The European Union’s new cyber security law, NIS2, is now in effect, and businesses are feeling the pressure. If companies don’t comply with the requirements, they’ll face substantial fines.
NIS2 aims to standardize cyber security measures across the EU. This means that businesses in crucial sectors like energy, transport, water, finance, and healthcare must implement strong cyber security protocols and report significant cyber threats to the necessary authorities. IT vendors—think search engines, cloud services, and online retailers—aren’t off the hook either. They need to follow these regulations too. Additionally, EU member states are required to establish their own computer security incident response teams and a national authority for network and information systems, if they haven’t already set these up.
UK businesses that want to sell to EU customers must also comply with NIS2. The rules apply to any essential or important entities offering services within the EU, even if they don’t have a physical presence there.
Not complying can lead to fines starting at €7 million or 1.4% of global annual revenue, with a possible maximum of €10 million or 2% of that revenue—whichever is higher.
Bart Salaets from F5 highlighted that NIS2 casts a wider net than its predecessor, NIS1. Many organizations that may have previously overlooked cyber security now need to pay attention. He pointed out that companies should focus on creating better visibility and unified reporting across their security platforms. Integrated solutions and advanced reporting tools, possibly using AI, are going to be essential for keeping up with NIS2’s demands.
Mike Smith at Qodea emphasized that NIS2 has more detailed definitions about accountability. Many organizations that weren’t under NIS1 may find themselves covered by NIS2. This can be a tough adjustment for those not already investing in robust security measures.
David Higgins from CyberArk mentioned a key point in Article 21 of NIS2—companies now have to implement strong cyber security safeguards to protect their supply chains and enforce zero-trust access. This zero-trust approach to identity security is crucial for compliance, as organizations must shield themselves from a wide array of threats, including subcontractors and service providers.
Tim Wright, a technology lawyer at Fladgate, pointed out the uneven progress among EU countries in adopting NIS2. While there’s a compliance deadline of October 17, 2024, only six member states—Belgium, Croatia, Greece, Hungary, Latvia, and Lithuania—have fully integrated NIS2 into their laws. Meanwhile, Bulgaria, Estonia, and Portugal have yet to get started.
Wright argues that the effectiveness of NIS2 hinges on consistent enforcement across the EU. While it aims to bolster the cyber security landscape, he warns that determined attackers will still seek out weaknesses. The success of this directive relies not just on compliance, but on fostering a genuine culture of cyber security throughout the EU.