NIS2 hasn’t been transposed into national law in every EU country, despite the deadline set for October 2024. In some cases, however, legislation has since caught up. What do organizations need to take into account? We put that question to an extensive roundtable of experts from Conscia, Dell, HPE, KPN, ManageEngine, Thales, TSTC and Veeam.
Joining us are Maarten Werff, Security Consultant at Conscia, Dick Vonk, Account Manager Government Cyber Recovery & Data Protection Solutions at Dell Technologies, Emmon Lang’at, Principal Cyber Security Solution Architect – North & West Europe at HPE, Nadeem de Vree, Vice President Networking & Security at KPN, Sabarishwaran Jay, Country Director Benelux at ManageEngine, Steven Maas, Sales Director Data & Application Security BeNeLux at Thales, Michiel Benda on behalf of TSTC, and Sander Schreven, Presales Director Benelux & Nordics at Veeam.
The NIS2 Directive is designed to make organizations within Europe more cyber resilient. Each member state must transpose the directive into national law, and most have not yet succeeded in doing so. The Netherlands, to take one example, does not inspire much hope: it “aims to have the Cyber Security Act and the Critical Entities Resilience Act enter into force in the second quarter of 2026.”
In any case, many countries are behind the official timeline. Dick Vonk of Dell knows why some countries have made the deadline and others have not. In the Netherlands, for example, several ministries are involved in drafting the bill. As a result, many organizations continue to hide behind the lack of legislation and do not yet see the need to take proactive measures to withstand a cyberattack, other than the familiar (technical) preventive measures. New laws are therefore a much-needed big stick.
NIS2 is (not yet) in place
Sander Schreven of Veeam indicates that the majority of EU member states have failed to meet the NIS2 deadline (October 17, 2024). Only six countries already have national legislation that transposes the NIS2 directive. To illustrate the state of affairs, Steven Maas of Thales points to the Belgian implementation, which he considers anything but rigorous. “The law is a guideline for improving your cyber security posture. This law must be translated into concrete measures, but today we see in practice that many organizations only have a plan. These plans must be sufficiently substantiated. In principle, they should lead to the introduction of processes and the implementation of technical solutions to take your security to a higher level.”
In short, organizations that fall under the NIS2 directive sometimes need a push in the right direction. Exactly where that push should go remains to be seen. For vendors, European legislation has always been a puzzle, says Sabarishwaran Jay of ManageEngine. He explains that the DACH region is very important to the company, but that stricter privacy laws apply there compared to elsewhere in Europe. These must therefore also be complied with, even though ManageEngine complies with the specific Dutch implementation elsewhere in the EU.
Nadeem de Vree of KPN highlights a case study in the form of Microsoft, which opts for the strictest version of every European law and complies with that. This avoids fines and micromanagement, as it is more efficient to make the software EU-compliant once versus 27 times. The question is how workable a strategy like this is if your organization is considerably smaller than Microsoft. That’s the case for the overwhelming majority of businesses.
Michiel Benda, representing the TSTC training center, points out that the existing ISO 27001 standard is broadly sufficient to avoid having to worry about NIS2 fines in the Belgian case mentioned above. Although he believes that Belgium may be missing some elements in the final legislation (such as the social impact of a cyberattack per organization), Benda argues that the country opted for a “good and feasible” implementation. Hungary, meanwhile, had to go back to the drawing board after a veto from the European Commission due to a lack of measures to control cyber risks. It now has a final law in place.
Learning from other sectors
“Organizations find it difficult to distinguish NIS2 from other security controls,” notes Emmon Lang’at of HPE. “However, regulated industries are usually a lot further ahead. They already run security programs with information security leaders. SMEs are not doing that yet.” Maarten Werff of Conscia sees a lesson in this for other sectors. “Within the healthcare sector, there is an active role for Z-CERT [the Dutch center of expertise for cybersecurity in healthcare, ed.].” He believes that more industries should consider such an approach, even if it is difficult. Why exactly?
“There are four officially designated CERTs in the Netherlands, representing all sectors,” says Benda. “After the NIS2 implementation, these four centers will have to cover more than 10,000 organizations, while the task is already heavy.”
This could easily lead to a bottleneck. After all, the experts at the table insist that the step toward compliance and awareness is a big one. Help from a CERT will therefore not be a given due to limited bandwidth. This makes the transition to better cyber resilience more difficult.
Emmon Lang’at emphasizes that organizations should not get bogged down in all the details. Consider, for example, Article 21 of the NIS2 Directive, which sets out the necessary steps to promote risk management. He mentions DORA (Digital Operational Resilience Act), an EU law that aims to increase the digital resilience of financial organizations. Lang’at argues that the banking sector is already more concerned about issues that currently result in fines than about any problems caused by the transposition of NIS2 into law. In other words, the financial and mental investment required to comply with legislation has already been made there. Lang’at hopes that national laws based on NIS2 will push more entities toward the same mindset.
Schreven notes that preparing for local laws will be an expensive undertaking. This is due to a combination of tooling, hiring lawyers, and gathering knowledge. In other words, you need to have staff who know what they are doing. That also costs money to hire and retain. De Vree acknowledges this. “KPN already had to comply with NIS1, so it’s a smaller step for us to move to NIS2. But for parties for whom NIS is new, it means a lot of work, which of course also entails additional costs. Retaining staff is expensive, but training employees to reach the desired level is even more expensive.”
Money, money, money
You can avoid this expense by ignoring NIS2. After all, who says there will be fines? Maarten Werff: “If you are caught without being able to prove that you have taken the right measures, there will be a fine.” He is not referring to any specific future violations; according to the participants in the discussion, NIS2 is not intended to be draconian. De Vree compares it to a traffic violation: if you simply make a mistake and drive into a road you are not allowed to enter, the police will not always fine you. “Non-compliance does not automatically result in a fine if you are hit by a cyberattack.” The message is clear. You risk a fine if you are careless and unprepared, but you can expect some leniency if you made a genuine effort to make your organization resilient.
Sabarishwaran Jay believes that it will mainly be about complying with the spirit of the law. “Companies must care about cybersecurity. But what people don’t realize is that risk assessment is about more than just security; it’s about business continuity.” In other words: continuing your organization’s operations, even if you face a major setback.
“There is no reason why any company, large or small, should not look at risk management,” says Benda. “What risks do we face? What is relevant? Once you talk about these things, it becomes logical to implement measures. You don’t need to buy tools, just write a policy. The absolute baseline is to determine the risks.”
According to Dick Vonk, the step that is often missing is in the procurement of new products. Organizations are not yet thinking about NIS2. It is seen as a problem or a challenge, he says, “while it is a good thing that there is going to be a NIS2 law.” He considers it a good thing that it is no longer optional for organizations to do nothing to make themselves resilient. Those who ask the right questions will quickly get the answers they need. “Secure supply chains are also coming our way,” explains Vonk on behalf of Dell Technologies. “When you purchase products, you need to be sure that they are secure.” For example, a Dell backup appliance even checks whether it still contains the same hardware and code in a customer’s rack as when it left the factory.
Automation for everyone
Maas from Thales definitely sees an increase in demand for solutions and technologies to improve security posture. Governments and organizations such as NATO are taking concrete action in the area of encryption standards. The contrast with SMEs that fall just outside the scope of NIS2 is stark. “It’s impressive if they even have a CISO,” says Maas. “At best, you can expect them to have improved their security slightly in recent years. They need external consultants and don’t have the resources to go beyond that.”
“External resources are expensive, but you can’t do without them,” says Schreven. “NIS2 is not an end in itself, but a means to an end.” Organizations need to be provided with the right knowledge, which often means looking outside the organization. Werff explains that Conscia consultants, for example, help customers with assessments and CIS Controls. This quickly makes companies realize that there is work to be done when it comes to monitoring or incident response. “This makes MDR services useful, even though NIS2 is not the main focus here,” says Werff.
“Democratization of tools and processes is important,” adds Sabarishwaran Jay. “Automation must be possible for everyone.” For vendors, it is important not to cause problems themselves as part of the chain. This allows organizations to solve problems with automation without introducing new risks by sharing data with third parties.
Conclusion: a big job
In this discussion with these experts, we focused primarily on the transposition of NIS2 into national legislation. However, in a later article, we will delve deeper into the subject matter and look at what your organization can do in concrete terms to prepare itself for local laws and, just as importantly, how you can actually become more cyber resilient regardless of the specific legal requirements. As Michiel Benda sums it up: “This issue is not about compliance, but about security. It is not just the letter of the law, but the spirit of the law that people need to be aware of.”