Cyberattacks are increasing in number and scale, with some predictions suggesting that companies will suffer a ransomware attack every 11 seconds in 2022, up from every 40 seconds in 2016. As a result, businesses must invest more in cybersecurity, both for themselves and their customers.
In light of this heightened risk level, a new EU cybersecurity strategy has been adopted for 2020–2025. Among other things, it proposes a review of the existing Network and Information Security (NIS) Directive with a view to making Europe fit for the digital age and building a future-ready economy that works for the people.
So, what is the NIS2 Directive?
The objective of the revised NIS2 Directive is to achieve a high level of network and information system security within the EU through the following means:
What will member states do to increase their national cybersecurity capabilities? Each member state will adopt a national strategy for the security of network and information systems, which will define the strategic objectives and appropriate policy and regulatory measures.
How will member states cooperate? The NIS2 Directive will establish a 'cooperation group' to support and facilitate strategic cooperation and the exchange of information among member states, and to develop trust and confidence. It will also establish a network of national cybersecurity incident response teams (CSIRTs) to promote swift and effective operational cooperation between member states.
What are "operators of essential services" and what will they be required to do? Operators of essential services are private businesses or public entities with an important role for society and the economy. Under the NIS2 Directive, identified operators of essential services will have to take appropriate security measures and notify the relevant national authority of all serious incidents. Security measures include:
To prepare for the NIS2 Directive, a single, centralised governance structure should be established for your firm's security. This will enable quick responses to compliance requests. Clearly defined ownership of security controls is also important for effective governance.
Although not yet published, the NIS2 Directive will likely remain largely unchanged from its predecessor. Providing awareness training to security staff will ease the transition when the Directive is eventually published.
A cybersecurity health check will provide an up-to-date picture of where your organisation stands. An audit can be the first step on the road to compliance, highlighting potential gaps and creating plans to remediate them.
Not everyone will be affected by the NIS2 Directive. Identifying which partners, clients and suppliers will fall under the remit of the Directive is a useful exercise. Doing so will give you an opportunity to prepare in the event that a change of approach is needed with certain stakeholders.
Contact your trusted cybersecurity advisers for the most up-to-date advice and guidance. Also, leverage what you already have by integrating the NIS2 Directive with existing compliance efforts or initiatives. Finally, build international IT and cybersecurity standards and frameworks into your regulatory compliance framework for easier implementation, testing and monitoring, and to ensure that maximum benefit is derived from existing IT and cybersecurity control programmes.
The NIS2 Directive will affect organisations designated as operators of essential services and digital service providers within the European Union. As a result, it will directly impact the cybersecurity space in Ireland. PwC can help you understand the requirements that affect your organisation, and help you prepare for the future. Contact us today.