Enterprises have been working hard to transform their internal culture to ensure that the threat of cyber breaches and outages is taken seriously.
New EU rules requiring businesses to beef up cyber defenses are off to a slow start as many member states fail to adopt the rules in time for a key enforcement deadline, according to research monitoring the directive’s progress.
The EU’s NIS 2 cybersecurity directive sets a high benchmark for companies’ internal cybersecurity systems and practices. It imposes stricter requirements on risk management, transparency obligations and business continuity planning in the event of a cyber breach.
On Thursday, the deadline for member states to transpose the directive passed, and its rules officially became mandatory. This means companies must now ensure their operations comply. However, most EU member states have yet to write NIS 2 into their respective national laws, meaning implementation is likely to be uneven.
Two countries, Portugal and Bulgaria, have not yet started the NIS 2 transposition process, in which the directive is incorporated into the national laws of EU member states, according to a tracking tool from the DNS Research Consortium, an internet research organization. The governments of Portugal and Bulgaria did not immediately comment when contacted by CNBC on Wednesday.
“Implementation varies widely across the EU,” Fladgate partner and technology lawyer Tim Wright told CNBC via email.
What is NIS 2?
NIS 2 (or Network and Information Security Directive 2) is an EU directive designed to improve the security of IT systems and networks across the EU. The law was first proposed in 2020 as an update to the original NIS directive.
NIS 2 expands the scope of its predecessor to address recent cybersecurity challenges and threats, as criminals have found new ways to attack companies and compromise their sensitive data.
The directive applies to organizations that operate within the EU and provide essential services to consumers, including banks, energy suppliers, healthcare providers, internet providers, transport companies and waste handlers.
Under the new rules, companies will have a “duty of care” to report and share information about cyber breaches and hacking attacks with other companies, even if it means admitting they have been a victim of a cyber breach.
If businesses fall victim to a cyber breach, they will have 24 hours to submit an early warning notification to the authorities, a tighter timeline than the 72-hour window in which companies must notify authorities of a data breach under the General Data Protection Regulation, the EU's separate and strict data privacy law.
Enterprises must also assess their technology vendors and supply chains for cyber threats and vulnerabilities.
Will it be effective?
Fladgate’s Wright said the effectiveness of NIS 2 as a regulation will largely depend on consistent implementation and enforcement by EU member states.
“Bad actors may target countries that are lagging behind in NIS2 transitions or look for weaknesses in supply chains, targeting smaller, less secure suppliers and vendors to gain access to larger, better protected organizations,” he told CNBC.
Businesses have spent years developing internal processes, controls and a broader culture around cybersecurity ahead of Thursday’s deadline.
Chris Gow, head of EU public policy at enterprise technology company Cisco, said uneven implementation of NIS 2 was also “exacerbated by adjustments to local laws”.
This in turn “creates disparities that are difficult to navigate, especially for smaller organizations with limited resources,” Gow told CNBC in emailed comments.
He suggested that organizations should not be “overwhelmed” by the differences in local adjustments to NIS 2 but should instead “identify a common core of security controls and processes that will help them meet and demonstrate compliance at scale.”
What happens if a company doesn’t comply?
For “essential” entities such as transport, finance and water companies, failure to comply with NIS 2 could result in fines of up to €10 million ($10.9 million) or 2% of global annual revenue – whichever is higher.
Meanwhile, “important” entities such as food companies, chemical companies and waste management services can be fined up to €7 million, or 1.4% of their global annual revenue, for non-compliance.
Businesses may also face service suspensions if they do not comply with NIS 2’s stricter requirements.
“NIS 2 makes it clear that large fines, possible service suspensions and compliance monitoring are being used to encourage organizations responsible for critical services to pay attention to cybersecurity threats and how to respond to them,” Carl Leonard, EMEA cybersecurity strategist at Proofpoint, told CNBC.
“Baselines have been set in terms of risk management and mitigation measures, including incident handling, employee training, leadership responsibilities, etc.,” Leonard added.