Getting a Head Start on Compliance With NIS 2: Seven Steps to Take Now
The countdown clock is running until the EU’s updated Network and Information Security Directive, NIS 2, goes into effect in all EU member states in October 2024 — less than a year away. While meeting NIS 2’s compliance requirements will take time and a solid organizational strategy, ultimately it will help mitigate an organization’s cybercrime-related risk.
Cybercrime Continues to Surge
NIS 2 is meant to address a global crime wave. Cybercrime is among the fastest-growing areas of criminal activity worldwide. High-profile ransomware campaigns continue to make headlines with increasing frequency. BlackBerry’s November 2023 Threat Report notes a remarkable 70% increase in unique malware attacks from June to August 2023, with finance, healthcare, critical infrastructure, and government sectors being most heavily targeted. According to the European Union Agency for Cybersecurity (ENISA), in 2022, the vast majority of those attacks in Europe targeted public administration and governments, digital service providers, and critical infrastructure – the very same sectors covered by the updated NIS 2 Directive.
NIS 2 and Its Application to More Sectors
Originally introduced in 2016, the EU initial NIS directive was the first ever EU-wide cybersecurity legislation. It established cybersecurity obligations for operators of “essential services” in critical sectors such as energy, transportation, health, and finance, as well as for digital service providers, including online marketplaces, search engines, and cloud services.
Recognizing that the cyber threat landscape had changed considerably since the first NIS directive was adopted, the European Commission proposed a revised NIS directive (NIS 2) in December 2020 that would make the legislation “fit-for-purpose.” To that end, the new directive expands the number of sectors covered, and aims to protect food and pharmaceutical supply chains, essential public services, and digital services such as data centers.
NIS 2 entered into force in January of this year, and EU member states must enact the directive into national law by Oct. 17, 2024. At that point, all “covered” organizations will be expected to be compliant.
NIS 2 Sets High Bar for Compliance and Has “Teeth”
NIS 2 compliance includes taking actions to minimize cyber risks, putting processes in place for reporting cyber incidents, and establishing accountability and cybersecurity training for employees. It also requires a business continuity plan for major cyber incidents. This plan must outline critical policies, procedures, and key contacts — including third-party agents — to contain and control breaches quickly.
What’s more, this directive has teeth. Failure to comply could result in fines of up to €10 million (nearly US$11 million), or 2% of the entity’s total turnover worldwide — whichever is higher.
Security-By-Design Now More Important Than Ever
Security, trust, and quality are principles deeply embedded in NIS 2. The directive recognizes the importance of high levels of cybersecurity risk management and “secure-by-design" principles across the critical infrastructure enterprise.
NIS 2 also focuses on security of software supply chains for critical infrastructure, which has become vitally important. In fact, BlackBerry research in October 2022 revealed that four out of five IT decision-makers said their organization was notified of a cyberattack — or vulnerability — in their software supply chain during the preceding 12 months.
The research also flagged challenges that organizations face in protecting their software supply chains, even with rigorous use of data encryption, identity access management (IAM), and secure privileged access management (PAM) frameworks. Despite enforcing these measures across partners, more than 75% of respondents discovered previously unknown participants within their software supply chain — entities they had not been monitoring for adherence to critical security standards.
NIS 2 will hold organizations accountable for closing these kinds of vulnerabilities. It also will require critical infrastructure entities to consider the overall security, resilience, and quality of the products and services that they use. Accordingly, an organization must understand the cybersecurity practices and software development procedures adopted by its suppliers and service providers.
For many, the granularity and breadth of cyber protection across all facets of organizational operation will mean establishing trusted partnerships with expert cybersecurity software and service providers to bolster the knowledge and capabilities that NIS 2 compliance demands.
Recommendations: Seven Steps to Take by October 2024
Specifically aligned with NIS 2, here are seven actions that organizations should take to prepare for the October 2024 deadline:
- Adopt measures to predict and prevent cyberattacks before they happen. This means implementing AI-driven cyber tools to detect and prevent threats before they cause damage.
- Adopt a Zero Trust approach to manage user access to applications and data, both continuously and by default. This will reduce the risk of breaches, provide granular unified access control, and enable secure work from anywhere.
- Report and respond to cyber incidents quickly. In a world where competition to attract cybersecurity talent is fierce, a rapid and cost-effective approach to accessing cybersecurity expertise is to subscribe to MDR (managed detection and response) services.
- Stay on top of the latest cyber threat intelligence. The cyber threat landscape is continuously evolving. Having access to actionable threat intelligence will help organizations ensure that their cyber risk assessments and security policies are fit for purpose.
- Secure data on corporate-owned and personal devices used by employees. With remote and hybrid work environments now the norm, it is critical that organizations adopt policy controls and the visibility required to secure all endpoints.
- Encrypt voice communications and messaging. NIS 2 requires the use of multi-factor authentication and secure encryption for voice, video, and text. This means organizations must adopt secure messaging and phone applications that are certified to meet the highest security requirements and protect against the most sophisticated threats.
- Put in place a business continuity plan, for use in the event of a major cyber incident. Organizations will need to be able to quickly deploy response teams and communicate with employees and other key stakeholders when regular communication channels are compromised. This means adopting secure, multi-channel communications platforms to ensure that the right people have the right information to respond to — and recover from — critical events.
Indeed, as critical infrastructure enterprises and their supply chains have become prime targets for cyber threat actors in the EU and around the world, meeting NIS 2 requirements should be an immediate priority for all affected organizations. October 2024 is right around the corner, considering the significant time it will take to properly implement the extensive processes, practices, and technologies for NIS 2 compliance.
For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.
About Marjorie Dickman
Marjorie Dickman is BlackBerry’s Chief Government Affairs and Public Policy Officer, responsible for strategic oversight of the company’s Global Government Relations and Technical Standards organizations.