The future of cyber security regulation: what to look out for with NIS2

A digital padlock on a blue digital background.
(Image credit: Shutterstock / vs148)

The start of this year saw the introduction of NIS2 - the EU’s updated Network and Information Security Directive. With a deadline of 17 October 2024 to put this new law into national legislation, time is ticking for EU Member States to prepare. So, what is it, how does it differ from the original regulation introduced in 2018, and what do organizations need to do to ensure compliance?

New regulation for a new cyber reality

Currently, NIS regulations apply to organizations that provide ‘essential services’ – our critical infrastructures like energy, healthcare, and transportation, but also digital service providers such as online marketplaces and search engines. These regulations require organizations to ensure appropriate security measures are in place to manage cybersecurity risks. They also impose certain reporting obligations in the case of security incidents. 

NIS2 however, consists of stricter security and reporting requirements and is applied to a wider range of organizations. The new directive comes at a time when the world has never been so digitally-enabled. As the economy and wider society increasingly rely on digital services to stay connected, ransomware attacks are on the rise globally. An explosion of identities in enterprises – human and non-human – embroiled in more complex supply chains, is also complicating matters. The latest IDSA survey reveals 9 in 10 companies reported at least one identity-related breach in the past 12 months, 6% higher than last year, highlighting an increased level of cyber risk.

Steve Bradford

Steve Bradford is SailPoint's Senior Vice President for EMEA.

Strengthening digital defenses

How does NIS2 help businesses navigate these choppy waters, then? In the digital world, cyber resilience needs to be common practice in business models, but many organizations don’t know where to start. The NIS2 directive targets all public and private entities operating in the EU that are vital to the economy and society – including UK companies with operations in the EU. Sectors such as healthcare, energy, transport, IT infrastructure, financial market infrastructures, the food sector, social networking services platforms, cloud computing services, data centers, and more will fall under the NIS2 directive.  

NIS2 aims to deliver a broad, comprehensive, and holistic improvement of cybersecurity across the EU. Much of the responsibility falls on the government’s shoulders to maintain this standard, for example, through the establishment of ‘Computer Security Incident Response Teams’ that share information across countries to respond to potential incidents. However, there is still a great deal for businesses to be aware of in order to lay the groundwork for NIS2.

In the months leading up to the deadline, EU member states need to take the time to get ahead of the updated regulation. This means familiarizing themselves with the requirements of the directive and shaping their cybersecurity strategies to ensure they are both compliant and secure when the updated directive comes into force.  

Organizations will need to put policies and procedures in place for risk analysis, information system security, assessing the effectiveness of cybersecurity risk management measures, and more. Some examples of this include companies needing to ensure access is disabled when employees or contractors stop working for it, and they should also refrain from using ‘generic’ accounts (for example, accounts that are not tied to a named individual). Moreover, granting access to sensitive applications and/or data should be subject to approval and risk analysis to prevent toxic situations that could lead to fraud or data leakage.  

Implementing appropriate risk-management

Senior management will need to step up to the security plate when it comes to complying with NIS2 regulation. They will be responsible for approving the cybersecurity risk-management measures taken and overseeing their implementation, and, under NIS2, they can be held liable for any infringements. 

NIS2 will be far-reaching according to a new IDC report, “Identity governance will be a key to NIS2 compliance.” It will impact training, with the updated directive stipulating the need for cybersecurity training and awareness for all employees, as well as for the broader ecosystem – helping to improve an organization's overall security hygiene.

Supply chain security will also be impacted. Recent cyber-attacks on payroll services provider Zellis and outsourcing group Capita – which have both affected multiple organisations - highlight the importance of protecting third parties. The NIS2 directive will mandate coordinated risk assessments of critical supply chains that cover critical ICT services, CIT systems, or ICT products. 

Fortifying NIS2 with identity security

Assessing the efficacy of cybersecurity measures, or identifying vulnerabilities that remain despite those measures, can often be a real challenge for organizations. Many struggle to ensure access is promptly rescinded for employees that change roles or leave the company.

A proactive and policy-driven approach is needed to ensure these risks are addressed and managed properly. The European Commission recommends that essential and important entities adopt zero-trust principles and identity and access management. Least-privilege access that is implicit through zero trust approaches can be fundamental to managing that access for partners and contractors. Ahead of October 2024, European organizations need to conduct NIS2 gap assessments and implement strategies to address the outcomes of those assessments. 

Lessons learnt from the EU’s General Data Protection Regulation (GDPR) should be taken into account here. European regulators are more than ready to penalize businesses that are slow to act, typically in the form of regulatory penalties. In fact, for essential entities, NIS2 will require Member States to provide a maximum fine of at least €10 million, or 2% of the global annual revenue, depending on which is higher. For important entities, the maximum fine is of at least €7 million, or 1.4% of the global annual revenue. Add this to the costs of operational downtime, reputational damage, customer loss, and system restoration that follow any breach, and it becomes quite clear all that is at stake for businesses.  

Visibility is key

In today’s cyber landscape, organizations can't afford to overlook the need for identity management to ensure the security perimeter is properly protected. As the number of identities increases – from employees, machines, partners, and contractors, legacy identity security solutions are inadequate to address the sheer volume of identity-related tasks.

Fortunately, new AI-driven technology such as identity security can help businesses gain greater visibility and control through automating identity processes and building contextual insights. Clearly seeing, understanding, and managing who has access to what, and why, and then properly securing that access, can help trigger quicker, more impactful responses and will go a long way in avoiding a compromise.

This type of centralized visibility is vital when it comes to not only managing risk but enabling businesses. As identities proliferate at a speed far beyond what manual capabilities can handle, identity security is critical to help organizations prepare for NIS2 and protect against an increasingly sophisticated cyber threat landscape.

We've featured the best business VPN.

Steve Bradford is SailPoint's Senior Vice President, EMEA, where he is responsible for driving consistent growth across the company's EMEA business.