications
Implementing a security standard will help fulfil many of the tenets of NIS 2.
Obtaining a certification (Cyber Essentials, ISO 27001) or aligning with a framework such as the NIST CSF will not, on its own, be enough for NIS 2's incident reporting and timeliness requirements. Significant incidents must be notified to the authorities with an early warning within 24 hours, a fuller notification within 72 hours and a final report within a month.
The continuous monitoring and tight reporting timelines of NIS 2 mean you will need a set of tools and processes that leave no gaps or omissions: you cannot report an incident within 24 hours if you have not detected it, and you cannot report it accurately if you do not know which assets and vulnerabilities were involved.
Sounds expensive?
The EU estimates that NIS 2 will require a "12% increase" in organisations' ICT security spend for the years immediately following its implementation. For companies which were not subject to NIS 1, the estimate is "22%".
With pressure on budgets, this extra spend could be beyond many organisations' capabilities. On the other side, failure could mean significant "sanctions" on management, who can be held personally liable, or fines of up to EUR 10 million or 2% of global turnover for essential entities (EUR 7 million or 1.4% for important entities). Many are going to be stuck between a rock and a hard place.
Takeaway Thoughts
Is NIS 2 an inflection point? Only time will tell. It is likely that, like GDPR, NIS 2’s perceived scope will go beyond the original intention of the directive’s framers. Many more organisations, by design or by accident, will end up adopting measures in NIS 2.
NIS 2 and NIS (UK) do mean, however, that organisations could end up more secure, with the right technology and processes in place.
But it is no longer viable to keep adding tools on top of existing tools to meet NIS 2; new approaches are needed.
Whatever the outcomes, expect much more in the way of FUD (Fear, Uncertainty and Doubt) marketing.
Can Rebasoft help?
If you're looking at NIS 2 and concerned about the costs, a system that provides real-time security monitoring and continuous vulnerability assessment in a single, cost-effective deployment could be the answer.
An uptick in the number of enquiries suggests that, once again, regulation may be driving a new way of doing cyber security defence.