Let’s be honest. Keeping up with cybersecurity regulations and directives, especially if your organization operates within the European Union (EU), can be really challenging. And NIS2 implementation is no exception.
If you are working in this field, you might already know the reasons that originated this legislation, its objectives, and the risks that organizations face as technology evolves. However, there is a gap between understanding NIS2 and its current implementation. How do we actually implement directives like NIS2? What should we consider? Where do we start?
To outline the process, we invited Morten Eeg Ejrnæs Nielsen (Advisor and Public Speaker on Information Security and Compliance), Wathagi Ndungu (Security Expert at ZEISS Group), and Gennady Kreukniet (CISO and Senior OT Security Consultant at CNV Cyber), three cybersecurity specialists, to discuss the first steps towards implementing the directive, the main challenges facing the cybersecurity field, and some reflections based on their personal experiences.
These are the main highlights of Episode 80 of our podcast, Ticket Volume.
Let’s get into it!
What is NIS2? Background and context
NIS stands for Network and Information Systems. The number 2 at the end of the acronym means that this is a revised version or a second version of the same directive. And what do we mean by directive? Well, a directive, in the context of the European Parliament, is a piece of legislation that sets out specific goals or objectives that all member states must achieve within a certain timeframe.
In this particular case, the NIS2 directive was approved to achieve a high common level of cybersecurity across the European Union. What you should remember is that the directive has a deadline: all EU member states must implement the directive by October 2024. This poses a huge challenge for governments (as they must pass specific laws) and for organizations classified as essential (as they must adapt to the new directive).
Luckily, we reached out to three cybersecurity specialists to find out how they feel about the NIS2 deadline, how it is being implemented, which countries are leading the way, and what needs to be done to achieve such an important goal.
NIS2: Should we be panicking?
As we mentioned earlier, NIS2 implementation is becoming a reality (or will be by next October). But, should we panic? Are we adequately prepared? To start off the conversation, Morten, Wathagi, and Gennady shared their initial impressions of the directive and discussed how different countries are incorporating it into their Compliance Management strategy.
For Wathagi, the prevailing sentiment in the IT community is not anxiety but rather optimism. She thinks that the original directive had a lot of good intentions but fell short due to its limited scope and inconsistent implementation. In her view, NIS2 not only corrects these past issues but may also be setting a global standard for cybersecurity.
However, Gennady added that there are still some issues with the directive's implementation as we approach its deadline, because it requires collaborative efforts from both the Member States and the organizations operating within them. He also made a point about the time it takes for countries to translate the directive into laws, and likewise the time it takes for each organization to adapt to the new regulation.
For his part, Morten also expressed optimism about the possibility of achieving a successful implementation of the directive, as he believes that many of its guidelines should already be part of an organization's strategy. He also showed a lot of excitement about some of the new ideas the directive brings to the table, especially the accountability that rests with management. This is what he said about this particular issue:
Morten Nielsen
Countries that are leading the way with NIS2
There are some European countries that are more advanced with their respective implementation processes. They serve as a reference and therefore a great opportunity for those who are halfway there or encountering some difficulties in meeting the deadline. According to Wathagi, Hungary and Croatia have already implemented laws to follow the directive.
Beyond the countries that have already succeeded in passing their respective laws, the underlying question for the rest is how to initiate their process in an organized manner. According to the experts, there are several alternatives, none of them perfect. It's about exploring different possibilities.
Gennady prefers a “harmonized approach” because it prioritizes efficiency. But he also mentioned, as a possibility, the path chosen by Germany, which has detailed regulations and even an Excel spreadsheet listing many requirements that can be followed. He also said that Belgium recently came up with an implementation guideline.
Biggest challenges for NIS2 implementation
One of the biggest challenges regarding the implementation of the cybersecurity directive is where to begin. Morten came to a great conclusion. It’s really simple: just get started. Whether or not the law is in place yet, there is a lot you can do as a company or as an IT professional with the documentation, directives, and frameworks that already exist.
Wathagi focused on the fact that this is not the first regulation we need to take into account. So you are not starting from zero, and that is an important reason not to panic. This is what she meant, in her words:
"If you’ve been doing any security in your organization, you already have something, so you are not starting from zero. There have been all these other regulations. Try to use what you already have and start from there, making small continuous improvements." Wathagi Ndungu
Gennady went further and gave a sort of step-by-step guideline to begin the process. He put it in these words:
Gennady Kreukniet
In addition to agreeing with Gennady, Wathagi relied on the phrase "know what you have" but also applied it to the supply chain. This makes it possible to check vulnerabilities, security procedures, and what happens when an incident occurs. It’s a great place to start.
Final thoughts
Episode 80 of Ticket Volume focused on one simple question: how to implement the NIS2 directive and meet the deadline set by the EU for October. We gathered three experts who not only provided insightful information but also shared their own experiences in dealing with cybersecurity challenges.
They also introduced a fundamental concept into the discussion: the need to create a security culture that puts the focus on education, awareness, and ownership. You can access the full episode on Apple Podcasts, Spotify, YouTube, or your favorite podcast platform.