The new EU cybersecurity legislation, NIS2, was one of the major topics at the Tech for Good EMEA Regional Conference in October 2023 – an ESET conference where ESET Government Affairs Director Andy Garth, discussed with thought leaders, experts, and cybersecurity stakeholders updates from their areas of expertise.
The lively debate was unsurprising, given the sweeping implications of the new legislation for various entities and institutions across the EU. However, it's crucial to clarify that EU Member States have until October 17, 2024, to transpose the NIS2 directive into their national laws. This means companies won't have a specific compliance date until each member state finalises its national legislation.
So what are the experts' views on this legislation? What are their views on its benefits and potential problems?
Extraterritorial cybersecurity legislation was long overdue
Robbert Santifort, principal associate at Eversheds Sutherland, looked at the new legislation from a lawyer’s point of view, emphasising the ever-rising costs of cyber-crimes and the pressing need for extraterritorial legislation to protect EU entities and institutions. Santifort explained the position of the NIS2 directive within a pan-European infrastructure composed of national and cross-border security operations centres (SOCs) across the EU.
The directive affects not only EU institutions and companies, but also their suppliers and all entities running their business in the Union. The law expert highlighted the need to bring the theme of cybersecurity into the boardrooms of governments, companies, and institutions, as well as the need to educate its management accordingly. Santifort says:
“Why is NIS2 that important? Why is it getting so much attention? As I said, it brings cybersecurity to the boardroom. What does it mean in practice? It means that management bodies must be able to identify and assess those cybersecurity risk management measures. They must be able to approve those measures in relation to the risk management framework that’s applicable within the company and oversee the implementation of those measures. The management board also needs to be educated and trained to be able to properly govern the implementation of any of those obligations.”
Santifort also praised the much larger scope of NIS2 compared to its predecessor, the NIS directive, and its improved enforcement not only on the company level but on a personal one too.
Security is always a snapshot
Dave Maasland, CEO of ESET Nederland, named three key components for an efficient implementation of NIS2: communication, awareness, and collective resilience. He believes that it should not be a matter of duty for any institution or individual whom NIS2 affects to comply with it, but rather a matter of desire. Maasland trusts that once individuals and companies understand that it is, in fact, a tool of protection, they will realise it is in their best interest to comply with it.
The digital security expert also pointed out that: “Security is always a snapshot. You can be secure now. But tomorrow, Microsoft might have an exploit and you´ll be less secure.” That means security is not a one-time achievement but an ongoing process. It requires constantly evaluating your security posture, addressing evolving threats, and taking a proactive approach to minimise the risk of being caught off guard.
Maasland suggests that being prepared for cyberattacks and effectively dealing with their aftermath is vital. The last important key feature he mentioned was sharing knowledge and working together against threats. All of these are, as per his words, embodied by NIS2.
A tight deadline might mean extra workforce
Maik Wetzel, the strategic business development director at ESET DACH, urged everyone who will be affected by NIS2 not to hesitate, but to start aligning the processes and policies of their companies and institutions with it right away. He pointed out that since NIS2 is an EU directive, there will be some nuances on the level of individual countries.
Using Germany and its cascade of federal but also state institutions dealing with cybersecurity as an example, Wetzel pointed out that an extra specialised workforce may be needed to achieve compliance with NIS2 within the tight deadline.
|
MAIN POINTS |
|
|
|---|---|---|
|
NIS2 is a key new EU legislation that builds resilience against cybercrime. |
||
|
It will affect up to 160,000 entities. |
||
|
Communication, awareness, and collective resilience are crucial. |
||
|
Implementation might require an additional specialised workforce. |
||
All three presenters agreed on the necessity of a directive such as NIS2 and the unified cyber protection legislation across the EU. They turned to all entities that will be affected by it, urging them to start working towards NIS2 compliance right away, amplifying that it is in their best interest to do so. The speakers also highlighted the importance of straightforward and clear communication, as well as effective education of the involved entities as the best means of getting them on board with the new legislation.
So, if you know your company will be affected by NIS2, follow Maik Wetzel’s advice:
“Don’t hesitate. Start now.”
