Article

NIS2 – developing resilience

How the NIS2 Directive will bring value to your business

Published: September 2022

The EU’s NIS2 Directive will standardise, and make more stringent, the legal requirements for cyber and information security across the EU Member States. If your company is covered by NIS2, how do you make its adoption a beneficial part of your business?

At Implement, we are working closely with clients to prepare them for NIS2. And we firmly believe that with the right approach to the NIS2 Directive, you can add value to your business in terms of both resilience and reputation.

In this article, we highlight the essentials of how your organisation should approach the NIS2 Directive to make its adoption a beneficial part of your business.

What is NIS2?

Many European countries are experiencing a rapidly increasing number of cyberattacks, and these attacks are also becoming more sophisticated. The question is no longer what we should do if we are affected, but what to do when it happens. Following this line of thinking, companies will not be judged by consumers and stakeholders on whether they are hit by a cyberattack, but on the nature of their response and their preparedness for it.

In response to this new threat landscape, the European Parliament came to a provisional agreement on a high common level of cybersecurity across the European Union. The agreement made on 13 May 2022 is known as the NIS2 Directive and is an extension of the former NIS Directive. However, NIS2 will significantly enhance the scope of the Directive in terms of the entities and sectors that are included, as well as introduce new requirements.

Which companies will be included in the Directive and why does it matter?

The NIS2 Directive distinguishes between important and essential entities, and the category an organisation falls into is determined by the sector in which the organisation operates.

Furthermore, the Directive introduces a size threshold which includes large companies with more than 250 employees and medium-sized companies with 50–250 employees. Companies with fewer than 50 employees or an annual turnover of less than 10 million euros are mostly not included unless they are deemed of critical importance to society.

The NIS2 Directive prepares the ground for inspections, and ahead of these inspections the distinction between essential and important should be particularly noted:

For essential entities, the inspections will be conducted ex-ante, which means inspections will have taken place before potential attacks occur.

For important entities, the inspections will be conducted ex-post, meaning inspections will mostly be initiated after an attack.

The difference between when the inspections take place for essential and important entities has a direct impact on how many resources your organisation needs to allocate and what types of capabilities your organisation will need to have at its disposal.

Regardless of size, the NIS2 Directive also applies to public administration entities of central governments and public administration entities at a regional level.

We are included in the Directive – what do we do?

More than 100,000 companies across the European Union are estimated to be covered by the NIS2 Directive, and many of these companies will gain an advantage if they determine immediately whether they fall within its scope. It pays to have a solid plan for the work ahead, rather than waiting and being caught off guard by the amount of resources needed to comply with the Directive.

Harmonised sanctions will form an inherent part of the NIS2 Directive, and these sanctions will be the catalyst for placing NIS2 at the top of management’s agenda.

At Implement, we believe that companies should strive for the benefits they can gain from the resilience and robustness that come with complying with the Directive. The NIS2 Directive primarily promotes a risk-based approach, and for most organisations a risk management perspective will be the best way to balance the security needs deriving from the Directive with business goals.

If your organisation is included in the Directive, it is our recommendation that you initiate the preliminary work as soon as possible. An appropriate first step for your organisation is to identify and allocate the resources you need to handle the task. Further, your organisation will benefit from examining and evaluating the forthcoming legal requirements and consequences of non-compliance. You can do this by conducting an information security gap analysis, taking NIS2 as a point of reference.

National legislation and the road ahead

Following final approval of the Directive, Member States will have 21 months to transpose NIS2 into national legislation. This legislation will follow the Directive’s requirements or possibly adopt an even higher minimum standard. Companies and organisations should therefore understand the risk of waiting for national transposition before starting their NIS2 work, as our assessment is that the national interpretations of the Directive will change very little.

Going forward, the Directive is expected to be reviewed within a period of three to four years. Furthermore, it is estimated that the Directive will be aligned with the Regulation on digital operational resilience for the financial sector (DORA) and the Directive on the resilience of critical entities.

The obligations and deadlines linked to reporting are important parts of the Directive that will not be affected by new national legislation. The NIS2 Directive aims to streamline reporting practices to avoid over-reporting and reduce the reporting workload. Entities will have to issue an early warning within 24 hours and an incident notification with an initial assessment within 72 hours. Furthermore, entities are expected to issue a final report within one month. The initial assessment is expected to include indicators of compromise. Preparation will be essential to the ability to deliver a concise and valuable report within these time frames.

We help equip companies for a secure future

At Implement, we are ready to advise organisations on the NIS2 Directive. We have a diverse team of subject matter experts on legislation, security and compliance. We help identify the extent to which organisations are covered by the Directive and the potential obstacles and challenges related to it. Further, we have extensive experience in implementing organisational and technical requirements and in establishing the capabilities needed for compliance.

We aim to make organisations secure ahead of an uncertain future, through a truly human-centric approach. If you want to know more or wish to be kept up to date on the Directive, please do not hesitate to get in touch.