The EU’s NIS2 directive came into force on October 17, 2024. Notis Iliopoulos, VP MRC at Obrela, explores the latest cyber resilience Directive’s pros and cons and suggests an alternative route the UK government might consider in developing its cybersecurity framework post-Brexit.
The NIS2 Directive, which builds upon the original Network and Information Systems (NIS) Directive, aims to enhance the cybersecurity posture of critical sectors across the European Union.
The original 2016 NIS Directive aimed to enhance the cyber resilience of EU Member States by establishing common security standards and incident reporting requirements for critical infrastructure and digital services. However, its implementation proved challenging, leading to fragmentation across the internal market. Each Member State was given considerable flexibility in interpreting and applying the directive, resulting in varying levels of compliance, inconsistent regulatory approaches and differing cybersecurity practices across borders.
It became apparent that this lack of uniformity created complexities for organisations operating in multiple countries, hindered effective cross-border cooperation and reduced the overall effectiveness of the directive in creating a cohesive and secure digital environment across the EU.
More Cohesive EU Cybersecurity
As analysis from Global Regulatory Insights puts it: “The [original] NIS Directive makes an earnest attempt to foster cross-border cooperation for bolstering cybersecurity within the European Union. While it has made notable strides in promoting information sharing and mutual assistance, certain limitations, chiefly operational complexities and resource constraints, still need to be addressed. With the directive undergoing review and updates, there is an opportunity to refine these mechanisms to create a more cohesive and effective cybersecurity environment across the EU.”
So, in 2021, the EU proposed a new, more encompassing directive, NIS2, which would address the issues relating to the original directive while strengthening security requirements, addressing supply chain security, streamlining reporting obligations, creating more stringent supervisory measures and stricter enforcement requirements, and standardising penalties.
NIS2 officially entered into force in January 2023 – underlining the urgency of the new Directive – with Member States being given until October 17, 2024, to incorporate it into national law.
Stricter cyber security
NIS2 attempts to address the emerging threats and vulnerabilities organisations face, mandating stricter cybersecurity measures and greater accountability. But, while offering several strengths in bolstering cyber resilience, it still has some weaknesses.
One of the new directive’s primary strengths is its comprehensive approach to cybersecurity. It significantly broadens the scope of entities required to comply, including medium and large organisations in more sectors than its predecessor. By extending the directive’s reach to cover a wider range of services, NIS2 ensures that more essential and important entities are adequately protected against cyber threats. It also introduces more stringent security measures and incident reporting requirements, compelling organisations to adopt a proactive stance on cybersecurity. This is crucial, as cyber threats are growing in both volume and sophistication, and businesses need to be resilient in the face of persistent cyberattacks.
NIS2 is the latest attempt to bring a unified standard to cybersecurity across the EU, which can reduce fragmentation and improve the overall security posture of member states.
By harmonising cybersecurity regulations, NIS2 aims to create a level playing field, where all entities are subject to the same rules and standards. This not only simplifies compliance for organisations operating in multiple EU countries but also fosters cross-border cooperation in tackling cyber threats, which are often transnational in nature. In doing this, NIS2 enhances collective cybersecurity efforts, enabling better sharing of threat intelligence and coordinated responses to incidents.
NIS2 Weaknesses
But while NIS2 has its merits, it is not without its weaknesses. One of the key criticisms of the directive is its potential to place a significant burden on organisations, particularly smaller entities that may lack the resources to implement and maintain the required security measures. While the directive aims to exclude micro and small enterprises, the expanded scope to include medium-sized entities may still pose challenges. Costs associated with compliance, including investments in technology, personnel, and training, can be substantial. For organisations operating on thin margins or with limited cybersecurity expertise, these requirements may become overwhelming, potentially leading to reduced competitiveness or even non-compliance.
Another perceived weakness of NIS2 is the directive’s prescriptive nature, which may not fully account for the dynamic and rapidly evolving nature of cyber threats. The directive mandates specific security measures and reporting procedures, which, while necessary to some extent, can also lead to a ‘checkbox’ mentality among organisations.
Rather than fostering a culture of continuous improvement and adaptation, organisations might (have to) focus on mere compliance, potentially neglecting the broader strategic aspects of cybersecurity. Reliance on standardised measures may not always align with the unique risk profiles and needs of different sectors or organisations, resulting in a lack of flexibility in addressing diverse cybersecurity challenges.
The UK Opportunity
Given these strengths and weaknesses, the UK, no longer bound by EU directives post-Brexit, has an opportunity to chart its own path in cybersecurity regulation. Rather than adopting NIS2 wholesale, the UK government might consider an approach that balances regulatory oversight with flexibility and innovation.
A potential alternative route, for example, might involve a more risk-based, outcome-focused framework, where the emphasis is placed on achieving specific security outcomes rather than adhering to rigid requirements.
This approach would allow organisations to tailor their cybersecurity strategies to their specific risk profiles and operational contexts, promoting a culture of continuous improvement rather than mere compliance.
The UK could also encourage greater collaboration between the public and private sectors, fostering an environment where threat intelligence is shared openly, and best practices are developed collectively. By adopting a more adaptive and collaborative approach, the UK could not only enhance its own cybersecurity posture but also position itself as a leader in cybersecurity innovation on the global stage.
The UK could also focus on incentivising organisations to invest in cybersecurity by offering financial support, tax breaks or other benefits to those that demonstrate robust security practices.
Such measures could help alleviate the burden of compliance costs, particularly for smaller entities, while encouraging a proactive stance on cybersecurity. By aligning incentives with desired outcomes, the UK government could foster a more resilient and secure digital environment, where organisations are motivated to go beyond the minimum requirements and continuously enhance their security capabilities.
While the NIS2 Directive certainly presents a well-considered, robust framework for enhancing cybersecurity across the EU, it is not without its flaws. The directive’s prescriptive approach and the potential compliance burden on organisations highlight the need for a more balanced strategy.
The UK, with its newfound regulatory independence, has an opportunity to take a more flexible and innovative approach, focusing on risk-based outcomes, collaboration and incentivisation. By doing so, the UK can not only ensure a strong cybersecurity posture for its own organisations but also set an example for other nations to follow in the global fight against cyber threats.
How can Obrela help with the compliance challenges?
It is essential to view compliance as an integral component of the wider governance framework, grounded in international standards and best practices. Approached holistically and through a structured, risk-based method, compliance with NIS2 (and other regulatory requirements) can become a tool for improving security effectiveness, turning the compliance programme into a competitive business advantage.
Obrela focuses on maximising the effectiveness of the required cyber security controls by driving their adoption rather than simply implementing them. Obrela combines business-focused risk management with threat detection to deliver real-time cyber defence and Governance, Risk & Compliance (GRC) orchestration.
Comprehensive, proactive cybersecurity measures, such as those offered by Managed Detection and Response (MDR) and MRC, are essential for meeting both the letter and the spirit of the directive. The enterprise governance and compliance management capability of MRC connects all major elements of Information Security Management, from framework establishment and maintenance to continuous monitoring and review, delivering a platform specifically designed for Information Security Governance and Compliance. MDR services, meanwhile, help prevent incidents from escalating by detecting them early and mitigating the damage. With continuous monitoring and immediate response, businesses are able to stay compliant with DORA’s resilience and reporting requirements while strengthening their overall security posture.