NIS2 Directive: Cybersecurity Is a Joint Responsibility

Mindful of increasing digitalization and the growing impact of technology, Europe is preparing for the digital age. Unambiguous European regulations, directives and rules are of major importance to the digital society and economy. In this light, organizations should not see the NIS2 directive merely as additional regulatory burden but primarily as an opportunity, argue Elly van den Heuvel and Simone Pelkmans of Deloitte. Plus: how to get started in five steps.

First, the necessary details. NIS2 (the second Network and Information Security Directive) is the successor to the 2016 NIS Directive (NIS1). It lays down legal rules for cybersecurity in the essential and important sectors of the European economy and society, and it revolves around two core obligations. First, the duty of care: organizations are obliged to carry out their own risk analysis and to take appropriate measures to protect their networks and information systems and to ensure continuity. Second, the duty to report: significant incidents must be reported to the regulator, starting with an early warning within 24 hours, followed by a fuller incident notification within 72 hours and a final report within one month. Soon, NIS2 will apply to a large proportion of organizations in the EU member states, including their supply-chain partners and suppliers. Examples include players in energy supply, transport, financial services, healthcare, food supply, utilities, data centres and cybersecurity services, but also governments. The directive itself defines the criteria for applicability and identifies the sectors involved. Incidentally, the distinction between 'essential' and 'important' entities is smaller than one might think: the duty of care and the duty to report apply to both, and the difference is that an 'important' entity is supervised by the regulator only after the fact (ex post) rather than proactively, and the maximum fines are lower.

Given the international news, there is no better time to draw attention to the tightening of cybersecurity policy. The directive is about much more than the commercial use of technology. It should help maintain our open, free and secure economy and society. That requires a robust and cyber-resilient digital infrastructure to keep everything running, but also protection of the intellectual property on which our economic growth depends. This is everyone's responsibility; it could even be argued that organizations that are non-compliant detract from, or may even threaten, that resilient, open, free and secure society. Translated to your own organization: all employees must feel responsible for cybersecurity in the organization. This can only be achieved by working together.

For whom?
As far as we are concerned, NIS2 is not an issue for one particular team, let alone for a single officer. The directive explicitly addresses the responsibility and accountability of management bodies. This means that both the management board and the supervisory board must know what NIS2 entails so that each can assume its own responsibilities. Personal liability is included in NIS2 for a reason.
In this respect, 'knowing' what NIS2 entails is somewhat similar to the financial knowledge one expects from directors and supervisors. The difference is that the world of technology and cybersecurity changes much faster and more radically than anything related to corporate finance. And because digital technology connects everything to everything, the impact of a cyber incident on the organization, and not infrequently on society as well, is often many times greater than that of a disappointing financial year.

Unconsciously incompetent
It is crucial to increase the number of directors, but also employees, with expertise in this field. Continuous education is essential for this purpose. We mean this literally: training and education, including the ability to translate the language of technology into company policy. Insufficient training is therefore itself a business and compliance risk. It is no longer enough for the CISO to report once a quarter that 18 of 20 incidents have been resolved. Directors need to become proficient in cybersecurity, and that proficiency does not stop at the boundaries of the organization: they must also ascertain the state of their suppliers.
CISOs and CIOs play a crucial role in providing board members with the right (steering) information so that they can take the right (investment) decisions. They have an obligation to translate this into understandable, up-to-date and reliable information for their fellow board members and for the supervisory board.

Getting started in five steps
Because NIS1 has existed since 2016, larger vital organizations in particular will already have built up their cyber resilience, making them largely compliant. But for the organizations to which NIS2 is new (estimated by the authors at more than 10,000 large and medium-sized companies), there is uncertainty about what NIS2 means in concrete terms. For this group it is challenging to determine the right actions and to build a business case for them. And if you outsource something in this area to a service provider, what can you expect from it, and which responsibilities remain with you?

How to get started after reading this article?
Step 1: Obtain detailed insight into the current situation compared with the new obligations by means of an NIS2 assessment, and do not forget to take into account what you have already set up for privacy, such as data-breach reporting under the GDPR.
Step 2: Identify where the gaps in defense are and address them in a structured manner with the help of a multidisciplinary team. Recognize that there are also procurement and legal aspects associated with the implementation of NIS2.
Step 3: Organize boardroom training sessions.
Step 4: Ensure that employees become allies in creating cyber resilience through awareness training.
And finally step 5: Establish cybersecurity management regarding relationships and contracts with your supply chain. Work together to make the chain cyber resilient, for example by sharing information.

It is a missed opportunity to view the NIS2 directive solely as 'more regulatory burden'. It also presents opportunities. Digital resilience makes an economy a safe place to do business and enables us to innovate to the full, so that we remain competitive on the global stage. A company that prioritizes cyber resilience safeguards its business continuity and can integrate innovations and new processes securely. Companies that are compliant and are either acquiring or being acquired can move much faster. From the introduction of the GDPR we learned that, during acquisitions or mergers, the data management of the new entity could sometimes force data integration to be postponed, with consequences for the anticipated synergy benefits.

What next?
Because NIS2 is a directive, EU member states are required to transpose it into national legislation. The deadline is October 17, 2024. From that date onwards, companies and institutions covered by the NIS2 directive must comply with a series of obligations. These include conducting risk assessments, implementing adequate policies (from training and education to arranging adequate IT security) and reporting incidents to the regulator in a timely manner. The regulator's approach is expected to be similar to that under the GDPR. The fines that can be imposed are comparable as well: for essential entities up to 10 million euros or 2 percent of worldwide annual turnover, whichever is higher (for important entities up to 7 million euros or 1.4 percent). In the authors' view this is comparable to the average financial damage suffered by an organization in a serious ransomware incident.

Make the most of your time
There has recently been an announcement of a delay in transposing NIS2 into national law. This sometimes prompts the response that 'there is still plenty of time'. But the vast majority of the NIS2 directive, assume 95 percent, is already known. Directors can therefore already inform themselves about what lies ahead for their organizations, and they will realize that they need time to make their organization compliant: conducting an assessment, implementing policies and possibly making investments. Against the illusion of 'some extra time' stands the reality of a shortage of specialists in the field. In short, those who are wise will use the time that is available now. If extra time becomes available because the government has announced a delay, that is a bonus. In any case, not acting now will prove to be a setback.

Essay by Elly van den Heuvel, Director Cyber Risk Advisory at Deloitte Netherlands, and Simone Pelkmans, Partner Risk Advisory at Deloitte. Published in Management Scope 03 2024.