On 14 March, teissTalk host Tom Langford was joined by Jay Moloo, Corporate Information Security Officer, DB Schenker; and Lee Elliott, Director, Solutions Engineering, BeyondTrust.
Views on news
The EU’s second Network and Information Security Directive (NIS2) will not be implemented in time in the Netherlands, the Dutch government has confirmed. NIS2 builds on the original NIS directive which took effect in the EU in 2018. It is broader in its scope than the original directive, meaning more organisations across both the public and private sectors will be subject to cybersecurity risk management and incident reporting obligations than before. Pharmaceutical companies and operators of hydrogen production, storage and transmission are among the organisations that will be subject to the strictest requirements under the tiered system of regulation NIS2 provides for.
NIS2 has more teeth in terms of compliance with the legislation and requires a lot of documentation.
The main problem with NIS1 was that it wasn’t applied consistently. NIS2 also extends the scope to include not only critical infrastructure but certain essential services too. These, together with important services, make up the three main categories of the legislation. Somewhat counterintuitively, critical infrastructure companies haven’t always been spearheading cyber security, so these entities will now have to focus more on improving their defences to comply with NIS2. Highly regulated industries are in a better position to comply, for example those financial institutions that have already complied with DORA.
Can NIS2 make supply chain management easier?
You can achieve a lot with technology to ensure the security of your supply chain, but people, processes and contractual obligations are equally important. You should be able to go on site at your suppliers and audit the cybersecurity controls they have in place. In this sense, NIS2 will be a shake-up, but it’ll be interesting to see how business entities will comply with the regulation. NIS2 can contribute to making the weakest links in supply chains more resilient. For companies operating outside the EU, compliance with the cybersecurity regulations of their own countries can be required. Companies must adhere to 13-14 different types of regulation, from supply chain and HR security to encryption and cryptography, backups and incident handling. Having said that, if a company is ISO 27001 compliant, it is about halfway to NIS2 compliance too.
Another key area of NIS2 is the accountability of top management. There are quite a few horror stories circulating about how C-suite leaders will go to jail, but NIS2 doesn’t say that. What the EU will be entitled to do is shut the service down and take its CEO and representatives out of post if the business repeatedly fails to remediate the vulnerabilities that an audit has pointed out – and only put them back in post when the business has made the required upgrades. SolarWinds executives were taken to court last October, though, for concealing cyber risks prior to a huge cyber-attack.
Although the UK is now outside the EU, UK companies will need to adopt some of its regulations anyway in response to the supply chain and third-party attacks that have taken place. Compliance, however, takes place not only at the level of governments but also of sectors and industries; see, for example, PCI.
The panel’s advice
The EU has published a mapping showing how the ISO 27001 methodology overlaps with NIS2. Bear in mind, however, that the EU website for this is based not on the latest ISO 27001 but on the 2013 version.
ISO 27001 is the best route to entry to NIS2.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543