NIS2 on the horizon: companies need to get ready

The aim of this new European directive is to strengthen cybersecurity in Europe. It is set to replace the NIS1 directive, whose requirements are no longer up to the task of improving security, especially given the steady increase in cyberattacks against businesses and public authorities.

According to a research paper published by Cyber Rescue Alliance in 2022, almost every company in the world has already been the target of a phishing attack. In 12% of successful attacks, hackers were able to gain full access to company data for over a year before they encrypted it with ransomware. If cybercriminals get their way, companies soon run the risk of seeing their operations disrupted. This could even lead to production shutdowns, with serious financial consequences.

A report by international insurer Hiscox suggests that a fifth of companies that have fallen victim to a cyberattack are on the brink of bankruptcy. A global survey conducted in 2022 revealed that around 46% of German companies surveyed had been the victim of a cyberattack on at least one occasion. An average of around 49% of companies across the various countries included in the survey said they had suffered at least one cyberattack in the last 12 months.

Forcing companies and public authorities to take protective measures

NIS2 is designed primarily to protect critical infrastructure, and in the medium to long term will affect practically all companies operating in Europe. Initially, though, it will mainly apply to operators of critical infrastructure, in particular companies, government agencies, and organizations that are vital to keeping the economic, legal, and health systems running smoothly.

The definition of critical infrastructure set out in NIS2 includes not only traditional organizations such as hospitals or energy suppliers, but also companies in the water supply, transport, telecommunications, healthcare, and finance sectors. Other critical sectors include digital, mail and courier services, waste management, food, industry (especially the chemical industry), and research.

It is important to note that the suppliers and service providers of the above-mentioned companies are also affected. Other sectors will also fall within the scope of NIS2. The intention is clear: in future, almost all companies, regardless of size or sector, will have to comply with NIS2 requirements. This makes a great deal of sense, as it is ultimately in every company’s interest to protect its data from hacking attempts by cybercriminals.

All EU countries must have transposed NIS2 requirements into national law by October 2024, forcing companies to adopt appropriate protective measures from that point forward. Cybersecurity projects can often take several years to complete.

Many companies currently have no information security management system at all, for example. They are not collecting data that feeds into indicators or carrying out security audits, two aspects that will be vital in the future. It is therefore about time that companies started to take NIS2 seriously.

Most companies underestimate just how important they are to the supply chain in which they operate. Yet, under the directive, subcontractors of critical companies are also regarded as critical. This means that, in future, large companies will have to pay closer attention to their suppliers’ cybersecurity practices, with the risk of these suppliers rapidly losing business if their cybersecurity is deemed inadequate.

Companies that fail to comply with NIS2 requirements risk losing customers

The directive makes it clear that protection efforts do not only apply to the critical business itself, but also to its suppliers and subcontractors, who are also responsible for ensuring that the business runs smoothly and is resilient. If a supplier suffers a major failure that ultimately affects the supply chain, the NIS2 critical business will have to change suppliers to ensure it remains resilient.

Companies are also likely to voluntarily evict suppliers who fail to protect themselves sufficiently against cyberattacks. This new directive will affect small and medium-sized businesses just as much as large corporations and public authorities, especially if they want to protect not only their data, but also their economic survival.

Ensuring business resilience

NIS2 is not just about preventing cyberattacks, which looks far from being realistic given the growing number of attacks and the ever-increasing professionalism of bad actors. Strengthening business resilience is at the very heart of NIS2. A company must be able to deal with a successful cyberattack and eliminate its traces as quickly as possible. The aim is to ensure that even successful cyberattacks do not affect a company or government agency to the point of significantly disrupting its operations over the long term.

The aim of the NIS2 directive is therefore to contain threats and limit disruption caused by cyberattacks as quickly as possible, to prevent any impact on the supply chain. If a company is unable to provide this guarantee, it will sooner or later be forced out of the supply chain, given that the number of cyberattacks will continue to grow.

Business leaders must therefore ask themselves three key questions: When will the next cyberattack hit? Can my company withstand it, and is it resilient enough to stay in business? Are we as prepared as we need to be to deal with cyberattacks?

Practical advice

A proactive response to the requirements of the directive calls for a structured approach and, more importantly, consistent preparation to ensure that cyberattacks have no major impact on the company. To do this, companies need to consider the following points:

What assets and resources does the company have? Who owns them? What are their risks and weaknesses?
What are the potential targets for hackers within the company?
Are there systems in place to manage access for new starters and leavers?
How and where is data stored, and who uses it?
Users must only have access to the data they need; all other data must be archived in a safe place.
It is not always a good idea to move everything to the cloud.
Are administrative rights controlled and limited?
Are the business processes to be followed in the event of a cyberattack properly defined, documented, and tested?
Are security incidents thoroughly analyzed?
Has a system been set up to counter attacks that can occur at any time, 24 hours a day, 7 days a week?
Does the company have partners ready to provide rapid assistance in an emergency?
Is there scope for collaboration with other companies to meet requirements together?

A company’s level of cyber maturity needs to be defined as quickly as possible, and its security measures and response capabilities planned. The aim is to ensure that the organization itself is effectively protected against attacks and can learn from those that have already occurred. This is the only way the company can protect its business and minimize potential damage.