The Countdown is Over! It’s Time to Act on NIS2 Today

Anita Molitor


Anita Molitor, Cyber Risk and Insurance Specialist at GrECo Specialty discusses the benefits of NIS2 and explains why businesses shouldn’t wait for the new law to be passed before acting. 

 
The NIS2 deadline is looming large, and whilst many simply see this new directive as a hassle and extra work, it actually offers companies a solid framework to protect themselves against cybercrime.

Surge in Cyberattacks Reaches Alarming Levels 

For years, cybersecurity experts have been trying to raise awareness of the dangers of cybercrime, and yet sadly there are still some who don’t believe in the risks of the digital age. Stealing money (or data) from businesses or individuals is a very easy exercise, and unlike the physical world, a burglary next door does not mean you are safe at home. If a cyberattack targets a company in your supply chain, it will likely impact you too, because of the interconnected nature of your operations.
 
Allianz wrote in its recent Cyber Security Trends paper that in “2023 there was a 143% increase in the number of ransomware victims globally during the first quarter”. And according to the IBM Cost of a Data Breach 2023 report, the average cost of a data breach in 2023 was USD 4.45m, a 15% increase over three years.
 
Cybercrime is a booming industry, costing companies a fortune. By 2025, damages from cyberattacks are projected to reach USD 10 trillion. With cybercriminals raking in billions, it’s clear they won’t be stopping anytime soon. 
 
In the face of these eye-opening statistics, the European Commission has been forced to review NIS1 and replace it with the stricter NIS2. The deadline to transpose the directive into national law is 17 October 2024.
 
In Croatia, Hungary, and Belgium this has already happened. In Austria, Slovenia, the Czech Republic, Poland, Latvia, Finland, Germany, Luxembourg, the Netherlands, Slovakia, and Cyprus a draft law has been published. In other countries, a draft is yet to be introduced. As the October deadline rapidly approaches, this status is changing every day.

NIS2 Highlights and the Incident Notification Timeline 

15 industries are affected by NIS2, and the directive divides the affected sectors into two groups:

Sectors of high criticality:

  • Energy, transport, banking, financial market infrastructure, health, drinking and wastewater, digital infrastructure, public administration, and space.

Other critical sectors:

  • Postal service, waste management, chemicals, food, production, digital providers, research organisations.

Furthermore, it’s important to distinguish between Essential and Important Entities. An Essential Entity operates in one or more of the sectors of high criticality and has more than 250 employees or an annual revenue of over €50 million. An organisation is an Important Entity if it operates in one or more of the sectors of high criticality or one or more of the other critical sectors and has more than 50 employees or an annual revenue of over €10 million.
 
Despite these relatively well-defined classifications, there’s always a but! NIS2 comes with a series of appendices, which make things less clear cut. For example, a DNS service provider is classed as an Essential Entity regardless of its size, meaning small businesses may still fall within the scope of NIS2. Those who are unsure should check with a lawyer to see whether their company is affected.
 
If there is an incident which has a ‘significant impact’ on the provision of services, a company must notify the relevant competent authority or CSIRT (Computer Security Incident Response Team). The first notification, a so-called early warning, is due within 24 hours. An official incident notification must follow within 72 hours, and a final report must be submitted within one month of the incident being closed. This early warning system and reporting timeline means everyone in the supply chain, including clients, is aware of the situation and can act appropriately.

Cyber Security Risk Management Measures 

NIS2 requires a minimum of ten measures to manage risk and to prevent or minimise the impact of incidents on a business and its suppliers and clients:

  • Risk analysis and information system security
  • Incident handling
  • Business continuity measures (back-ups, disaster recovery, crisis management)
  • Supply chain security
  • Security in system acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Basic computer hygiene and training
  • Policies on the appropriate use of cryptography and encryption
  • Human resources security, access control policies and asset management
  • Use of multi-factor authentication, secured voice/video/text communications and secured emergency communication systems

Management to be Held Culpable 

Cybersecurity is not just an IT issue; it requires top management’s understanding and involvement in risk management and decision-making regarding cyber resilience. Ultimately, top management approves the budgets for IT and cybersecurity training for employees. Non-compliance can lead to serious consequences, including liability, temporary bans, and hefty administrative fines.  
 
Essential Entities face fines of at least EUR 10,000,000 or 2% of their worldwide annual turnover, whichever is higher, for non-compliance. Important Entities can be fined at least EUR 7,000,000 or 1.4% of their global annual revenue, whichever is higher.

What Are You Waiting For? 

The most crucial action to take right now is not to wait for the law. Hackers won’t wait for regulations to be enforced before attacking, so begin preparing for NIS2 today. It’s never too early to enhance your cyber resilience. 
 
Use the NIS2 framework and check your IT system. If you need assistance, our sister company, Certainity, can help you through all the technical requirements, but you will need to allow time for this.   
 
Ask your legal department which sector your company falls under and get in touch with your risk consultant to discuss the relevant insurance to mitigate against the risks for directors and officers and against cyberattacks. 
 
And, last but not least, assign responsibility for NIS2 compliance to a designated person or team. Their specific role will be to monitor compliance with the NIS2 directive and coordinate the IT and legal teams to ensure standards are being met.
 
Regardless of how you feel about the additional paperwork NIS2 entails, its purpose is clear: protection. It will bolster business cybersecurity, heighten awareness, and enhance cooperation among Member States, making us more resilient. We must be ready. The countdown is already over! 
