Foot to the floor: what NIS2 means for your business

The SailPoint Blog
| SailPoint | Market Views

Authored by Steve Bradford, SVP, EMEA

In December 2022, the European Union’s updated Network and Information Security Directive, more commonly known as NIS2, came into force. This means that EU Member States will have until 17 October 2024 to put this new law into their national legislation. With just one year to go, businesses must put their foot to the floor when it comes to NIS2 compliance and get ahead on their cyber preparation.

The original NIS Regulations were introduced into national law in 2018. These currently apply to organisations that provide ‘essential services’ (think: healthcare, energy, and transportation) as well as digital service providers (for example, online marketplaces and search engines). The regulations place requirements on those organisations to ensure appropriate security measures to help manage cybersecurity risks, and they impose certain reporting obligations in the case of security incidents.

Yet it is incontrovertible that there is an increased reliance of the economy and wider society on digital services, and this is driving ransomware attacks globally. We also live in a more connected world – ever more linked and complicated supply chains are leading to higher levels of cyber risk. In fact, 90% of companies polled in the latest IDSA survey said they had an identity-related breach in the past year, and 96% believed the breach was preventable.

Organisations and businesses need to integrate cyber resilience into their business models and risk management strategies – and this is where the updated NIS 2 directive comes in.

NIS2 targets all public and private entities operating in the EU that are critical to the economy and society. Sectors such as healthcare, energy, transport, digital infrastructure, financial market infrastructures, the food sector, social networking services platforms, cloud computing services, data centers, and more will fall under the NIS2 directive.

The NIS2 directive strives to deliver a broad, comprehensive, and holistic improvement of cybersecurity across the EU. Whilst much of the onus lies on governments (for example, Computer Security Incident Response Teams will be needed in each country and cross-border cooperation between those bodies for information sharing and where incidents require it), there is still a great deal for businesses to be aware of and prepare for.

All organisations in EU member states should familiarise themselves with the requirements of the directive and begin shaping their cybersecurity strategy over the next 12 months. With just one year to go, businesses must ensure they are both compliant and secure when the updated directive comes into force.

SailPoint recently surveyed 1,500 IT decision makers and found there is still a lot of preparation for organisations to complete. Despite the 12-month countdown underway, only a third (34%) of organisations across the UK, France and Germany have completed preparations for NIS2, according to recent SailPoint research. With fines for non-compliance costing up to €10 million, or 2% of an organisation’s global annual revenue, taking the necessary steps to become compliant must be top of the agenda for businesses.

As the clock ticks, organisations need to put policies and procedures in place for risk analysis, information system security, assessing the effectiveness of cybersecurity risk management measures, and more. Some examples of this include: companies need to ensure access is disabled when employees or contractors stop working for it (obvious enough, right?), companies should not use ‘generic’ accounts (read: accounts that are not tied to a named individual), and granting access to sensitive applications and/or data is subject to approval and risk analysis to prevent toxic situations that could lead to fraud or data leakage.

NIS2 will require senior management to approve the cybersecurity risk- management measures taken and oversee their implementation. And take heed! Under NIS2, senior management can be held liable for any infringements. The new legislation will be far reaching according to a new IDC report, “Identity governance will be a key to NIS2 compliance.” It will impact:

  • Training: The NIS2 directive also stipulates the need for cybersecurity training and awareness for all employees, as well as for the broader ecosystem. Yet three-quarters of EU organisations (72%) still need to provide efficient cyber security training to staff.
  • Supply chain security: The NIS2 directive will mandate coordinated risk assessments of critical supply chains that cover critical ICT services, CIT systems, or ICT products, but almost 4 in 5 (80%) of EU organisations still need to properly secure their supply chains.
  • Cybersecurity assessment: Organisations often struggle to assess the efficacy of their cybersecurity measures or identify vulnerabilities that remain despite those measures. Many organisations struggle to ensure access is promptly rescinded for employees that change roles or leave the company. Managing all these risks must be addressed through a proactive and policy-driven approach. The European Commission recommends that essential and important entities adopt zero-trust principles and identity and access management. Least-privilege access that is implicit through zero trust approaches can be fundamental to managing that access for partners and contractors. However, 76% of EU organisations still need to assess the efficiency of existing cyber measures and three-quarters of organisations also need to add new risk management measures (74%) as well as implement HR security (76%).

European organisations have until October 2024 to conduct NIS2 gap assessments and implement strategies to address the outcomes of those assessments.

Let the implementation of the EU’s General Data Protection Regulation (GDPR) serve as a warning that European regulators are more than ready to penalise businesses that have been dragging their heels when to comes to managing data security, privacy, and cyber risk. The punishments may come in the form of regulatory penalties. Add this to the costs of operational downtime, reputational damage, customer loss, and system restoration that follow any breach, and it becomes quite clear all that is at stake for businesses.

European organisations face an ever-growing burden of management for identities and access, for human and non-human accounts and identities, and for employees, partners, contractors, and customers. The capabilities of legacy identity security solutions are inadequate to address the volume and velocity of identity-related tasks that most organisations must now address. Modern identity security solutions, such as those offered by SailPoint, are changing the game. The artificial intelligence and machine learning-based capabilities offered by SailPoint enable organisations to automate identity processes and build contextual insights to improve the detection of suspicious behaviour and trigger quicker and more impactful responses.

These benefits will be crucial as devices, bots, and all manner of other non-human identities proliferate at a much faster rate than manual capabilities can handle. Proactive and automated identity and access management should be a pillar of every organisation’s cybersecurity risk management strategy.

Not sure where to start? We partnered with IDC to develop a Technology Spotlight Report that uncovers key insights on how identity governance will play a key role in helping organisations attain NIS2 compliance.