Amidst all the publicity surrounding the drafting, adoption and enforcement of GDPR, it’s easy to forget about a lesser-known set of EU security rules. The directive on security of network and information systems (NIS) was transposed into law in member states just a couple of months after the GDPR came into force. And in many ways, it’s just as ambitious: with a laudable goal to enhance cybersecurity across the EU.
Now the details of its successor have been agreed on, what can we expect from NIS 2? Among other things it will mandate a minimum set of security measures including strong encryption, bring more types of organizations into scope, levy large fines for non-compliance, and even hold individuals responsible.
The text agreed on in May 2022 by the Council and the European Parliament sets out some clear changes from the original directive. These include:
A larger scope: NIS 2 covers organizations in some new sectors including waste water, food, and space, and will apply to all medium and large-sized organizations in the sectors deemed providers of “essential” or “important” services. Some public sector organizations will also be covered.
Updates to sanctions/fines: Authorities in members states will be able to fine serious non-compliance up to 2% of annual turnover, or €10m, whichever is higher.
Strengthened security requirements: NIS 2 introduces a minimum set of baseline measures which all complying organizations must meet. These include:
Individual accountability: This is where things get interesting. The proposals state that senior management personnel may be “held liable for breach of their duties to ensure compliance with the obligations laid down.” If so, it would mark a new level of personal accountability for the success or otherwise of information security programs and truly make cyber risk management a board-level concern. There are even suggestions that erring senior managers could effectively be banned from practicing their trade by national authorities, although according to legal experts there’s still some confusion over the wording of these provisions.
NIS 2 will apply to a huge range of new companies of different sizes in sectors not previously covered by such rules. Moreover, they’ll need to comply with a stricter set of security guidelines or risk major fines and potentially other penalties for senior business leaders. No single technology approach will be a silver bullet for NIS 2 compliance, but data-centric security can be a key enabler of one critical security requirement: strong encryption.
Comforte’s data-centric security approach leverages intelligent algorithms to automatically discover, classify and apply protection (via format-preserving encryption and other technologies) to all enterprise data – regardless of where it resides. In this way, organizations gain peace-of-mind that their corporate crown jewels are protected from data thieves and accidental loss, whilst minimizing compliance risk under NIS 2, GDPR, PCI DSS and other critical regulations.
There’s still some while to go yet on the NIS 2 journey. The directive first has to be formally adopted. Then EU member states will have 21 months in which to incorporate the provisions of the directive into their national law. It’s also assumed the UK will continue to follow the regime. Business leaders and CISOs would do well to start planning their pathway to compliance.