NIS2 is now in force around the EU – can business keep up with new compliance obligations?
The EU’s flagship cyber resilience framework NIS2 is finally here, but research indicates businesses are not ready, with compliance officers facing a herculean task
NIS2 has officially come into effect, with EU member states transposing the directive into law on 17 October, but are businesses prepared for their new compliance obligations?
NIS2 is an expansion of the legal framework set out in NIS1 aimed at uplifting the cyber resilience of operators of essential services in the EU, outlining a set of reporting obligations and security measures organizations must adhere to.
The second iteration of this directive expands the range of entities that will now be subject to regulatory oversight, which now includes manufacturing firms, postal services, food suppliers, and digital service providers.
The framework is estimated to impact 160,000 organizations in the EU, and while entities based in the UK and beyond are not strictly bound by NIS2, if they wish to continue doing business in the EU they will also need to get their house in order.
Compliance officers will have been working tirelessly since NIS2’s announcement to ensure all relevant stakeholders in their organization of what the new rules mean for them, but research indicates they have had their work cut out for them.
A study from compliance specialist Skillscast found compliance professionals have been under immense pressure to ensure leaders know where they stand in relation to NIS2.
The results showed one compliance professional could be entrusted with the data of up to 14,315 people, calculated using the organization’s total number of staff and customers.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Using data from LinkedIn, Skillscast also found compliance professionals constitute just 3% of the overall workforce in FTSE companies, but are tasked with ensuring a large swathe of these employees are aware of their responsibilities regarding new government policy.
Business are struggling with complexity of implementing NIS2
Patrick Scholl, head of OT at Infinigate, emphasized that getting one’s organization adequately compliant under NIS2 had been - and will continue to be - a pain-staking process, particularly as they are at varying stages of cyber readiness.
“Companies impacted by these regulations should start the implementation process sooner rather than later, as achieving NIS2 compliance may demand considerable time and effort, particularly with organizations being at different stages of cybersecurity readiness.”
A survey from Irish law firm Mason Hayes & Curran published two days before the deadline for EU member states to codify NIS2 into law revealed businesses in Ireland were far from ready for the new legislation.
The results stated 38% of Irish businesses reported they would not be ready by the 17 October deadline, with the same number noting they had not updated their security policies.
Asked what was hindering their compliance efforts, 67% of respondents identified the complexity of implementing NIS2 as a security framework as the biggest challenge facing their organization.
The survey also found that 25% of Irish businesses expressed they were not confident in their organization’s ability to meet their new reporting obligations under NIS2, which requires incidents to be disclosed to the relevant authority within 24 -72 hours of detection.
Mike Smith, director of Engineering and Security at Qodea, added that he thinks the new requirements for businesses to secure their supply chains will be the biggest challenge for organizations, noting non-compliance could be costly.
“NIS2 also includes some significant changes to how supply chain security is handled, which is an area that many organizations continue to face difficulties in — despite it being an area of particular interest to malicious actors. This is likely to be the most challenging area for companies to adapt to across the board,” he explained.
“It will be crucial for organizations in all industries to maintain visibility and transparency in their interactions with suppliers and partners. This must also be coupled with a robust process for due diligence of onboarding and ongoing governance. There is zero room for error when it comes to complying with regulations as sweeping and important as NIS2."
More from ITPro
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.