Blog Post

Expanding Cyber Risk Management Accountability in the EU With NIS2

March 19, 2024

Table of Contents

TL;DR

  • The EU's NIS2 Directive, proposed in 2022 and enacted in October 2024, legislates the need for comprehensive cybersecurity regulations across diverse industries.
  • NIS 2 updates seek to protect critical EU services against cyber attacks and enhance cyber risk management practices, helping to safeguard market stability.
  • Managers are now personally liable for compliance, extending beyond timely, detailed incident reporting to investing in adequate cyber risk management measures.
  • Non-technical stakeholders' mandated increased involvement in cybersecurity matters demands that they develop stronger relationships with chief information security officers (CISOs) and their organization's respective cybersecurity leaders. 
  • To facilitate this collaboration, ensure compliance, and create high-end resiliency programs, organizations should adopt an on-demand CRQ solution that can translate cyber risk into broader business terms. 
  • Thanks in large part to the NIS2 Directive, business success in the EU now depends on effective communication between CISOs, the C-suite, and the board, which can only be achieved once everyone speaks the same language. 

More Comprehensive European Cybersecurity Regulations

No organization, no matter the industry, is exempt from suffering from a cyber attack. The European Union formally recognized this modern-day reality in late 2022 when it published Directive (EU) 2016/1148, more commonly known as the NIS2 Directive. As an updated version of the original directive enacted in 2016, this newer, sweeping cybersecurity regulation expanded its original scope to encompass even more business sectors.

When NIS 2 officially comes into effect in October 2024, executives will have already needed to invest heavily in upgrading their organization's cyber risk management processes and incident response plans, tasks much easier to legislate than comply with. Indeed, notoriously technical cybersecurity matters have traditionally been left to be dealt with by those with relevant expertise.

But as the market becomes more digitally intertwined and the threat of a cyber catastrophe looms large, the EU has determined that this delegation is no longer acceptable. This situation has left many corporate leaders in the sticky position of quickly needing to understand the ins and outs of cyber risk, simultaneously placing new demands on the organization's chief information security officer (CISO) or relative cybersecurity leader.

A Shared Language for a Shared Cyber Responsibility

By leveraging financial cyber risk quantification (CRQ) and translating the more technical terminology of cybersecurity into a broader business language, CISOs can significantly streamline this new responsibility, helping executives adhere to the NIS 2 Directive.

With the common vocabulary, key stakeholders are equipped to collaborate, ensuring cybersecurity initiatives not only keep the organization secure and resilient but also enable growth. The EU's underlying sentiment is that it's going to take a concerted effort to protect the market against malicious cyber actors, and with CRQ, such teamwork can transpire.

What Is the NIS2 Directive?

The NIS 2 Directive is an updated European Union regulation that seeks to protect organizations within the EU that provide critical services against cyber attacks, bolster cyber risk management programs, and create best-practice standards within the region. NIS 2 has much stricter requirements than its predecessor, including new disclosure obligations and enforcement procedures for a wider scope of industries.

NIS 2’s Enhanced Cybersecurity Risk Management Rules

A major component of the NIS2 Directive is the enhanced emphasis and explicitness of the cybersecurity measures that all entities must adhere to. The upgraded language focuses on ensuring organizations proactively protect their networks, information systems, and physical environment against cyber attacks or malicious actors. 

NIS 2 requires companies, regardless of size, revenue, and industry, to define and document:

  • Risk analyses and IT security policies
  • Incident handling procedures
  • Business continuity plans 
  • Third-party service provider security measures
  • Processes for assessing current cyber risk 
  • Training and awareness programs for staff
  • Access control management and two-factor authentication requirements

Which New Industries Must Now Adhere to the Upgraded NIS 2 Directive?

Among the new business sectors that must now adhere to the upgraded policy are:

  • Public Administration
  • Postal Services
  • Waste Management 
  • Manufacturing

See here for the full list of the 15 industries that are now subject to the EU's NIS 2 cybersecurity standards and the full text of the NIS2 Directive.  

NIS 2 distinguishes entities between "highly critical" and "other critical," as well as between "essential" and "important.” Organizations across the now-included industries are classified according to the type of services they provide, the number of employees, and annual revenue. This classification determines the level of scrutiny they will face for cybersecurity evaluations, as well as the amount they need to pay should there be non-compliance. 

Essential Entities

"Essential" entities are those organizations that operate in highly critical sectors, such as energy and transportation, employ more than 250 people, and have a balance sheet of a minimum of €43 million. Trust service providers, DNS entities, and public electronic communications vendors also fall into the essential category. Essential entities can, and most likely will, be proactively supervised to ensure compliance. 

If found in violation of the NIS2 Directive, essential entities can be fined, at minimum, €10,000,000 or 2% of their global revenue.

Important Entities

"Important" entities, in contrast, refer to all other critical organizations that don't meet the "essential" framework, meaning those with fewer than 250 employees and a balance sheet of less than €43 million. The primary difference, in terms of accountability, is that important entities are scrutinized for compliance "after the fact," meaning authorities will take action only if there's reason to believe non-compliance has occurred.

If found in violation of the NIS 2 Directive, important entities can be fined, at minimum,  €7,000,000 or 1.4% of their global revenue.

How Does NIS2 Increase Corporate Responsibility?

One of the most noted changes of NIS 2 is the imposition of direct obligations and subsequent consequences on management positions within an organization, regardless of essential status. Under the regulations, managers are considered senior stakeholders who are qualified to act as entity representatives, have the authority to make decisions, or can exercise some measure of control.

These management figureheads can be held personally liable for failing to comply with the regulations, which not only includes neglecting to report an incident but also falling short of investing in the necessary cybersecurity risk management initiatives. Moreover, in certain extreme cases, compliance failure may result in suspension and even disbarment from board and C-suite roles.

NIS 2’s Cyber Event Reporting Obligations

Adequate and timely incident reporting is another key component of NIS2. According to the regulations, organizations must disclose any cyber attack that has caused a "significant" impact, which is defined as having caused severe operational disruption or financial loss or having caused considerable "material" or non-material damage to other persons. 

The attacked entity must file an initial report within a day of becoming aware of the significantly impactful incident, which must be followed by a more formalized disclosure within 72 hours. The EU can also demand the organization make a public statement on the incident. Lastly, entities are required to submit a report one month later detailing how they have taken measures to mitigate the issue. 

Defining “Significant” and “Material” Impact

Defining highly subjective terms such as "significant" and "material" is posing challenges to organizations worldwide now faced with new cybersecurity regulations. Indeed, the US SEC and Australia's APRA also demand that registered entities disclose "materially" impactful cyber events to the relevant governing bodies but also, similarly, offer little more direction on how to determine this threshold in absolute terms.

The lack of concrete definition is not wholly unfounded, however, considering "significant" and "material" impact is context-based according to an organization's specific makeup. Still, considering that under the NIS 2 Directive, organizations are compelled to report such incidents within 24 hours, it's crucial that key stakeholders determine quantified loss benchmarks for "significance" long before an event occurs, streamlining the reporting process.

Moreover, with preliminary data-driven figures that can guide "significance" determinations, entities can better ensure compliance. To learn more about calculating loss thresholds for reporting purposes, check out Kovrr's Cyber Materiality Report

Uniting Stakeholders to Ensure NIS 2 Compliance and Cyber Resilience

Although the NIS2 Directive has set forth a slew of upgraded cybersecurity rules, its underlying message rings louder and clearer: It's no longer an option for high-level stakeholders to avoid cyber risk governance. By mandating increased liability, more specific cyber management requirements, and tighter disclosure deadlines, the new legislation effectively demands a greater relationship between these executives and CISOs.

Ultimately, the EU has formally recognized that market stability and resiliency are only going to be achieved once these parties discard the historic barriers between them and start working together to understand how cybersecurity drives the business toward growth and success.

Preparing for NIS2 Compliance With Cyber Risk Quantification

As NIS 2 begins to reshape cybersecurity risk management practices across the EU, it's become imperative for organizations to develop methods and solutions that can bridge the gap between non-technically oriented executive managers and cybersecurity leaders. Unification, alignment, and compliance demand these key stakeholders speak a common language, and with cyber risk quantification, they finally can. 

On-demand CRQ quickly transforms the more complex aspects of cyber risk into broader business terms, facilitating this all-too-necessary collaboration. This translation not only helps organizations ensure they are compliant with NIS 2 requirements but also provides a strategic advantage in navigating a market that is increasingly dependent on cyber activities. As this trend continues to accelerate, CRQ has emerged as the secret to success.

 

To learn more about how CRQ platforms like Kovrr’s can help executives govern cyber risk and ensure cybersecurity alignment, schedule a free demo today or contact our cyber risk experts.

Shalom Bublil

Kovrr Co-founder & Chief Product Officer

No items found.
Industry Recognition