NIS2 sets high expectations for protecting companies from cyber attacks. While the law promotes awareness and responsibility within organizations, there are also critical concerns. Several industry experts discuss NIS2’s strengths and potential shortcomings.
The NIS2 directive has been finalized by Europe. Now, it is up to the member states to transform the directive into national legislation. In the near future, European companies will need to adapt to these new regulations governing their digital security practices.
Given that this is a second version of the law, new aspects have been included and certain rules have been adjusted. What do experts think about this, and what could still be improved for a possible third version? Pieter Jansen, SVP of Cyber Innovation at Darktrace; Lieke Hamers, Field CTO at Dell Technologies; Cindy Wubben, CISO Public Segment at Visma; Edwin Weijdema, Field CTO EMEA at Veeam Software; and Rob Vissers, Regional Director Security Sales at Dynatrace, discuss this together.
Brave ambitions
NIS2 or any other security legislation is never a definitive solution against hackers. There’s no such thing as perfect security, so cyberattacks will continue to occur even after implementation. However, according to its creators, NIS2 also addresses post-attack scenarios and aims to reduce risks to business continuity. This is the opinion of Bart Groothuis, member of the European Parliament on behalf of VVD and co-founder of NIS2, discussed in the podcast Baseline NIS2. Vissers does see aspects of the legislation that support this view. “The law contributes to this by creating awareness at multiple levels in an organization.” Hamers, however, raises a point of criticism: “Recovery remains your own responsibility and is not part of NIS2. The law certainly provides organizations with guidance on how to stop an attack, but once you’re hacked, the organization has to figure out the recovery process on its own.”
Vissers raises another point regarding the recovery stage, suggesting that lawmakers missed some opportunities. While he acknowledges that the increased scope for enforcement is not necessarily detrimental, he argues that the legislation could have been more stringent. The notification requirement contributes to enforcement, as does the duty of care, which requires organizations to prove they took all necessary measures to prevent an attack. He does, however, criticize the extended timeframe organizations are given to report. “Lawmakers have taken a conservative approach when it could have just been tougher and sharper. Especially since cybersecurity is evolving rapidly and AI, for example, makes it possible to automate reporting processes.”
The components of the notification requirement
NIS2 requires companies to report significant security incidents: incidents that seriously disrupt operational processes or affect other parties (such as a data breach).
The reporting requirement has three components:
- An early warning is to be made no later than 24 hours after the discovery of the incident. This contains basic information and estimates whether the incident could potentially spread to other sectors or abroad.
- A complete incident report follows within 72 hours of discovery.
- A report based on an investigation of the incident is submitted after one month.
Jansen points out that NIS2 attempts to address issues from previous legislation by intentionally avoiding mentions of specific new technologies like AI. “In the GDPR, the legislator tried to be forward-thinking by requiring companies to have ‘state-of-the-art’ security solutions. However, this left security experts to make their own interpretation of this term, resulting in chaos.” In other words, lawmakers relied on the knowledge at hand when NIS2 was designed. The proposal to amend its predecessor was submitted in December 2020. AI only became available to a wider audience much more recently and, as a result, has only since become so relevant.
Working model in silos under pressure
NIS2 places responsibility for a cybersecurity incident on the board. This raises awareness of the importance of security and makes it a company problem rather than a problem for the IT department alone. Vissers views this situation as both positive and regrettable. He states, “It’s crucial that cybersecurity doesn’t remain solely the concern of the IT department. However, it’s unfortunate that this broader awareness hasn’t stemmed from an intrinsic motivation at the board level.”
The experts think it is a step too far to see the renewed responsibility as a way of enforcing budgets for cybersecurity. By shifting responsibility to the CEO, they see only an organic way of tackling cybersecurity top-down. Weijdema explains, “NIS2 requires working as a team to stay afloat. This while many companies still work in silos, making it easy for everyone to shift the blame away from themselves.”
Jansen broadens the perspective even further, marveling at the wide-ranging impact NIS2 will have. He observes, “Although this is European legislation, I’m already noticing its effects in America. We’ve received inquiries from organizations there about preparation, as they’re clearly getting ready for the requirements that their European partners will impose starting in October.” He adds that the impact won’t be limited to individual organizations, due to the concept of chain responsibility. “At the European level, it’s quite clearly stated that the entire supply chain bears responsibility for data security. Even if a company isn’t directly covered by NIS2, if 20 percent of its customers have to comply with the law, then data privacy will likely become a higher priority for these companies as well.”
Giving organizations the right tools
The intrinsic motivation for getting cybersecurity right is still lacking in a lot of organizations, which is a challenge that security solution providers need to address, according to Wubben. Although her organization, Visma, sees security as an opportunity rather than a cost, she knows that this mindset is not present in all organizations. With several of these vendors at the table, different ideas arise about how to tackle this. “In the public sector, such as education, there is less focus on security. Often they lack the knowledge to know which questions they need to ask, and we are trying to address that within Visma.”
Vissers points out that managing customer expectations for a standard NIS2 solution in the market will remain a challenge. He explains, “That’s why we conduct consultations with affected customers. We admit there’s definitely room for improvement in this area, particularly in terms of resources needed to effectively coordinate these consultations and communications.” He emphasizes the value of collaborations, such as the discussion taking place, in achieving optimal outcomes for customers. Vissers adds, “Often, consultations are conducted in isolation, but we make more progress when we work together.”
Conclusion
NIS2 is a step toward improving cybersecurity in Europe, but it is not a comprehensive solution. It promotes awareness and responsibility within companies but leaves them to fend for themselves when it comes to recovery. Reporting requirements are stringent, but there is room for improvement in the speed and efficiency of reporting.
The industry is mostly looking forward to the renewed priority that security within companies can be given by holding executives accountable. At the same time, it remains level-headed and recognizes that security in many companies is still so far behind that it cannot be rectified in a short period of time.