By the International Cyber Threat Task Force (ICTTF), 30 September 2024
In today's interconnected world, cyber risks are no longer just a technical concern – they are a boardroom issue. If you are in a senior executive role, you are responsible for steering your organisation through a complex landscape of compliance, risk, and reputation. The NIS2 Directive – formally known as Directive (EU) 2022/2555 – is set to reshape that landscape, and it’s time to ask yourself: why should I care?
What is NIS2?
The NIS2 Directive is a major update to the European Union’s cybersecurity legislation. It builds upon the original Network and Information Security (NIS) Directive but extends its scope, introducing more stringent requirements, and raising the stakes for organisations in critical sectors.
By 18 October 2024, EU Member States are required to transpose NIS2 into national law. Following that, businesses across the EU, as well as those outside the Union providing services within its borders, will need to comply with the new standards once national laws take effect. Compliance deadlines may vary slightly depending on how quickly each country enacts the directive.
Unlike the General Data Protection Regulation (GDPR), which predominantly targets personal data protection, NIS2 is squarely focused on cybersecurity. It applies to organisations that provide essential and important services – ranging from energy providers to financial institutions and digital infrastructure operators. While GDPR might impact more businesses globally, NIS2 will set the standard for cybersecurity frameworks across the EU and beyond. And like GDPR, the penalties for non-compliance are significant.
Why should you care?
1. It’s a legal requirement – no exceptions
As an executive, compliance is non-negotiable. NIS2 is a legal mandate and failure to meet its requirements can result in severe penalties. For essential entities, fines can reach up to €10 million or 2% of annual global turnover. For important entities, the penalties can be as high as €7 million or 1.4% of annual global turnover, making non-compliance financially significant for larger organisations.
Beyond fines, there are the "qualitative" risks to reputation. Cyber incidents don’t just damage systems; they undermine trust. In today’s world, trust is the currency of the digital economy. NIS2 makes it clear that if you are top management, you will be held accountable for any failings in cybersecurity measures.
2. Board-level accountability and personal liability
The NIS2 Directive has a clear message for executives: cybersecurity is your responsibility. This isn’t a function that can be delegated to the IT department. You, as a leader, are expected to approve, oversee, and ensure the implementation of robust cybersecurity frameworks.
Top management can be held accountable under NIS2 for failing to ensure the organisation's cybersecurity posture. While personal liability could result from negligence, the enforcement and legal consequences will depend on the specifics of national laws.
It’s essential, then, that the boardroom takes a hands-on role in ensuring compliance. Your part in this is not just advisory; it’s actionable. If something goes wrong, the directive makes it clear: the boardroom will answer for it.
3. Your organisation’s resilience is on the line
Let’s be blunt. Cyberthreats are not an 'if' scenario; they’re a 'when'. From ransomware to sophisticated supply chain attacks, the risks are growing exponentially. NIS2 compels organisations to take a risk-based approach to cybersecurity, ensuring that your defences are not just theoretical but are practical, adaptive, and resilient.
NIS2 requires a comprehensive evaluation of risks, covering not just your own systems but your entire supply chain. This directive brings a sharp focus on supply chain security, acknowledging that many breaches originate from vulnerabilities within third-party partners and suppliers. You need to ensure that they are held to the same stringent standards.
4. Incident reporting is mandatory – and timely
When an incident occurs, timing is everything. NIS2 obliges organisations to report significant incidents through a phased approach. An initial notification must be sent within 24 hours of becoming aware of the incident, followed by a more detailed report within 72 hours. Delaying or failing to report can exacerbate legal penalties and damage your reputation even further.
What qualifies as a significant incident? Any breach that disrupts operations or compromises the integrity of your network and information systems. For an organisation under NIS2, there is no room for discretion here. You will need the mechanisms in place to detect, assess, and report these incidents swiftly and accurately.
What should you do?
- Engage senior management: Ensure that cybersecurity is a regular agenda item in board meetings. Leadership involvement is critical for setting the tone at the top and securing the resources necessary for effective implementation.
- Implement a cybersecurity risk management framework: This is the backbone of NIS2 compliance. You need a structured approach to identifying, assessing, and mitigating risks. This framework should encompass technical, operational, and organisational measures.
- Strengthen supply chain oversight: Cybersecurity is only as strong as its weakest link. Ensure your suppliers and third-party providers are subject to rigorous cybersecurity standards, and incorporate security clauses in contracts.
- Establish clear incident reporting mechanisms: Equip your organisation with the tools and processes to detect and report incidents quickly. This not only protects your business, but is a critical element of NIS2 compliance.
- Continuous training and awareness: NIS2 requires that all levels of the organisation, including senior management, are regularly trained on cybersecurity risks. It’s not enough to be reactive – you must foster a proactive culture of cybersecurity.
Get involved and learn more
Cybersecurity is no longer just about firewalls and antivirus software – it’s about risk management, resilience, and reputation. NIS2 makes it crystal clear that the responsibility for cybersecurity sits at the top, and as a senior executive, your involvement is crucial.
Why should you care? Because the risks to your organisation’s operations, its reputation, and your personal accountability are real. NIS2 is not just another regulatory burden – it’s an opportunity to protect your business from the very real dangers of the digital age.