NIS2 leads to better basic hygiene

A couple of measures can really make a difference

NIS2 is a hot topic. Companies are preparing for the new European directive, but in some countries there is still uncertainty about how the government will translate it into national legislation. Either way, change will come over the next 12 months, and with it the necessary improvements in security. To help organizations on their way, we are paying extra attention to the subject here at Techzine.

We do this through some stories that we put together with expert input. To this end, we organized a roundtable that highlights several aspects. Seated at the table were Jan Heijdra (Field CTO Security at Cisco Benelux), Mark Hupkens (Head of Secure Enterprise Management at Orange Cyberdefense), Pieter Molen (Technical Director Benelux at Trend Micro), Willemijn Rodenburg (Government Relations Manager at Fox-IT) and Filip Verloy (Field CTO EMEA & APJ Rx at Rubrik). With our guests, we discuss the implications for a company, what organizations can do to increase security and how the European directive will affect society.

In the first article in our NIS2 series, we discussed the current state of NIS2 within organizations and how to achieve compliance.

Forcing companies to take steps

The roundtable participants were broadly in agreement on the impact of NIS2 on companies. Quite a few companies now have their security up to standard, but in 2024 there is an equally large group of companies that does not have things in order. That is worrying, because awareness of the importance of a good security posture has grown recently. Major attacks that reach the news make companies realize that the frequency and sophistication of attacks are rising. These warning signs should be an incentive to take steps. Unfortunately, organizations that have fallen victim often did not have the most basic things in order.

Rodenburg of Fox-IT sees that being NIS2-compliant will lead to a higher security level. Soon, the government will more or less force companies to take steps. An SMB that has no obligations now and is lax about security will soon have to take action or risk fines and other penalties. Companies must comply with a framework aimed at a strong baseline. “The approach of NIS2 is that you take steps,” Rodenburg said. She does note, however, that if you can show that, as a company, you are taking steps and are willing to improve, mistakes will not immediately be punished with fines. It’s really about wanting to improve the security state.

There was a little more ambiguity at the time of the roundtable than there is now. Since then, a draft Cybersecurity Act (Cbw) has been published. This is not yet a definitive version, as a consultation period and a review by the Council of State still have to follow. The minister has also confirmed that the introduction of NIS2 will take place in the second or third quarter of 2025.

A discussion also emerges at the table about what NIS2 compliance will ultimately mean. As a company, you will probably soon be able to obtain a certificate showing that you comply with the directive and the law. But won’t companies suddenly emerge that can issue such a certificate quickly? Perhaps they will spend an hour running a few pen tests on the systems of a company that wants a NIS2 certificate and then issue it. That is the risk society runs with such guidelines: compliance doesn’t say everything, but either way, steps are taken towards a better foundation.

A few measures make a difference

It remains alarming, however, that getting that foundation in order has to be enforced through a European agreement. After all, the companies the roundtable participants work for regularly publish reports based on threat intel and other telemetry. Those reports show where breaches are coming from. Verloy of Rubrik also sees those lists come up. “Often, the basic things are not properly taken care of. Do you have multi-factor authentication? And do you have access to physical devices within your company?” Verloy says, pointing out what is missing. To a security professional, such steps seem logical, but in practice they are still implemented far too rarely within organizations.

NIS2 may soon force these measures. If your company does not implement improvements in such areas, it may violate its duty of care. After all, that duty prescribes that the protection of systems must be up to standard. Assuming that every company therefore takes five to ten measures, basic hygiene has already been raised to a higher level. Basic measures could include applying encryption to data and having every employee, customer, and partner use multi-factor authentication. Which measures are best to put first will ultimately vary by company. But there is almost always something you can do to improve basic hygiene. Even mature organizations can slip up in this regard.

Know what you have

Molen of Trend Micro agrees, echoing Verloy’s words. According to him, raising the level of security and determining which basic measures to take starts with companies being in control of their IT infrastructure. This includes everything from corporate laptops to SaaS services, and from the company’s own data centre to the cloud. “That’s really where the big step is,” Molen said. “You have to know what is happening within your IT infrastructure and where your risks are. Otherwise, you can forget about everything else.”

This is where NIS2 can be challenging. Companies appear to be affected by the European directive in two ways. Either they already fell under NIS1 (often large organizations) and have measures in place. For them, NIS2 means they don’t have to make too many changes – usually, it’s a matter of implementing a few details. With these large organizations, however, it is often the case that they have grown tremendously in capacity and IT resources since the introduction of NIS1 years ago. As a result, visibility into all IT assets may have been lost. That creates obstacles if you want to improve the security state.

On the other hand, there are companies with no NIS history at all. These are often SMEs. Do they know what they have? If that still needs to be mapped now, which is plausible, being ready in time for NIS2 could be a challenge. This type of company does not have a comfortable starting point on the road to compliance and thus to getting basic hygiene in order.

Europe more resilient as a whole

What Molen is outlining here is how, as an individual company, you can take your cybersecurity strategy to a higher level. That is a win we can put to good use because, as outlined earlier, things still go wrong too often. According to Heijdra, however, we should also look at the need for NIS2 more broadly. It’s not just raising the security state of a single company that is central. “I think the approach is also to get Europe-wide cybersecurity to a higher level. So that doesn’t necessarily mean that individual parties are better secured, but we’ve gotten cybersecurity to a higher level across that entire supply chain. That’s all going to help those parties,” Heijdra said.

He raises a new point that sparks discussion among the roundtable participants. Examples include the Log4Shell open-source vulnerability and the Intel vulnerability Spectre. Those problems had a huge impact Europe-wide. Companies were haunted for months by the vulnerabilities in their IT systems. Some companies were not affected by the vulnerabilities themselves but were hit through a supply chain partner, for example. This is where the eventual legislation resulting from NIS2 can change things. Across the board, business can become more secure as a very large group of companies raises its security. The chance of an attack via such indirect routes decreases because Europe as a whole has become more resilient.

Mandatory information sharing

Hupkens of Orange Cyberdefense concurs with Heijdra that, thanks to NIS2, we are becoming more secure as Europe. “The EU is now going to unify it to a large extent. In fact, that was a mistake they had made with NIS1. You were allowed to fill it in at will as a country. NIS2 says, ‘dear member state, you will do all this this way and this way.’ It is really directive,” said Hupkens. EU member states still have to transpose the NIS2 directive into national legislation, but there is much more unity on the cyber front than before.

Moreover, a reporting requirement that raises the level is attached to this Europe-wide path to cyber resilience. It will require companies to report any cyber incident they encounter. “The mandatory sharing of that information is where the profit of NIS2 is. And with that also comes the fact that the government will help make information available,” Hupkens explained. That provides additional information to help with the next vulnerability with Log4Shell-like impact. And that information will be available, Hupkens argues, because the reporting requirement is tied to the personal liability of management. “If the finance director can go to jail for not having things in order, then you can’t afford not to make certain reports. If it does come out and makes it to the press once, or is noticed in the supply chain, then the organisational and personal consequences are huge. Based on the draft Cyber Security Act, we now know this is somewhat more nuanced. Nevertheless, for an essential entity, the license to operate can be revoked. In the case of important entities, it is primarily about financial consequences, but at both the managerial and personal level. So there is work to be done, it seems to me.”

All told, everything the upcoming NIS2 directive does contributes in some way to raising the security state of companies and of Europe as a whole. That often starts with getting basic hygiene in order. How you do that as an organization will depend on your situation. However, every step an organization takes helps both its own business and society.