In today’s fast-paced business environment, technology is central to enterprise success, often underpinning efficiency, innovation and competitiveness.
From advanced data analytics to cloud-based models, modern companies are now leveraging a wide range of digital tools to boost productivity and streamline operations.
That said, firms need to consider several factors to ensure that technology is a help rather than a hindrance.
Proper IT management, security and compliance practices, for example, are vital – perhaps more so now than ever before. Why? Well, several new digital-centric directives are coming into play as governments seek to protect businesses and individuals alike from the potential issues associated with increasing digitisation.
The EU’s Digital Operational Resilience Act (DORA) stands as a prime example. Having entered into force in January 2023 and set to apply from January 2025, DORA will demand that financial entities and their critical third-party technology service providers establish more comprehensive technical and security standards in their ICT systems.
However, before that, a wider variety of industries and organisations are gearing up to comply with the second landmark Network and Information Security Directive (NIS2), which is set to enter force on 17 October 2024.
What is NIS2?
In simple terms, NIS2 is an update designed to enhance the cybersecurity of critical infrastructure across EU member states by establishing a unified blueprint for secure networks and information systems.
Indeed, it’s a change that is necessary in the modern environment. With the original NIS Directive having been implemented seven years ago, it is now inadequate in addressing the rising frequency of cyberattacks and data breaches – particularly against critical national infrastructure.
Resultantly, NIS2 will introduce several expanded requirements and tightened regulatory standards that aim to address the shortcomings of the previous legislation. Critically, these include, but are not limited to:
- Improved information security policies: Organisations must now assess their risk levels, evaluate the potential impacts of attacks on key assets, and establish robust information security policies. This proactive approach emphasises systematic risk analysis and awareness of network vulnerabilities.
- Incident prevention, detection and response: Organisations must also develop and regularly test incident response plans, ensuring they have procedures in place to prevent attacks and detect potential incidents effectively.
- Business continuity and crisis management: The directive emphasises the need for organisations to have verifiable plans to enable them to maintain operations during a cyberattack and recover swiftly, minimising disruption. This includes a focus on cloud backup solutions.
- Supply chain security: NIS2 further asks organisations to assess the cybersecurity practices of their suppliers and service providers, ensuring they understand the associated risks of their supply chains to enhance overall security.
- Vulnerability disclosure: It also mandates transparent vulnerability management, requiring organisations to develop mechanisms for reporting vulnerabilities and acting upon identified weaknesses in their networks—transparency that will go a long way in backing the fight against cybercrime.
- Incident reporting: Additionally, companies are now required to notify relevant authorities of an incident within strict timeframes: an initial report within 24 hours of significant incidents, a full report within 72 hours, and a final report within one month.
Who does NIS2 apply to, and what are the implications for non-compliance?
With the NIS2 Directive applying to those organisations that are critical players within the supply chains of critical infrastructure, the number of affected sectors has now expanded from seven to 15. Significantly, the updated list now includes industries such as energy, health, transport, digital infrastructure, digital service providers, manufacturing, waste management, and postal services, among others.
Further, the updated directives also introduce significantly stricter enforcement requirements compared to the previous directive. Unlike NIS, NIS2 is no longer voluntary, and the EU is set to impose financial penalties akin to those under GDPR for organisations that do not comply.
Specifically, these penalties can range from mandatory security audits and enforced adherence to specific recommendations, all the way up to fines of up to €10 million or 2% of the organisation’s total worldwide turnover – whichever sum is greater.
In this sense, the EU is demanding that NIS2 receives the same level of attention as GDPR.
How can companies prepare for NIS2?
With NIS2 set to enter force on 17 October 2024, businesses must act now. But where exactly should these efforts be focused?
Personally, I would recommend that a logical step to take would be achieving ISO 27001 certification.
An internationally recognised standard for Information Security Management Systems (ISMS), ISO 27001 provides organisations with a structured framework for protecting their crucial assets. It focuses on risk assessment, risk management, and continuous improvement.
Crucially, certification depends on achieving several key components, including:
- A comprehensive risk assessment process
- An organisational structure that supports security initiatives
- Information classification and management
- Access control mechanisms
- Physical and technical safeguards
- Development of information security policies and procedures
- Monitoring and reporting guidelines
Comparing this with the list of expanded NIS2 requirements, it is clear that many are directly or closely related to those of ISO 27001, from a focus on risk assessment processes and access control mechanisms to information security policies and procedures and monitoring and reporting guidelines.
In this sense, by adhering to the best practices outlined in ISO 27001, organisations will be well placed to meet the demands of NIS2, giving them a significant head start in their compliance journey.
Enjoy the competitive advantages that come with certification
With that said, the merits of ISO 27001 extend far beyond just compliance with NIS2. Indeed, certification also offers several substantial competitive advantages.
In the business world, trust is paramount. Therefore, you can strengthen that trust by demonstrating that an accredited certification body has independently audited your Information Security Management Systems (ISMS).
Customers will quickly recognise that your enterprise security measures are grounded in best practices, providing them with the peace of mind that you are an enterprise that will take the protection of their data and assets seriously.
Indeed, the merits are multi-faceted. However, that is not to say that the ISO 27001 certification journey may not seem equally as daunting as the road to NIS2 compliance.
Fortunately, support is readily available. With the proper guidance, what initially seems challenging can transform into a manageable and streamlined aspect of your business operations. By adopting the right approach and utilising available resources, organisations can seamlessly integrate best practices into their internal processes and effectively promote them externally.
With NIS2 on the horizon, now is not the time to delay. Acting today is vital to ensuring proactive compliance and avoiding the repercussions of non-compliance.
About the Author
Luke Dash is CEO at ISMS.online. ISMS.online helps hundreds of companies around the world with their information security, data privacy and other compliance needs. The powerful ISMS.online platform simplifies the process of getting compliant with a range of standards and regulations including ISO 27001, GDPR, ISO 27701 and many more. With ISMS.online you can make up to 81% progress from the moment you log in. Our Assured Results Method is there to guide you every step of the way and if you need any guidance then the Virtual Coach or our team of compliance experts are available to help you succeed.
Featured image: Adobe