The European Union’s NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555), which member states must transpose into national law by 17 October 2024, represents an evolution in cybersecurity requirements for organizations across member states.
As an update to the original NIS Directive, NIS2 expands the scope of industries and strengthens the baseline security standards for critical infrastructure, technology providers, and essential service operators.
In the simplest of terms: “NIS2 is about stricter cyber requirements and incident reporting”. For organizations, this brings both challenges and opportunities—enhancing cybersecurity frameworks, ensuring compliance and mitigating risk.
One aspect that is becoming increasingly clear is the shift of responsibility. Traditionally, cybersecurity has been viewed as an IT issue. With NIS2, it is clear that cybersecurity is as much a governance and leadership issue as it is a technical one. The ultimate accountability for cybersecurity moves from IT departments to company executives and boards: management bodies must approve the organization’s cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements, and they are required to undergo cybersecurity training themselves. This puts increased emphasis on educating management so they understand their role. At the same time, CISOs need to communicate cyber risks clearly, in business terms, and address that communication to the business rather than only to IT.
While the NIS2 Directive is still being interpreted and transposed into national law by each EU member state, companies are already starting to prepare to align with the forthcoming regulation and ensure compliance when the deadline arrives.
In our experience from engaging with clients, current NIS2 compliance efforts are not focused on groundbreaking technical enhancements, architectural changes or large investments. Rather, organizations are reviewing and aligning their existing policies and processes with the new requirements, integrating them into the broader cybersecurity management system, and thereby laying the foundation for a risk-based, continuous-improvement approach.
With the NIS2 Directive there is a clear emphasis on resilience: the ability to withstand and recover from disruptions. This is closely tied to the requirement for swift reporting of significant incidents to the authorities, with an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
While many organizations already have processes in place for incident response, recovery, business continuity planning and crisis communication, our experience is that these are not always aligned. Plans and processes are often scattered across the organization, described at varying levels of detail, and rest on untested dependencies between departments. To build resilience, organizations can unify these elements under one cohesive business continuity framework.
A business continuity framework provides a structured approach to managing and coordinating all activities related to maintaining business operations during and after a disruption. By formalizing the processes, roles and responsibilities related to resilience, organizations can increase their resilience and deliver real business value while meeting NIS2’s requirements. One key advantage of this approach is that the framework can be tested as a whole, so that its effectiveness can be verified and continuously improved. We propose the following key components for building an effective business continuity framework:
The sooner an organization starts to prepare for NIS2, the better. We are in contact with many organizations where preparations are already in full swing. If you wish to learn more about this, please don’t hesitate to contact us!