5 Reasons Why NIS2 Directive Preparation Should Start Now, Part Two: Implementation Takes Time
In a previous blog post, I discussed the two main areas to audit before the European Union’s updated Network and Information Security Directive (NIS2) becomes ratified law in October 2024. Specifically, these audits would:
- Identify your gaps with the NIS2 directive’s requirements now.
- Review your current supply chain security flaws.
Now that we’ve discovered these security flaws, we must fix them — before time runs out in October 2024.
So, in this post, I’ll walk you through how to resolve your weakest security issues before the NIS2 Directive deadline hits by addressing these three key areas:
- Inform management about your cybersecurity gaps
- Correctly implement new organisational and technical security measures
- Find time to train all of your employees
1. Inform management about your gaps – and get budget to remediate them
The NIS2 Directive imposes significant obligations on organisations that fall under its scope, which may entail substantial costs and resources. The Directive also introduces hefty fines and sanctions for non-compliance, up to a maximum of €10 million or 2% of an organisation's global annual revenue (Article 34).
On top of this, the new directive can extend liability from entities to their individual representatives in certain situations. Moreover, when certain conditions are met, persons in management positions could be temporarily suspended (Article 32-5b).
Therefore, following the NIS2 Directive is a legal necessity and a strategic priority.
To be in compliance, you must:
- Inform your management about its implications and benefits and convince them to allocate sufficient budget and resources for implementing compliance.
- Present a clear business case that outlines the risks of non-compliance, the opportunities of compliance and the return on investment.
- Demonstrate how compliance will enhance your organisation's reputation, trustworthiness, competitiveness and resilience.
Informing management and getting a budget is a challenging task, requiring a persuasive and evidence-based argument that showcases the value of cybersecurity for your organisation.
The sooner you start this process, the more time you’ll have to secure buy-in and support from management.
Possible business case benefits for NIS2 compliance
Some possible benefits that you can highlight in your business case are:
- Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits and so on.
- Increasing revenue by attracting or retaining customers who value security, privacy, quality, et cetera.
- Improving efficiency by streamlining processes, enhancing performance, reducing errors, etc.
- Innovating by adopting new technologies, developing new products or services, creating new markets and more.
- Following other cybersecurity regulations or standards beyond NIS2 – such as GDPR, ISO 27001, PCI DSS and others – since global frameworks often have a high overlap with the compliance requirements of NIS2.
Potential information sources for justifying your NIS2 compliance business case
Some sources you can use to support your business case are:
- Statistics or facts showing the prevalence, impact or cost of cyberattacks in your sector or region.
- Case studies or examples illustrating how other organisations have benefited from complying with the NIS2 Directive or similar regulations. For example, the Enisa NIS Investments 2022 report shows that for 62% of the organisations implementing the older NIS directive, such implementations helped them detect security incidents; for 21%, implementations helped during security incident recovery.
- Testimonials or feedback from customers, partners, regulators or experts who endorse or recommend complying with the NIS2 Directive or similar regulations.
- Benchmarks or indicators revealing your current or projected cybersecurity performance or progress in relation to the NIS2 Directive or your competitors.
- Ivanti’s 2023 Cyberstrategy Tool Kit for Internal Buy-In is also a great resource that explains time-to-functionality and cost, how a solution helps defend against certain types of cyberattacks, and how to react to and overcome common objections.
General business benefits of NIS2 Directive compliance
Some of the benefits of complying with the NIS2 Directive include:
- Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits, et cetera. According to a report by IBM, the average cost of a data breach in 2022 was US$4.82 million for critical infrastructure organisations and the average time to identify and contain a breach was 277 days. If you are taking measures to comply with the NIS2 Directive, the average time spent identifying and containing a breach will be much shorter, and costs of the attack will be lower.
- Increasing revenue by attracting or retaining customers who value security, privacy, quality and similar factors. According to a survey by PwC, 87% of consumers say they will take their business elsewhere if they don't trust a company's data practices, and 71% of consumers say they would stop using a company's products or services if they found out it was sharing their data without their permission, which could happen with a data leak.
- Improving efficiency by streamlining processes, enhancing performance, reducing errors and so on. Accenture has found that companies that adopt advanced security technologies can reduce the cost of cybercrime by up to 48%.
- Complying with other regulations or standards that require cybersecurity, such as GDPR, ISO 27001, PCI DSS or others. Cisco points out that 97% of organisations that follow GDPR see benefits such as gaining competitive advantage, achieving operational efficiency and reducing sales delays. Similar results are probably achievable by following NIS2.
When it comes to budgeting, the European Commission’s proposal for the directive (Annex 7 - 1.4.3) estimates that companies falling under the scope of the NIS2 framework would need to increase their current ICT security spending by a maximum of 22% for the first years following the introduction of the NIS2 framework.
However, the proposal also mentions that this average increase of ICT security spending would lead to a proportionate benefit from such investments, notably due to a considerable reduction in cost of cybersecurity incidents.
2. Correctly implement new organisational and technical security measures
After researching the gaps and obtaining a budget, it’s time to close those gaps. The NIS2 Directive requires companies to implement appropriate organisational and technical measures to manage their cybersecurity risks and ensure a high level of security across their networks and information systems.
These measures include:
- Adopting policies and procedures for risk management, incident response, business continuity, data protection, et cetera.
- Establishing roles and responsibilities for cybersecurity governance, oversight, coordination and other areas.
- Providing training and awareness programs for staff, management, customers, etc.
- Implementing basic cyber hygiene such as encryption, authentication (MFA), firewalls, antivirus software, patching, zero trust access and so on.
- Conducting regular testing, monitoring, auditing and other measures.
Implementing those organisational and technical measures isn't a one-off or static task. It requires establishing a continuous and dynamic process that adapts to changing threats, technologies, regulations and business needs.
So, the same advice applies for this process as for the other points we’ve already covered: the sooner you start, the more time you'll have to implement the necessary measures and ensure their effectiveness and efficiency.
I would advise starting implementation at least in January 2024, so you’re ready before the summer holidays.
Next steps for NIS2 Directive implementations
Some possible steps that you can take to implement organisational and technical measures are:
- Developing and implementing a risk-based management process that defines your objectives, scope, roles, responsibilities, resources, timelines and metrics for managing your cybersecurity risks.
- Implementing a security policy that establishes your principles, guidelines, standards and procedures for ensuring the security of your network and information systems.
- Conducting risk assessments to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks; and prioritising your actions based on your risk appetite and tolerance.
- Implementing security controls that protect your network and information systems from unauthorised access, use, disclosure, modification or destruction. These controls can be classified into three categories: preventive (e.g., encryption), detective (e.g., monitoring) and corrective (e.g., backup).
- Implementing an incident response plan that defines your processes, roles, responsibilities, resources, tools and communication channels for responding to cyberincidents effectively and efficiently.
- Implementing a business continuity plan that defines your processes, roles, responsibilities, resources, tools and communication channels for maintaining or restoring your critical business processes during a cyber-related disruption or disaster.
- Implementing a review and improvement plan that defines your processes, roles, responsibilities, resources, tools and communication channels for regularly evaluating, reporting and enhancing your cybersecurity measures.
- Implementing the technical controls for asset management and basic cyber hygiene.
The Directive’s reference to ‘basic cyberhygiene’ is a bit vague in Article 21, so we’ll dive into this in another blog post. For now, think about basic security measures such as:
- MFA.
- Patching your OS and applications as quickly as possible.
- Securing network connections on public networks.
- Encryption of all drives (especially removable ones).
- Privilege management and education of all employees.
- Subscribing to channels that give you information about the latest patches and priorities, like Ivanti’s Patch Tuesday webinars.
3. Fix the weakest link: find time to train every employee
The NIS2 Directive recognises that human factors are crucial for cybersecurity and that employees are often the weakest link – as well as the first line of defence – in preventing or detecting cyberattacks.
The Directive requires organisations to provide adequate training and awareness programs for their employees, users of digital services and other stakeholders on cybersecurity issues.
Training all your employees is not a sporadic or optional task. It requires a regular and comprehensive program that covers topics such as:
- Basic cybersecurity concepts and terminology.
- Common cyberthreats and attack vectors.
- Best practices and tips for cyberhygiene.
- Cybersecurity policies and procedures, made relevant and simplified for end users.
- Every user’s role and responsibilities for organisational cybersecurity.
- How to report and respond to incidents.
It is important to note that this training should be received by everyone within the company, not only by IT employees. Even management should undergo this training.
A survey conducted for Ivanti shows that a lot of employees are not even aware of mandatory cybersecurity training. Just 27% of them feel “very prepared” to recognise and report threats like malware and phishing at work. 6% of them feel “very prepared” to recognise and report threats like malware and phishing at work.
In Enisa’s NIS Investments 2022 report, Enisa mentions that 40% of the surveyed OES (Operators of Essential Services) have no security awareness program for non-IT staff.
It is important to monitor who has not been trained yet and act on it. Training all your employees is not only beneficial for compliance but also for productivity, quality, innovation and customer satisfaction.
The best NIS2 advice we can give
The NIS2 Directive is landmark legislation that aims to enhance the cybersecurity of critical sectors in the EU. It imposes significant obligations on organisations that fall under its scope, along with hefty fines and sanctions for non-compliance.
Following the NIS2 Directive is a complex task. It demands a proactive and comprehensive approach involving multiple steps, stakeholders and resources.
The sooner you start preparing for it, the better prepared you will be when it becomes effective in October 2024.
The best advice we can offer? Do not wait until then: start preparing for the NIS2 Directive now!