Businesses in the European Union could face huge fines or even have their services cut off under strict new cybersecurity rules that come into effect next month.
The EU’s NIS 2 cybersecurity directive must be transposed into member states’ national law by October 17, meaning companies in scope must ensure that their operations meet the obligations laid down in the new law from that date.
These rules impose more stringent requirements on companies’ internal cyber resilience strategies and internal practices.
CNBC looks at everything you need to know about NIS 2, from the legal requirements to the potential penalties businesses could face for noncompliance.
What is NIS 2?
NIS 2 stands for Network and Information Security Directive 2, an EU directive that aims to strengthen the security of network and information systems across the bloc. The law, proposed by the European Commission in 2020 and adopted in December 2022, replaces the original 2016 directive, simply called NIS.
NIS 2 expands the scope of previous versions to address modern cybersecurity challenges and threats as criminals find new ways to hack into companies and compromise sensitive data.
This directive applies to organisations operating within the EU and providing essential services to consumers, such as banks, energy suppliers, healthcare providers, internet service providers, transport companies and waste management companies.
Key areas covered include risk management, corporate responsibility, reporting obligations, and business continuity planning in the event of a cyber breach.
Gert van der Linden, Capgemini’s vice president of global cybersecurity services, told CNBC that NIS 2 sets a new standard for what enterprises are allowed to do to protect citizens, maintain operations and remain resilient in the face of cyberattacks.
“NIS 2, once it becomes enforceable, will be viewed as a global standard by judges,” Van der Linden added. “For our clients, whether it’s deemed mandatory or critical by regulation, we need to look at that baseline and make sure we’re complying with it.”
By meeting this standard, companies can effectively protect themselves from claims, Van der Linden added, comparing it to buying home insurance to protect your home from burglary.
“Where do thieves go? It’s always the least protected house. They open every door and see where they can get in,” he said. Attackers targeting companies are doing the same, Van der Linden added.
Under NIS 2, companies must assess the security of their digital supply chain, including their relationships with direct suppliers and service providers, for threats and vulnerabilities. Companies today rely on a wide range of third-party products and tools, each of which gives criminals another potential way in.
Chris Gow, Cisco’s head of EU public policy, told CNBC that NIS 2 will involve a “mapping exercise” where companies will be required to scan their technology suppliers to assess potential risks.
Companies also have a “duty of care” under NIS 2 to report significant cyber incidents to the national authorities, even if that means admitting to being a victim of a cyber attack, and the directive encourages them to share information about vulnerabilities and attacks with other companies.
What happens if a company fails to comply with regulations?
Companies that fail to comply with the new laws could face hefty fines, along with other punitive measures.
For entities deemed essential, such as transport, finance and water companies, failure to comply with NIS 2 could result in fines of up to €10 million ($11.1 million) or 2% of their annual global turnover (whichever is higher).
On the other hand, companies deemed important, such as food companies, chemical companies and waste management services, face fines of up to €7 million or 1.4% of their annual global turnover (whichever is higher) if they fail to comply.
If a company fails to comply with NIS 2, its services may be suspended and it may be subject to strict supervision to ensure compliance.
If a company suffers a significant cyber incident, it must file an early warning notification with the authorities within 24 hours of becoming aware of it, followed by a fuller incident notification within 72 hours and a final report within one month. The 24-hour early warning is stricter than the 72-hour window within which companies must notify authorities of a personal data breach under the EU’s separate data privacy law, the General Data Protection Regulation (GDPR).
“Preparing for NIS 2 is not a race to see what can be achieved, but rather a race to see which of the strongest organizations will leverage these efforts to exceed the bar and gain competitive advantage,” Carl Leonard, EMEA cybersecurity strategist at Proofpoint, told CNBC.
“We expect organizations to be better supported by a coordinated effort at EU level,” Leonard said. “This will include shared threat intelligence, a higher level of common cybersecurity and a ‘we’re in this together’ mentality.”
Are businesses ready?
Companies have been racing to flesh out their internal processes, controls, and broader culture around cybersecurity ahead of the October 17 deadline.
Cisco’s Koh said that even without the threat of new regulations looming, companies have been working hard to change their internal cultures to take the threat of cyber breaches and disruptions seriously.
“Even if we take away what’s happening on the regulatory side, we see reporting happening all the way from the CISO level all the way up to the board and executive management.”
He added that NIS 2 is forcing companies to more quickly update their cyber controls and practices to comply with the new rules.
“It definitely has an impact,” he said. “I’m seeing it firsthand. I’m hearing internally from sales and management, ‘How does this impact us?’” He added that there are “things that need to be done now” to ensure companies meet the requirements of NIS 2.
And yet, despite the increased focus on cybersecurity in boardrooms, cyberattacks still occur.
Earlier this year, a ransomware attack on UK pathology services provider Synnovis disrupted more than 3,000 hospital and GP appointments. The attackers, a Russia-based ransomware group called Qilin, demanded a £40 million ransom.
Gow said it would be a mistake to assume the new rules would prevent similar incidents from happening in the future, but added that NIS 2 had helped “create research and focus resources on how to increase overall security”.