It's not surprising that in the last couple of months the requests of “are you EU Network Information Security Directive (NISD) v2 compliant?” are starting to come in. What would seem like a simple GRC yes no question is in fact complex.
Firstly as a cyber security leader you have to wrap your head around what a directive is and what it means. Put in layman's terms a EU directive is a mandate for each EU member state, to take the guiding principles outlined in a directive and generate their own national law. The date for this is the 24th October 2024.
So if anyone tells you today they are compliant, challenge them against what? Until each country turns it into law there simply isn’t something to be compliant against. Yes you could say you are compliant against the principles, but experience shows how these get translated will vary country by country.
You may be thinking why not have one common law, or in legal speak a regulation, such as is the case with GDPR. It is one common set of rules across all member states. In the case of GDPR, it also started as a directive and after all member states reached a certain level of harmonization and consistency it made sense for the rules to be the same. As NIS2 focuses on the protection of key digital services that enable countries to run, it must factor in the current maturity and existing investments/capabilities each member state has already. By being a directive, it ensures all are working towards the same goal, but acknowledges that each member state has a different legal system, and legal and cultural tradition. All that being said the EU aims to ensure better standardization across member states implementations of the v2 of the directive.
So does this mean you don’t need to do anything today? No, you need to start work now, as typically when directives become law the grace period for compliance is short. So I would encourage you to start preparing now. However, from past experience not every country met the deadline to update their laws by the defined deadline, and just as key to consider, if you are working across multiple member states in the EU, you will need to comply to each one's implementation of the directive.
So where should you start?
-
Understand what's changed between the last NIS directive (v1) and the new version (v2). There are plenty of papers covering this. But at the highest level it increases the scope of sectors covered (be sure also to look at the thresholds for each sector - employees in the company, turnover and balance). It also increased the requirements for those organizations that fall under its remit, including more focus on supply chain and response and recovery capabilities. Finally there's little surprise that the repercussions for failing to comply are also increasing.
-
Look at what you already have in place that will help you achieve your compliance, you’re never starting typically from a blank sheet of paper. For example we are currently updating our SoC2 and ISO certifications, these will help on the path to NIS2. Also look at what gaps you believe you will have based on the outlines in the directive.
-
Understand your liabilities. As a cybersecurity vendor that provides software and managed security services, we fall under the ICT Service management scope, which is one of the essential sectors in NIS2. Just as important is that we are in the supply chain of many companies that are in the essential and important sectors as defined in the directive. As such we must assume they will be looking to ensure we meet their requirements. We are therefore vicariously within the scope of NIS2.
-
Get your own legal guidance. Like I suspect many of you, I'm not a legal expert. You will need to have either someone from your own legal team or if not a 3rd party organization, help you truly translate between the legal definitions and how you turn that into a documented strategy that aligns to the requirements.
Some of us are indirectly accountable because we are in the supply chain of those that are. And as such it’s worth spending the time to build out a standard response document. What's new in the NIS2 is the shift from simple contractual validations (Does your cyber security meet our risk requirements YES?NO). To an expectation that security capabilities should be periodically assessed, which is more than simple contractual YES/NO.
Key takeaways
- The countdown for NIS2 to go live into national laws has launched, so now is the time to start to prepare. There are many useful guides for this, here’s a couple to help you get started, from both legal and consulting perspectives:
- Till it becomes law you will be working against the guidelines in the directive, and you won’t be able to be compliant until you see the national implementations that turn the directive into local law.
- Even if you don’t think it applies to you, consider your customers & supply chains if you are likely to be vicariously accountable.
Cybereason falls under this category, and is actively preparing to ensure it helps its customers, partners and supply chain on their journey to become compliant.
