NIS 2: How it May Affect Your Business and How to Prepare
The EU's NIS 2 Directive on cybersecurity will take effect across the 27 member states on October 18, 2024. (Credit: iStock)

The EU’s NIS 2 (Network and Information Security) Directive on cybersecurity will take effect across the 27 member states on October 18, 2024. It introduces stricter risk management and incident reporting obligations for a broader range of industries, and it aims to establish a high common level of cybersecurity and resilience throughout the Union. Andrius Buinovskis, head of product at NordLayer, gave his insights on how NIS 2 will change businesses’ approach to their cybersecurity budgets and advised on how they should prepare for NIS 2 compliance.

The directive’s introduction might change how businesses approach and allocate their cybersecurity budgets. Under this regulation, companies are mandated to implement additional measures across their operations that could impact their financial planning for IT and cybersecurity initiatives.

Companies will have to strengthen their cybersecurity investments. However, large companies that have already implemented cybersecurity measures may only need to increase their budgets slightly. In contrast, medium-sized companies that have not yet implemented any cybersecurity measures will in some cases have to reckon with significantly larger budgets.

NIS & NIS2: What’s the Difference?

While NIS 2 retains the core principles of the original NIS, it introduces a series of significant enhancements designed to address emerging threats and challenges. These modifications aren’t mere extensions of the original directive. They represent shifts intended to encompass a broader range of entities and promote a more holistic approach to cybersecurity.

One of the most notable changes in NIS 2 is its broader scope. The new directive casts a wider net, bringing a broader spectrum of enterprises, governmental bodies, and organizations under its purview. Alongside this, NIS 2 emphasizes supply chain security, ensuring that partners and suppliers adhere to cybersecurity protocols.

NIS 2 has also significantly strengthened its enforcement mechanism. Taking a page from GDPR’s playbook, NIS 2 implements a stricter sanctions regime.

NIS 2 also recognizes the crucial role of leadership in cybersecurity. It mandates cybersecurity training for management teams, ensuring cybersecurity becomes a boardroom issue rather than just an IT department concern. Transparency and shared learning are other key aspects emphasized in NIS 2: under the new directive, the reporting of cybersecurity incidents becomes obligatory.

Finally, NIS 2 places stronger emphasis on encryption practices. This reflects the growing recognition of encryption as a fundamental tool for protecting sensitive data in an increasingly digital world.

How NIS 2 Might Affect Investments

Previously, according to NordLayer’s 2023 research, businesses primarily focused their IT and cybersecurity budgets on acquiring cybersecurity solutions, services and apps (61%), and on employee training (56%). Around a third of companies (35%) allocated up to a quarter of their organizational budget to IT needs, and 32% of businesses allocated up to half.

However, the new directive emphasizes implementing cybersecurity as a process. Individual security tools will still be used, but primarily in support of developing cybersecurity management. Such solutions include secure backup options and cryptographic concepts and procedures.

The most critical initial investment may not be technological at all: the most important early cybersecurity measure is not a tool. Investing in training programs to educate staff on best practices, data protection, and threat recognition will be essential. Building a strong security culture within the organization will strengthen the company’s security.

Beyond that, businesses will also need to assess their existing security strategy. Many newly affected companies do not yet have one and will only develop a plan in the course of implementation over the next few years. Companies must now understand that cybersecurity cannot be achieved with a single product; it requires an orderly management system that combines suitable products with the organizational measures governing how they are used.

Prepare Your Business for NIS 2 Compliance

At the foundation of your NIS 2 preparation should be a risk assessment. Perform a thorough analysis to identify potential vulnerabilities and threats within your network and information systems. This isn’t a one-time task – you should regularly update this assessment to reflect new risks and changes in the threat landscape.

Once you have a clear understanding of your risk landscape, focus on implementing security measures that align with NIS 2 requirements. I recommend implementing Multi-Factor Authentication (MFA) for secure access. Additionally, deploy dynamic firewalls and network segmentation to isolate environments and enforce least-privilege access. These measures form a strong foundation for your cybersecurity infrastructure.
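Segmentation only enforces least privilege if the rule base actually matches the intended design, so a useful preparation step is to audit the rules against an explicit access matrix. The following Python script is an added example written for this article, not code from NordLayer or from the directive; the segment addressing, the intended-access matrix and the rule set are all constructed for illustration. It names the segment each rule's source and destination fall into, then reports every rule that opens a path the design does not list, opens all ports where only specific ones are intended, or straddles segment boundaries so that its effect cannot be reasoned about.

```python
"""Audit a simplified segmentation policy for least-privilege gaps.

Added illustration: the segments, intended-access matrix and rules below are
constructed (hypothetical addressing) and are not from NIS 2 or the article.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed internal segments (hypothetical addressing).
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "ot":      ipaddress.ip_network("10.30.0.0/16"),
    "mgmt":    ipaddress.ip_network("10.99.0.0/24"),
}

# Intended access matrix: (src, dst) -> ports the design allows.
# "any" as a source stands for the Internet-facing side (0.0.0.0/0).
INTENDED = {
    ("any", "servers"):   {443},
    ("users", "servers"): {443},
    ("mgmt", "servers"):  {22, 443},
    ("mgmt", "ot"):       {22},
    ("mgmt", "users"):    {3389},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR
    dst: str               # CIDR
    ports: frozenset       # TCP ports, or frozenset({"any"}) for all ports


def classify(cidr: str) -> str | None:
    """Name the segment a CIDR belongs to: "any" for 0.0.0.0/0, otherwise the
    most specific internal segment that fully contains it, or None when the
    CIDR straddles segment boundaries."""
    net = ipaddress.ip_network(cidr)
    if net == ANY:
        return "any"
    inside = [n for n, s in SEGMENTS.items() if net.subnet_of(s)]
    if inside:
        return max(inside, key=lambda n: SEGMENTS[n].prefixlen)
    return None


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per rule that grants more than the design intends."""
    findings = []
    for r in rules:
        src, dst = classify(r.src), classify(r.dst)
        if src is None or dst is None:
            findings.append(f"{r.name}: CIDR straddles segment boundaries "
                            f"({r.src} -> {r.dst}); split it per segment")
            continue
        allowed = INTENDED.get((src, dst))
        if allowed is None:
            findings.append(f"{r.name}: no intended path {src} -> {dst}")
        elif "any" in r.ports:
            findings.append(f"{r.name}: all ports open {src} -> {dst}; "
                            f"design allows only {sorted(allowed)}")
        else:
            extra = set(r.ports) - allowed
            if extra:
                findings.append(f"{r.name}: ports {sorted(extra)} exceed "
                                f"design for {src} -> {dst}")
    return findings


# Constructed rule base with deliberate gaps so the audit has something to find.
RULES = [
    Rule("web-in",    "0.0.0.0/0",    "10.20.1.0/24", frozenset({443})),
    Rule("users-web", "10.10.0.0/16", "10.20.0.0/16", frozenset({443})),
    Rule("users-db",  "10.10.0.0/16", "10.20.5.0/24", frozenset({5432})),   # extra port
    Rule("admin-all", "10.99.0.0/24", "10.20.0.0/16", frozenset({"any"})),  # all ports
    Rule("users-ot",  "10.10.0.0/16", "10.30.0.0/16", frozenset({502})),    # unintended path
    Rule("flat",      "10.0.0.0/8",   "10.99.0.0/24", frozenset({22})),     # straddles segments
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Run against the constructed rule base, the audit accepts the two rules that match the matrix and reports the other four. In practice the intended-access matrix is the artifact that should come out of the risk assessment; the rule export from the firewall is then checked against it on every change, and the resulting findings are the evidence that least privilege is actually enforced.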

However, we must acknowledge that even the best preventive measures can’t guarantee complete protection. That’s why it’s essential to establish solid incident response procedures. Develop and implement an incident response plan that includes procedures for detecting and responding to security incidents, as well as clear communication protocols for notifying authorities and affected parties when necessary.

To complement these reactive measures, invest in continuous monitoring. Utilize advanced tools such as cloud-delivered Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAF). These enable continuous surveillance and protection against evolving cyber threats.
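Whatever product delivers the monitoring, what it evaluates underneath is rules of the kind shown below: a condition over a stream of events that fires an alert when a threshold is crossed. This Python script is an added example written for this article, not code from any IDS product, NordLayer or the directive; the log format and the sample lines are constructed. It keeps a sliding one-minute window of failed logins per source address and raises an alert once five failures from the same source land inside that window, which is the pattern a password-guessing attempt leaves in authentication logs.

```python
"""Sliding-window detection of repeated failed logins.

Added illustration of the kind of rule a log monitor or IDS evaluates; the
log format and sample lines are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, result, user, source address.
SAMPLE_LOG = """\
2024-10-18T09:00:01 FAIL user=alice src=198.51.100.7
2024-10-18T09:00:03 FAIL user=alice src=198.51.100.7
2024-10-18T09:00:05 FAIL user=bob src=198.51.100.7
2024-10-18T09:00:09 FAIL user=carol src=198.51.100.7
2024-10-18T09:00:12 FAIL user=dave src=198.51.100.7
2024-10-18T09:00:20 OK user=erin src=203.0.113.5
2024-10-18T09:30:00 FAIL user=frank src=203.0.113.9
2024-10-18T09:45:00 FAIL user=frank src=203.0.113.9
2024-10-18T10:00:00 FAIL user=frank src=203.0.113.9
"""

THRESHOLD = 5                  # failures from one source ...
WINDOW = timedelta(minutes=1)  # ... within this window trigger an alert


def parse(line: str):
    """Split one constructed log line into (timestamp, result, user, src)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW):
    """Return one alert per burst of `threshold` failures from a single source
    inside `window`; successes are ignored and old failures age out."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user)
    alerts = []
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop failures that fell out of the window relative to this event.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": src,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "last_seen": ts.isoformat(),
            })
            q.clear()   # start a fresh window so one burst alerts once
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log, the first source produces five failures against four different accounts within eleven seconds and is reported; the second source fails three times spread over half an hour, never holds five failures in one window, and is not. The threshold and window are the tuning knobs: too low and routine mistyped passwords page the on-call engineer, too high and a slow guessing campaign stays below the line, which is why the rule is a starting point to be reviewed against your own baseline rather than a fixed setting.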

For businesses handling sensitive data, pay close attention to data sovereignty and localization requirements. You can address this by using dedicated servers with fixed IP addresses to ensure data remains within the specified jurisdiction. This is a critical aspect of NIS 2 compliance for many organizations.

Given the complexity of NIS 2, you might want to consider partnering with expert compliance consultants. These specialists can help strategize and validate your NIS 2 preparedness, ensuring thorough attention to all aspects of the directive.
