The next few months are likely to be dominated by the NIS2 Directive in the cybersecurity industry. Let’s find out which article will trigger the most reactions! There are emblematic passages in European cybersecurity regulations that can be found in everything from the press, through sales presentations by major technology [...]
The NIS2 Directive (https://eur-lex.europa.eu/eli/dir/2022/2555) will certainly open a new chapter in Europe’s cyber defence. Although the expectations that all Member States will have to apply it by 18 October 2024 at the latest, details are still poorly understood by the organizations covered by the new legislation. While NIS2 will certainly be discussed on many platforms over the next year and a half, there are a number of details hidden in the text of the legislation that require deeper analysis. Let’s start right away with an introduction to NIS2 and the role of Managed Security Service Providers (MSSPs)!
Today, it is difficult to imagine the secure operation of a modern enterprise’s electronic information systems without the involvement of an external MSSP. This is most evident in the area of incident management, where it is not feasible for most organizations to set up their own Security Operation Centre, as neither the technology, nor the human resources, nor the appropriate process are available, and these would be disproportionately expensive to procure and set up. This fact is also stated in NIS2 (83) which states that „Essential and important entities should ensure the security of the network and information systems which they use in their activities. Those systems are primarily private network and information systems managed by the essential and important entities’ internal IT staff or the security of which has been outsourced. The cybersecurity risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities regardless of whether those entities maintain their network and information systems internally or outsource the maintenance thereof.”
According to the Directive, ’managed security service provider’ means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. But what does this mean in practice? NIS2 imposes a number of cybersecurity tasks on essential and important entities that they may not have dealt with before. Not least because the scope of entities covered by the Directive has been significantly extended compared to previous European and national legislation. By way of example only, organizations which manufacture motor vehicles, trailers and semi-trailers (https://eur-lex.europa.eu/eli/dir/2022/2555#d1e32-148-1) were not necessarily obliged to deal with security measures under Article 21 (2) (https://eur-lex.europa.eu/eli/dir/2022/2555#d1e3337-80-1):
Of course, any legislation is only as good as the amount of compliance, which is why NIS2 introduces the possibility of fines (https://eur-lex.europa.eu/eli/dir/2022/2555#d1e4350-80-1) , similar to the approach taken for GDPR. For example, failure to implement the listed countermeasures for essential entities will be subject to a maximum of at least EUR 10 000 000 or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher. For important entities, this is EUR 7 000 000 or 1.4%.
Building cybersecurity processes is not primarily important for regulatory compliance. In recent years, we have helped to manage a number of incidents where the organization’s management never imagined that they would be the target of a ransomware virus. Having seen first-hand the financial and reputational damage caused by the destruction of such malicious code, we recommend a thorough study of NIS2 because the information it contains can help you build risk-appropriate security before an incident occurs. Considering also the size of the penalty that can be imposed by the national authority, information security in a planned way is certainly a more cost-effective solution than scrambling and fire-fighting. An MSSP, which is also subject to the requirements of NIS2, can be of great help in this respect. But we will write about this and more NIS2 secrets in a future blog post. Stay tuned for more!
Ferrari’s recent incident shows yet again why the automotive industry is a prime target for cybercriminals and ransomware groups – joining a long line of similar attacks including Ferrari’s hit last year, the “Conti” incident of Volkswagen and Audi or [...]
