Dr. Martin J. Kraemer, Security Awareness Advocate at KnowBe4, gives his advice on where organisations can start to act now in light of the impending NIS2 regulation
While EU member states must introduce the Network and Information Systems Directive 2022 (NIS2) into their national law by October 2024, not all appear ready to meet this deadline. This directive imposes ten security measures intended to strengthen the cyber resilience of critical infrastructure, including business continuity management, cyber risk management, supply chain security and training and education.
Differences between EU countries in the implementation of the NIS2 Directive
Some member states have already transposed the directive into their national legislation and are preparing to apply compliance measures from October 2024. Others, such as France, Denmark and the Netherlands, have announced that they will only implement it at the beginning of 2025. Germany, for its part, is very unlikely to meet the deadline, due to pending national legislation.
The differences in the implementation of the directive are also significant. For example, France explicitly includes local authorities, which is not the case in Germany. As the UK has left the EU bloc, it also diverges from NIS2, though UK businesses operating in the EU will have to meet its requirements. The UK has extended the reach of its NIS legislation to include managed service providers (MSPs) in a bid to up the ante on cyber resilience, and has broadened the scope of incidents that require reporting.
These variations have left many pan-European organisations struggling to understand the directive and its various implementations across the EU.
Organisational Confidence and Readiness
According to a study by Zscaler, 80% of organisations are confident in their ability to comply. However, many are waiting for national legislation, assuming that implementation delays will give them enough time to put the required measures in place. Currently, only 14% of organisations say they are compliant.
However, many organisations lack confidence in their ability to understand requirements (53%), and 49% report a notable lack of support from their leadership. Without adequate support from the top, who are personally responsible and accountable for the implementation and security of the organisation, IT teams may find themselves ready, but the organisation as a whole will not be.
Perspectives from European organisations
Another YouGov survey commissioned by ESET reveals a similar situation: a third of organisations say they have implemented the directive, while 15% believe they are not affected and 14% are uncertain about their compliance requirements. About 38% have not yet started on compliance but plan to do so soon. Despite significant attention to the subject, actual implementation is often insufficient, leading to one of the main criticisms of the directive: the path to compliance is not always clear.
Although there is time, the lack of support from company management, of understanding among key stakeholders and of awareness among small and medium-sized businesses is concerning. Management can no longer avoid engaging with cybersecurity professionals, as they are ultimately responsible and accountable.
Although national legislation will eventually be resolved, organisations must proactively prepare. Implementing standards such as ISO 27001 is one approach. Comprehensive risk management must consider the specific threats an organisation faces. As the directive states, employee training is crucial to building resilience. This recognition is now widespread, as the human element is the most targeted attack vector. Effective training and education are essential to understanding and mitigating organisational risks. Proper execution of these initiatives is key.
While legislation is delayed and there is still time for organisations to prepare, everyone is advised to use this time with intention. NIS2 is not just another compliance requirement but a wake-up call for all critical infrastructure and their suppliers to make cybersecurity a business priority and to help protect countries from interference by threat actors, e.g., nation states, hacktivists, or cybercriminals.