Most EU countries are missing the deadline to comply with latest cybersecurity regulations

New EU rules requiring companies to strengthen their cyber defenses have been slow to get off the ground, as many member states failed to adopt the underlying legislation in time to meet a key enforcement deadline, according to a tracker monitoring the policy's progress.

The EU's NIS 2 cybersecurity directive sets high standards for companies' internal cybersecurity systems and practices. It imposes stricter requirements on risk management, reporting obligations and business continuity planning in the event of a cyber breach.

On Thursday, the new directive officially became enforceable in member states. This means companies must now ensure that their operations are compliant. However, most EU member states have yet to transpose NIS 2 into their national laws, meaning enforcement is likely to be patchy.

Two countries – Portugal and Bulgaria – have yet to begin the transposition process for NIS 2, which involves incorporating the directive's requirements into the national laws of EU member states, according to a tracker tool from the internet research organization DNS Research Federation. The governments of Portugal and Bulgaria were not immediately available for comment when contacted by CNBC on Wednesday.

“Implementation status varies significantly across the bloc,” Tim Wright, partner and technology attorney at Fladgate, told CNBC by email.

What is NIS 2?

NIS 2 – or the Network and Information Security Directive 2 – is an EU directive aimed at increasing the security of IT systems and networks across the bloc. The law, first proposed in 2020, serves as an update to a previous policy simply called NIS.

NIS 2 expands the scope of its predecessor to address newer cybersecurity challenges and threats, as criminals have found new ways to hack companies and compromise their sensitive data.

The directive applies to organizations operating inside the EU that provide essential services to consumers, including banks, energy suppliers, healthcare facilities, internet providers, transport companies and waste processors.


Under the new rules, companies have a “duty of care” obligation to report cyber vulnerabilities and hacks and to share details about them with other companies – even if that means admitting they are the victim of a cybersecurity breach.

If an organization falls victim to a cyber breach, it has 24 hours to submit an early warning notification to authorities – a stricter timeframe than the 72-hour period within which companies must notify authorities of a data breach under the General Data Protection Regulation, a separate data protection law in the EU.

Companies must also individually assess their technology suppliers for cyber threats and vulnerabilities.

Will it be effective?

Fladgate's Wright said the effectiveness of NIS 2 as a regulation largely depends on consistent implementation and enforcement across EU member states.

“Malicious actors may target countries that are lagging behind in NIS2 implementation, or they may look for vulnerabilities in supply chains, targeting smaller, less secure vendors and suppliers to gain access to larger, more protected organizations,” he told CNBC.

Companies have been working for years to get their internal processes, controls and overall cybersecurity culture in order ahead of Thursday's deadline.

Chris Gow, EU policy director at enterprise tech company Cisco, said the patchy implementation of NIS 2 had also been “exacerbated by local adaptation of the law”.

This, in turn, creates “discrepancies that can prove difficult to manage, particularly for smaller organizations with limited resources,” Gow told CNBC in emailed comments.


He recommended that, rather than becoming “overwhelmed” by discrepancies in local customizations of NIS 2, organizations should “identify a common core of security controls and processes that will help them meet and demonstrate compliance at scale.”

What happens if an organization doesn't comply?

For “essential” entities such as transport, finance and water companies, non-compliance with NIS 2 can lead to fines of up to 10 million euros (US$10.9 million) or 2% of global annual turnover, whichever is higher.

Meanwhile, “important” entities – such as food companies, chemical companies and waste management companies – face fines of up to 7 million euros, or 1.4% of their global annual turnover, for violations.

Companies may also face business interruptions and increased oversight if they fail to comply with NIS 2.

“NIS 2 makes it clear: Heavy fines, possible suspension of service and compliance monitoring will be used as leverage to encourage organizations responsible for critical services to pay attention to and respond to cybersecurity threats,” Carl Leonard, EMEA cybersecurity strategist at Proofpoint, told CNBC.

“A baseline has been established regarding risk management and risk mitigation measures, including incident handling, staff training, leadership responsibilities and more,” Leonard added.

image credit : www.cnbc.com