
NIS2’s cybersecurity value spreads beyond its expanded scope

News Analysis
18 Oct 2024
IT Governance Frameworks | Regulation | Security

The latest European directive establishes new mandatory protection measures for a greater number of organizations, but its focus on collaboration and information sharing underscores the societal importance of cybersecurity, providing a model for the rest of the world.


The European Union’s NIS2 (Network and Information Systems) Directive, whose national transposition deadline of 17 October 2024 has now passed, updates the original 2016 NIS Directive to better address an increasingly damaging cyber threat landscape.

The latest version widens the range of sectors and companies that must comply with the directive, meaning up to 100,000 companies across the EU will have to update their cybersecurity operations, according to data from Logicalis. Among the required measures, the most notable are multifactor authentication, an early warning of significant incidents within 24 hours (followed by a fuller notification within 72 hours), and greater supply chain resilience.

Independent analyst Fernando Maldonado stresses that, together with DORA, the EU act aimed at increasing the resilience of financial firms, Europe is seeking to shore up critical infrastructures within a geopolitical context in which “many battles against cybercriminals are being lost.”

For example, he cites, last year saw the largest ransomware payment in history, some $75 million to the Dark Angel group, doubling the second highest ever made public. In addition, the total economic impact generated by this attack continues to break records.

Thus, Maldonado continues, NIS2’s focus on collaboration, on sharing information, establishing a community crisis support network, and taking great care of relationships with suppliers, is key. 

“The response has to be cross-border, individually we do nothing,” he says. “If cybercrime were a company, it would have a valuation close to Meta. We have to disrupt the finances of cybercriminals. We must prepare and avoid paying ransoms at all costs. Anything that raises the level of demand and collaboration is good.”

Preparation is essential

Failure to comply with these provisions exposes essential entities to fines of up to €10 million or 2% of global annual turnover, whichever is higher (important entities face up to €7 million or 1.4%). Therefore, preparation is essential, Maldonado stresses.

According to Maldonado, companies still suffer from overconfidence when it comes to cybersecurity, resulting in a mismatch between their true degree of cyber maturity and what they perceive.

“Today’s efforts are insufficient,” he says. “The responsibility of a corporation to be resilient is no longer only towards its shareholders, but towards society as a whole. The underlying idea is that individually we do nothing, but if we are not individually prepared, we find ourselves in a bad scenario. Awareness is essential in this global race in which we find ourselves.”

Industry vision

Computerworld Spain spoke with Erik Prusch, global CEO of ISACA, an international professional association that focuses on IT governance, about NIS2’s anticipated impact in better securing organizations from cyberattacks — in the EU and beyond.

“NIS2 is a successful step and a good start to guarantee the resilience of the infrastructure of organizations and ensure that critical companies advance in compliance with regulations,” Prusch says. “Europe has an advantage in technological regulation and its initiatives are laying the groundwork for other countries to follow. In fact, other countries are already trying to regulate their respective markets, and this is very positive.”

Asked about the different approach between Europe and the US in regulating the IT market and, in particular, cybersecurity, Prusch replies: “I think that, in many respects, Europe is doing a good job in this area. And it is complex because of the large number of very different states that are part of the EU. In the United States, where we have more states but with the advantage of belonging to a single country, we must learn in this regard because we are not doing a good job in influencing other countries in South America or Central America, even in Canada. The EU approach to regulation is a good example for the United States and for the rest of the countries that want to start adopting regulations in this regard.”

That said, ISACA’s CEO continues, the problems that exist in cybersecurity are so widespread that, “although regulation is a good step, it is not the only one.”

It is essential, Prusch explains, that “organizations develop more cybersecurity talent, identify the gaps they have, equip themselves with more qualified workers, ensure they have the appropriate certifications and training to support this strategy.”

Because, he adds, “cybercriminals and threats [driven by artificial intelligence] continue to evolve.”

Esther Macías

Esther Macías is editorial director in Spain of the digital titles COMPUTERWORLD (which also includes the CSO and DealerWorld brands) and CIO, publications of the international media group Foundry aimed at technology professionals and executives.
