NIS2 Implementation: Challenges And Tips From EU Experts

Ignacio Graglia June 3, 2024
- 10 min read

Let’s be honest. Keeping up with cybersecurity regulations and directives, especially if your organization operates within the European Union (EU), can be really challenging. And NIS2 implementation is no exception. 

If you are working in this field, you might already know the reasons that originated this legislation, its objectives, and the risks that organizations face as technology evolves. However, there is a gap between understanding NIS2 and its current implementation. How do we actually implement directives like NIS2? What should we consider? Where do we start?

To outline the process, we invited Morten Eeg Ejrnæs Nielsen (Advisor and Public Speaker on Information Security and Compliance), Wathagi Ndungu (Security Expert at ZEISS Group), and Gennady Kreukniet (CISO and Senior OT Security Consultant at CNV Cyber), three cybersecurity specialists, to discuss the first steps towards implementing the directive, the main challenges facing the cybersecurity field, and some reflections based on their personal experiences.

These are the main highlights of Episode 80 of our podcast, Ticket Volume.

Let’s get into it!

 

 

What is NIS2? Background and context 

NIS stands for Network and Information Systems. The number 2 at the end of the acronym means that this is a revised version or a second version of the same directive. And what do we mean by directive? Well, a directive, in the context of the European Parliament, is a piece of legislation that sets out specific goals or objectives that all member states must achieve within a certain timeframe. 

In this particular case, the NIS2 directive was approved to achieve a high common level of cybersecurity across the European Union. What you should remember is that the directive has a deadline: all EU member states must implement the directive by October, 2024. This poses a huge challenge for governments (as they must pass specific laws) and for organizations classified as essential (as they must adapt to the new directive). 

Luckily, we reached three cybersecurity specialists to know how they are feeling about the NIS2 deadline, how it is being implemented, what countries are leading the movement and what needs to be done in order to achieve such an important goal. 

NIS2: Should we be panicking?

As we mentioned earlier, NIS2 implementation is becoming a reality (or will be by next October). But, should we panic? Are we adequately prepared? To start off the conversation, Morten, Wathagi, and Gennady shared their initial impressions of the directive and discussed how different countries are incorporating it into their Compliance Management strategy. 

For Wathagi, the prevailing sentiment in the IT atmosphere is not anxiety but rather optimism. She thinks that the original directive had a lot of good intentions but fell short due to its limited scope and inconsistent implementation. Not only NIS2 corrects these past issues, in her consideration, but it may be setting a globe standard for cybersecurity. 

 

However, Gennady added that there are still some issues with the directive's implementation as we approach its deadline because it requires collaborative efforts from both the Member States and the organizations operating within them. He also makes a point about the time it takes for countries to translate that directive into laws, and likewise, the time it takes for each organization to adapt to that new regulation. 

On his side, Morten also expressed optimism about the possibility of achieving a successful implementation of the directive, as he believes that many of its guidelines should already be part of an organization's strategy. He also showed a lot of excitement regarding some of the new ideas the directive brings to the table, especially the accountability that rests with management. This is what he said about this particular issue: 

 

 


"What I really like about the directive is how very explicitly places the accountability at the top level management saying they are the ones that have some requirements that they should fulfill. They need knowledge to be able to fulfill this roles but they can also actually be sanctioned. And talking to management about security can be hard, but when you say we are also doing it for your safety, that kind of get them more interested.
"

Morten Nielsen
Advisor and Public Speaker on Information Security and Compliance
Episode 80 of Ticket Volume

Countries that are leading the way with NIS2  

There are some European countries that are more advanced with their respective implementation processes. They serve as a reference and therefore a great opportunity for those who are halfway there or encountering some difficulties in meeting the deadline. According to Wathagi, Hungary and Croatia have already implemented laws to follow the directive. 

Beyond the countries that have already succeeded in passing their respective laws, the underlying question for the rest is how to initiate their process in an organized manner. According to experts, there are several alternatives, but none perfect. It's about exploring different possibilities.

Gennady prefers a “harmonize approach” because it prioritizes efficiency. But then he also mentioned as a possibility the path chosen by Germany, that has detailed regulations and even an Excel spreadsheet with a lot of requirements that can be followed. He also said that Belgium recently came up with an implementation guideline. 

Biggest challenges for NIS2 implementation

One of the biggest challenges regarding the implementation of the cybersecurity directive is where to begin. Morten came to a great conclusion. It’s really simple: just get started. No matter if you have the law in place or not, there is a lot that you can do as a company or as an IT professional with the documentation, directives, and frameworks that are already put in place. 

Wathagi focused on the fact that this is not the first regulation we need to take into account. So, you are not starting from zero and that’s really important not to panic. This is what she meant, in her words:

 

 

"If you’ve been doing any security in your organization, you already have something, so you are not starting for zero. There have been all these other regulations. Try to use what you already have and start from there making small continuous improvements."

Wathagi Ndungu 
Security Expert at ZEISS Group
Episode 80 of Ticket Volume

Gennady went further and gave a sort of step by step guideline to begin the process. He puts it in this words: 

 

 


"First, have your Asset Management in place. So, know what you have. Know your systems, what updates they have, and have that basic information in some proper systems that are at least more modern than an Excel sheet that we still see laying around.

Then, second, I would say, make sure that all the access that you have to that system, all the remote access is all known and secure.

And if it goes wrong, the third item would be your disaster recovery and your business continuity. So, make sure you know what you have, how to get to your systems, and how to be resilient and bounce back if something goes wrong.
"

Gennady Kreukniet
CISO and Senior OT Security Consultant at CNV Cyber
Episode 80 of Ticket Volume

In addition to agreeing with Gennady, Wathagi relied on the phrase "know what you have" but also applied it to the supply chain. This allows checking vulnerabilities and security procedures, and what happens when an incident occurs. It’s a great place to start. 

Final thoughts  

Episode 80 of Ticket Volume focused on one simple question: how to implement the NIS2 directive and meet the deadline set by the EU for October. We gathered three experts who not only provided insightful information but also shared their own experiences in dealing with cybersecurity challenges.

They also introduced a fundamental concept into the discussion: the need to create a security culture that puts the focus on education, awareness, and ownership. You can access the full episode on Apple Podcasts, Spotify, YouTube, or your favorite podcast platform.

Read other articles like this : risk management, Ticket Volume, Cybersecurity