2 min reading Mon Jun 06 2022
EU’s NIS 2 Directive to improve cybersecurity across European businesses
The year 2020 brought a wave of increased remote connectivity as businesses world wide compete to become more digital, they also increase their exposure on the Internet.
Digital transformation is encouraged, embraced, and rushed. Businesses need to securely let go of IT debt and old technology as they embrace new technologies.
All of this to say that the wave of remote connectivity and digital transformation can get business stuck between a rock and a hard place.
From a cybersecurity viewpoint connecting remotely and introducing new technology translates into an increased threat surface that malicious hackers can exploit. A common response from business is to increase cybersecurity spending without a strategy. They rush to figure out ways to 'fix the issue'. However, the digital footprint resulting from increased connectivity and digital transformation is not a problem to be fixed but a process to be managed.
At European level the NIS 2 Directive aims to improve cybersecurity processes across European businesses.
The guidance from the Directive on security of network and information systems (the NIS Directive) describes legal measures which support cybersecurity by design. At a high-level some areas covered are
- At national level EU countries will need to demonstrate cybersecurity preparedness.
- Collaboration between all the EU Member States to exchange knowledge
- Foster a culture of security across sectors that are vital for the European economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
A pragmatic approach with the 'NIS Toolkit'
As the cybersecurity threat landscape moves fast, the NIS Directive attempts to keep up. The European Commission adopted a Communication to support Member States in their efforts to implement the Directive.
The idea is to provide practical information such as best practices on implementing the Directive from other Member States.
Last but not least important, the focus is on operators of essential services. They are now responsible for notifying national authorities of serious cyber incidents.
In conclusion, the NIS directive can be seen as a compliance requirement as well as an opportunity to improve security by taking guidance from regulators and exchange best-practices with industry peers.