A tough new EU cyber law is off to a messy start, with many countries failing to adopt the rules

Businesses have been working hard to shift their culture internally to ensure they’re taking the threat of cyber breaches and outage incidents seriously.


New European Union regulations requiring businesses to bolster their cyber defenses are off to a slow start, as many member states have failed to adopt the rules in time to meet a key enforcement deadline, according to research monitoring the progress of the directive.

The EU’s NIS 2 cybersecurity directive sets a high benchmark for companies’ internal cybersecurity systems and practices. It imposes tougher requirements around risk management, transparency obligations and business continuity planning in the event of a cyber breach.

On Thursday, the new directive officially became enforceable by member states. That means firms have to now ensure their operations are up to scratch with the rules. However, most EU member states have yet to implement NIS 2 in their own respective national laws, meaning that enforcement is likely to be spotty.

Two countries — Portugal and Bulgaria — haven’t begun the transposition process for NIS 2, where directives are incorporated into the national laws of EU member states, according to a tracker tool from internet research organization DNS Research Federation. The governments of Portugal and Bulgaria were not immediately available for comment when contacted by CNBC Wednesday.

“The implementation status varies significantly across the bloc,” Tim Wright, partner and technology lawyer at Fladgate, told CNBC via email.

What is NIS 2?

NIS 2 — or the Network and Information Security Directive 2 — is an EU directive that aims to increase the security of IT systems and networks across the bloc. First proposed in 2020, the law serves as an update to an earlier directive simply called NIS.

NIS 2 expands the scope of its predecessor to address more recent cybersecurity challenges and threats, as criminals have found new ways to hack companies and compromise their sensitive data.

The directive applies to organizations that operate within the EU and provide essential services to consumers, including banks, energy suppliers, health care institutions, internet providers, transport firms, and waste processors.


Businesses will have a “duty of care” to report and share information on cyber vulnerabilities and hacks with other companies under the new regulation — even if it means owning up to being a victim of a cyber breach.

If a business falls victim to a cyber breach, it will have 24 hours to submit an early warning notification to authorities — a stricter timeline than the 72-hour window firms have to notify authorities about a data breach under the General Data Protection Regulation, a separate data privacy law in the EU.

Firms will also have to vet their technology vendors one by one for cyber threats and vulnerabilities.

Will it be effective?

Fladgate’s Wright said that effectiveness of NIS 2 as a regulation will largely depend on consistent implementation and enforcement across EU member states.

“Bad actors may target countries lagging in their NIS2 transposition or look for weaknesses in supply chains, targeting smaller, less-secure vendors and suppliers to gain access to larger, better-protected organisations,” he told CNBC.

Businesses have been working to get their internal processes, controls and broader culture around cybersecurity into shape for years ahead of the Thursday deadline.

Chris Gow, enterprise tech firm Cisco’s EU public policy lead, said that the spotty nature of NIS 2’s implementation has also been “exacerbated by local adaptation of the law.”

This, in turn, is “creating discrepancies that can prove difficult to navigate, especially for smaller organisations with limited resources,” Gow told CNBC in emailed comments.


He recommended that, rather than being “overwhelmed” by discrepancies in local adaptations of NIS 2, organizations should “identify a common core of security controls and processes that stand them in good stead to both meet and demonstrate compliance at scale.”

What if a company fails to comply?

For “essential” entities like transport, finance and water companies, failure to comply with NIS 2 can lead to fines of up to 10 million euros ($10.9 million) or 2% of global annual revenues — whichever ends up higher.

Meanwhile, “important” businesses — such as food companies, chemicals firms, and waste management services — are looking at fines of up to 7 million euros or 1.4% of their global annual revenues for breaches.

Firms can also face possible suspensions of service if they fail to comply with NIS 2, as well as closer supervision.

“NIS 2 makes it clear – large fines, possible suspension of service and monitoring of compliance are being used as levers to encourage organisations responsible for critical services to pay attention to cybersecurity threats and their response to those,” Carl Leonard, EMEA cybersecurity strategist at Proofpoint, told CNBC.

“A baseline has been set in terms of risk-management and mitigation measures including incident handling, staff training, leadership accountability and many others,” Leonard added.
