NIS2 compliance is the beginning, better security the goal

Insight: NIS2

NIS2 compliance is the beginning, better security the goal

NIS2 is a hot topic. Companies are preparing for the new European directive, but some countries still have uncertainty about how the government is translating it into legislation. Either way, change will occur over the next 12 months, resulting in the necessary improvements in security. To help organizations on their way, we pay extra attention to the subject here at Techzine.

We do this through some stories that we put together with expert input. To this end, we organized a roundtable that highlights several aspects. Seated at the table were Jan Heijdra (Field CTO Security at Cisco Benelux), Mark Hupkens (Head of Secure Enterprise Management/Lead Consulting & Advisory at Orange Cyberdefense), Pieter Molen (Technical Director Benelux at Trend Micro), Willemijn Rodenburg (Government Relations Manager at Fox-IT) and Filip Verloy (Field CTO EMEA & APJ Rx at Rubrik). With our guests, we discussed the state of NIS2, how far companies and society are from each other, and the consequences.

Lack of clarity at companies

Willemijn Rodenburg

We start the discussion with a topic that cannot really be ignored. The European Union stipulates that member states must transpose NIS2 into legislation by October 17 at the latest. The Netherlands, where we organised the roundtable, is not going to meet that deadline. This means that companies do have the NIS2 itself as a directive text to consult, but the exact details for the Netherlands are missing. The government is expected to complete the law after additional steps in the first period of 2025, although the fall of 2025 also remains an option. It is argued that extra time is needed to draft and implement the law carefully.

Still, exceeding the deadline does not fall entirely well in the market. Rodenburg of Fox-IT also notices the consequences of the postponement. “Not meeting the deadline certainly matters when it comes to timing. When it comes to organizations that have to comply with certain laws and regulations, the momentum did drop. And with it, the willingness of organizations. NIS2 is less in the crosshairs.”

There was a little more ambiguity during the roundtable than there is now. Meanwhile, in fact, there is a draft Cybersecurity Act (Cbw). This is not yet a definitive version, as there is still a consultation period and review by the Council of State. The minister also confirmed that the introduction of NIS2 will take place in the second or third quarter of 2025.

Trend Micro’s Molen concurs with those words, noting that the delay makes it feel like NIS2 is less important. “If the Dutch government delays the legislation, organizations think it wouldn’t be as important,” Molen said. Thus, the momentum is gone, and that jeopardizes the willingness to take steps. While NIS2 was written precisely to improve the level of security, it can hardly wait, given the cyber threats.

The directive’s falling off the radar is only an initial side effect. The delay is also causing more ambiguity in the marketplace. Many companies don’t know where to start or what to do, despite the EU’s NIS2 text already being there. Verloy of Rubrik sees clear differences between European companies in this regard. In Belgium, the legal text is now in place, allowing Verloy to compare with organizations from other countries. When talking to Dutch companies, he sees that they do not know what the NIS2 will entail. “They do comply with the general rules of the duty of care. But when you ask how they fill it in precisely and securely, you feel them shuffling in the chair. They’re not sure.”

Filip Verloy

This lack of clarity is extra annoying regarding the prescribed duties within the NIS2. It creates little clarity about the duty of care and duty of notification. The former is designed to get organizations to take steps around protecting systems, while the latter is about reporting incidents to regulators. It could just be that the duty of care must be met on Oct. 17, while the obligation to report could take effect later. And what exactly does the duty to report look like? Now, a report must be made to the appropriate authorities within 24 hours of discovering an incident. This could be several authorities because, at the sectoral level, several supervisors are active. Moreover, a report on the incident within 72 hours also seems necessary. More clarity is needed on such components.

Taking measures

If you want to be able to fulfil the duty of care and duty to report properly in the future, you should take steps now. Otherwise, your company risks not complying with the upcoming regulations. Achieving compliance status may take too long after a NIS2 assessment. Moreover, the situation threatens to arise that security experts who can help upgrade security will soon run out of time because of high demand by parties who want to become last-minute compliant.

Jan Heijdra

Acting now can thus prevent future misery, although Cisco’s Heijdra points mainly to the purpose of the NIS2, which should be intrinsic motivation. “The directive is here because of the threat of cyber attacks. The threat is there now, that threat is there on Oct. 17, and that threat is there on the new date. So, really, the shift shouldn’t matter in doing a risk assessment. And what do those organizations all have to do to be able to defend against what’s going on in the world today?”

So, the logical incentive of investing in cybersecurity and thereby improving security levels can help achieve NIS2 compliance. However, Hupkens of Orange Cyberdefense does understand the wait-and-see attitude of some companies. Of course, it is important to have the goal in mind, but that is where the details come into play. “For example, a manager must be trained for NIS2. What exactly does such training entail? When are you sufficiently informed as a manager? I don’t see much about that in the NIS2 yet. Hopefully, that will be more visible in the upcoming bill (now known as the Cybersecurity Act, ed.). Only then will it become clear where the emphasis will be placed. In that sense, I understand the companies because you don’t know what to invest in. Especially when, as an SME+, you don’t have an infinite budget and therefore have to do it right the first time.”

Every type of company will end up looking at those details differently. You can distinguish between large organizations and SMEs alone and between sectors, for example. Large companies typically have already taken many measures around cybersecurity and have come a long way. This is due, for example, to the earlier embrace of NIS1. SMEs often only have to comply with the new directive soon because the NIS1 did not apply before. Smaller companies suddenly have to invest fully now but may not have the necessary resources. They can only invest once and, therefore, wait until the legislation is final to invest and make policy.

Speaking the language

According to several roundtable participants, it starts primarily with the will to take steps. And that will is there, both among large organizations and smaller companies. Molen indicates that awareness is in play among companies and that they think cybersecurity is important. “Only what it means and what they should do, they don’t know. A recent survey showed that 9 out of 10 security professionals regularly experience that the risks they present to the C-level (management, ed.) are downgraded. C-level thinks it’s not too bad and not an issue with them.” Executives now know from the much attention to data breaches in the news that cybersecurity is important, which leads to this awareness. But at the same time, it conflicts with underestimating the risk to one’s own company.

This is exactly where Verloy also sees different perceptions. “Ask a CEO how secure the company is, they rate the security level with a nine. But the further you look to the tech people, the more pessimistic they are.”

Mark Hupkens

According to Hupkens, there is a clear cause for this. He sees a problem in the translation of security professionals toward general management. Communicating what the concrete risks and impact are remains a challenge. “A financial director speaks and thinks about business risks and not security risks. If you put a security professional directly opposite a CFO, it’s almost water and fire. They don’t speak each other’s language.”

Rodenburg notes differences in this discussion between security experts and management based on company size. An extensive C-level board only sits at that large company. At SMEs, you have a director, where things are arranged quite differently. “At SMEs, quite a lot is outsourced at all. In terms of knowledge, they don’t have much in-house. There they run into other obstacles.” For example, SMEs often do not know what questions to ask and what requirements they can make of parties to whom they outsource business. Moreover, outsourcing can lead to using multiple outsourcing parties that don’t know about each other. That, in turn, can lead to overlap and miscommunication.

Almost no one escapes NIS2

Therefore, the path to NIS2 compliance and achieving the right level of security will vary from organization to organization. There is a big difference between being covered by NIS1 and being completely new to the matter because NIS2 also applies to your organization. Heijdra calls the transition of NIS1-compliant companies a natural step to NIS2. “They are already fully engaged in those processes. I think the shoe is particularly wringing for the parties that will now be newly covered. Those are often the smaller, less mature organizations regarding security.”

Hupkens sees the question regarding which parties will fall under NIS2. “In the categorization, there are still very strange and unclear constructions. If you are involved in food, then you fall under it. But if you are engaged in feed, you don’t fall under NIS2. Strangely, these feed companies have to follow the NIS2 from a supply chain perspective. You get a very strange field of tension. You know you’re going to be affected by it, but you don’t officially have to comply with it.”

Pieter Molen

This whole supply chain issue ensures that the legislation will soon be crucial for many companies. Soon, many organisations will be directly or indirectly covered by NIS2, Molen observes. “Because they are suppliers to a company covered by it, for example. And that causes a great impact. It affects their operations because certain organizations no longer want to enter into contracts with them. It’s then a requirement within the contracts. And then suddenly a nasty situation arises for those smaller organizations.”

From compliance to better security

In that respect, with the NIS2, reality seems to be about to change. Companies will soon have almost no choice but to take the right security measures to demonstrate compliance with the standards. As far as Rodenburg and Verloy are concerned, these developments are good profits that we can all benefit from. Rodenburg: “Here we say security beats compliance, but start with compliance first. Then, we are a long way down the road. Then we start optimizing with security.” Verloy agrees, adding, “From the compliance angle, basic things that take security to a higher level are imposed. If that basis is forced by regulations, we are already taking steps.”

Being compliant means that you have laid a good foundation for your company. Therefore, a company that has taken no to a few security steps will become more secure because of NIS2. So, with the NIS2 framework, organizations are taking quite a few steps. This has advantages for a company, but certainly also for a country and continent as a whole. NIS2 will thus not only make companies more secure but also strengthen the entire supply chain. That should help everyone, from citizens to companies to the government. That way, society will be more resilient against cyber attacks.

This was the first story on our NIS2 diptych. In a subsequent article, we will discuss where you start as a company and what you can do to increase your level of security.