Examining The NIS2 Directive From Outside The EU

The NIS2 Directive, which builds upon the original Network and Information Systems (NIS) Directive, aims to enhance the cybersecurity posture of critical sectors across the European Union.  

The original 2016 NIS Directive aimed to enhance the cyber resilience of EU Member States by establishing common security standards and incident reporting requirements for critical infrastructure and digital services.

However, its implementation proved challenging, leading to fragmentation across the internal market. Each Member State was given considerable flexibility in interpreting and applying the directive, resulting in varying levels of compliance, inconsistent regulatory approaches and differing cybersecurity practices across borders.  

It became apparent that this lack of uniformity created complexities for organisations operating in multiple countries, hindered effective cross-border cooperation and reduced the overall effectiveness of the directive in creating a cohesive and secure digital environment across the EU.

More Cohesive EU Cybersecurity  

As analysis from Global Regulatory Insights puts it: “The [original] NIS Directive makes an earnest attempt to foster cross-border cooperation for bolstering cybersecurity within the European Union. While it has made notable strides in promoting information sharing and mutual assistance, certain limitations, chiefly operational complexities and resource constraints, still need to be addressed. With the directive undergoing review and updates, there is an opportunity to refine these mechanisms to create a more cohesive and effective cybersecurity environment across the EU.” 

So, in December 2020, the European Commission proposed a new, more encompassing directive, NIS2, to address the shortcomings of the original directive while strengthening security requirements, addressing supply chain security, streamlining reporting obligations, creating more stringent supervisory measures and stricter enforcement requirements, and standardising penalties.

NIS2 (Directive (EU) 2022/2555) officially entered into force on 16 January 2023, and Member States were given until 17 October 2024 to transpose it into national law, a short window that underlines the urgency the EU attached to the new Directive.

Stricter Cyber Security  

NIS2 attempts to address the emerging threats and vulnerabilities organisations face, mandating stricter cybersecurity measures and greater accountability. But, while offering several strengths in bolstering cyber resilience, it still has some weaknesses.  

One of the new directive’s primary strengths is its comprehensive approach to cybersecurity. It significantly broadens the scope of entities required to comply, bringing in medium and large organisations across more sectors than its predecessor covered. By extending the directive’s reach to a wider range of services, NIS2 ensures that more essential and important entities are adequately protected against cyber threats. It also introduces more stringent security measures and incident reporting requirements, compelling organisations to adopt a proactive stance on cybersecurity. This is crucial, as cyber threats are growing in both volume and sophistication, and businesses need to be resilient in the face of persistent cyberattacks.

NIS2 is the latest attempt to bring a unified standard to cybersecurity across the EU, which can reduce fragmentation and improve the overall security posture of Member States.

By harmonising cybersecurity regulations, NIS2 aims to create a level playing field, where all entities are subject to the same rules and standards. This not only simplifies compliance for organisations operating in multiple EU countries but also fosters cross-border cooperation in tackling cyber threats, which are often transnational in nature. In doing this, NIS2 enhances collective cybersecurity efforts, enabling better sharing of threat intelligence and coordinated responses to incidents. 

NIS2 Weaknesses 

But while NIS2 has its merits, it is not without its weaknesses. One of the key criticisms of the directive is its potential to place a significant burden on organisations, particularly smaller entities that may lack the resources to implement and maintain the required security measures. While the directive aims to exclude micro and small enterprises, the expanded scope to include medium-sized entities may still pose challenges. Costs associated with compliance, including investments in technology, personnel, and training, can be substantial. For organisations operating on thin margins or with limited cybersecurity expertise, these requirements may become overwhelming, potentially leading to reduced competitiveness or even non-compliance. 

Another perceived weakness of NIS2 is the directive’s prescriptive nature, which may not fully account for the dynamic and rapidly evolving nature of cyber threats. The directive mandates specific security measures and reporting procedures, which, while necessary to some extent, can also lead to a ‘checkbox’ mentality among organisations.  

Rather than fostering a culture of continuous improvement and adaptation, organisations might be pushed, by the requirements themselves, to focus on mere compliance, potentially neglecting the broader strategic aspects of cybersecurity. Reliance on standardised measures may not always align with the unique risk profiles and needs of different sectors or organisations, resulting in a lack of flexibility in addressing diverse cybersecurity challenges.

The UK Opportunity 

Given these strengths and weaknesses, the UK, no longer bound by EU directives post-Brexit, has an opportunity to chart its own path in cybersecurity regulation. Rather than adopting NIS2 wholesale, the UK government might consider an approach that balances regulatory oversight with flexibility and innovation.  

A potential alternative route, for example, might involve a more risk-based, outcome-focused framework, where the emphasis is placed on achieving specific security outcomes rather than adhering to rigid requirements. 

This approach would allow organisations to tailor their cybersecurity strategies to their specific risk profiles and operational contexts, promoting a culture of continuous improvement rather than mere compliance.  

The UK could also encourage greater collaboration between the public and private sectors, fostering an environment where threat intelligence is shared openly, and best practices are developed collectively. By adopting a more adaptive and collaborative approach, the UK could not only enhance its own cybersecurity posture but also position itself as a leader in cybersecurity innovation on the global stage. 

The UK could also focus on incentivising organisations to invest in cybersecurity by offering financial support, tax breaks or other benefits to those that demonstrate robust security practices.

Such measures could help alleviate the burden of compliance costs, particularly for smaller entities, while encouraging a proactive stance on cybersecurity. By aligning incentives with desired outcomes, the UK government could foster a more resilient and secure digital environment, where organisations are motivated to go beyond the minimum requirements and continuously enhance their security capabilities. 

While the NIS2 Directive certainly presents a well-considered, robust framework for enhancing cybersecurity across the EU, it is not without its flaws. The directive’s prescriptive approach and the potential compliance burden on organisations highlight the need for a more balanced strategy.  

The UK, with its newfound regulatory independence, has an opportunity to take a more flexible and innovative approach, focusing on risk-based outcomes, collaboration and incentivisation. By doing so, the UK can not only ensure a strong cybersecurity posture for its own organisations but also set an example for other nations to follow in the global fight against cyber threats. 

Notis Iliopoulos is VP of MRC at Obrela
