Friday, October 18, 2024

Cyber Crackdown: Will Big Business Survive the New Regulations?


Companies operating within the European Union are gearing up for significant changes as the **Network and Information Security Directive 2 (NIS 2)**, a new cybersecurity regulation, is set to become enforceable on **October 17, 2023**. This directive, designed to bolster the cybersecurity of IT systems and networks across the EU, introduces **stricter requirements** for companies, particularly those offering **essential services** to the public. These requirements encompass a range of aspects, including **risk management, corporate accountability, reporting obligations, and business continuity planning**.

What is NIS 2?

NIS 2 represents a **meaningful update** to the original **NIS directive**, addressing evolving **cybersecurity challenges** and threats. It aims to ensure that organizations are better prepared to handle the **increasing risks** posed by cybercriminals who continue to find innovative ways to exploit vulnerabilities in companies’ digital infrastructure.

The scope of NIS 2 **extends beyond the original directive**, encompassing a broader range of organizations that provide **essential services** within the EU. This includes sectors such as **banking, energy, healthcare, internet services, transportation, and waste processing**.

The key considerations under NIS 2 include:

The **importance of NIS 2** can be understood through the words of **Geert van der Linden, executive vice president of global cybersecurity services at Capgemini**, who characterizes it as a **new baseline** for companies: “NIS 2 will be seen as a global standard by judges.” He emphasizes that it is not about legalistic compliance alone, but rather establishing a robust foundation that companies can leverage for **competitive advantage**.

Van der Linden draws a comparison to **home insurance**: Just as it protects your house from burglary, meeting the NIS 2 baseline protects against potential legal claims and reputational damage from cyberattacks.

Furthermore, NIS 2 mandates a **thorough examination of digital supply chains** for potential cyber threats and vulnerabilities. Due to the reliance on numerous third-party vendors, companies face an increased attack surface, requiring stringent controls to prevent vulnerabilities from spreading.

**Chris Gow, head of Cisco’s EU public policy team, emphasizes the critical role of vendor due diligence:** “A mapping exercise” will be necessary under NIS 2, where companies must meticulously scrutinize their technology suppliers to evaluate and mitigate associated risks.

Another notable aspect of NIS 2 is the **“duty of care”** it introduces. Companies are obligated to **share information about cyber vulnerabilities and hacks** with other firms, even if they themselves are victims. This collaborative approach aims to foster a more proactive and informed environment in combating cyber threats.

What if a company fails to comply?

For companies that fail to meet the requirements of NIS 2, the consequences can be severe. These include:

In addition to these penalties, NIS 2 also introduces a **stricter time frame** for reporting cyber breaches. Companies have **24 hours** from the time they become aware of a breach to notify authorities, a significant reduction compared to the **72-hour window** under the EU’s **General Data Protection Regulation (GDPR)**.

This accelerated reporting requirement highlights the critical need for companies to have **well-defined incident response processes** in place that can be rapidly activated in the event of a cyberattack.

**Carl Leonard, EMEA cybersecurity strategist for Proofpoint**, offers a positive perspective on NIS 2, arguing it is not a cause for fear but rather a catalyst for improvement: “Preparing for NIS 2 is not a race to see what you can get away with, rather it is a race in which the strongest organisations race past the baseline and leverage this effort to their competitive advantage.”

He expects NIS 2 to foster a more **unified approach to cybersecurity** across the EU: “I anticipate organisations will be better supported through efforts coordinated at a European Union level,” Leonard said. “This will include shared threat intelligence, a higher common level of cybersecurity and a ‘we are in this together’ mentality.”

Are businesses ready?

As the deadline approaches, companies are working diligently to align their cybersecurity practices with NIS 2 requirements. This effort goes beyond simply ticking boxes on a compliance checklist; it requires a **cultural shift** within organizations.

**Cisco’s Gow** notes that even prior to the looming regulation, businesses have been increasing their focus on cybersecurity, with **reporting on cyber risks** becoming more commonplace in boardrooms. However, NIS 2 acts as a **catalyst** for accelerating this process.

“It definitely does have an impact,” Gow said. “I’m seeing it myself. People internally are coming forward with questions from sales and management, asking ‘How does this play out for us?’” He observes increasing **urgency and proactivity** among companies to meet the regulation’s requirements.

However, even with the heightened emphasis on cybersecurity, **cyberattacks remain a persistent threat**. In the early part of 2023, a ransomware attack on **Synnovis, a U.K. private healthcare provider, disrupted over 3,000 appointments**. This incident, orchestrated by a Russian hacking group called **Qilin**, emphasizes the ongoing need for robust cybersecurity measures.

Gow reminds us that regulations like NIS 2 cannot alone prevent cyberattacks, but they can serve as a catalyst for **strengthening cybersecurity practices**, fostering a more proactive and informed approach to protecting businesses from digital threats. NIS 2 has helped “create some scrutiny and focus resources around demonstrating how you’re going about lifting overall security levels,” he said.


Michael Grant
Michael Grant brings years of experience in reporting global and domestic news, making complex stories accessible.
