What can the new EU NIS2 cyber regulation do for your business?
In 2007, Estonia was still a relatively young country among the nearly 200 nations of the international community, still working its way out of the Soviet era. It had regained its independence in 1991 and joined both the EU and NATO in 2004.
As part of that break with its Soviet past, the monument known as the "Bronze Soldier of Tallinn" was relocated. This sparked a series of major cyberattacks, largely distributed denial-of-service (DDoS) attacks, against the Estonian parliament, banks, ministries, newspapers and broadcasters. The attacks severely disrupted national services and international Internet access, and the Estonian government had to temporarily cut the country off from international Internet traffic to regain control (1).
Also in 2007, in the US, cybersecurity researchers at Idaho National Laboratory conducted an unprecedented experiment, the Aurora Generator Test, to demonstrate that computer code could destroy a physical diesel generator. By repeatedly opening the generator's circuit breaker, letting the generator drift out of phase with the grid and then closing the breaker again, they made the generator run in an uncontrollable fashion, incrementally destroying everything from the bearings to the rotating coupling. Parts were sent flying, and in less than three minutes the generator was smoking and beyond repair, purely through manipulation of the digital controls of its circuit breaker (2).
Moving on to 2016, the world saw another extraordinary cyberattack: the attempt to steal nearly $1 billion from Bangladesh's central bank by sending fraudulent transfer orders through the bank's own connection to the global SWIFT payment network. Fortunately, the attackers got away with only $81 million. International cyber experts later attributed the attack to a hacker group likely sponsored by the North Korean regime (3).
In 2018, just six years ago, another significant cyber incident took place. During the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, the Olympic CIO witnessed the worst possible scenario: the backbone of the Olympic IT infrastructure was shut down while the world watched the ceremony on live TV. The malware, since named "Olympic Destroyer", was described by Wired Magazine as "The Most Deceptive Hack in History" (4) because its authors had planted false flags pointing at other countries. After a very long and thorough investigation, the attack was attributed to Russian military intelligence.
Impact on policy makers
While these cyber incidents shocked the world, they also got things moving in the corridors of both the EU and NATO headquarters in Brussels, Belgium. Concerns shared among officials soon reached governments across both alliances, and eventually the politicians. They recognised the need to act to protect Europe, and in particular to safeguard the stability of the EU's internal market, a cornerstone of the Union.
In NATO, cyberspace was officially recognised as a domain of operations, the fourth alongside land, sea and air, at the July 2016 Summit in Warsaw, Poland (5). In the same month, the EU legislators adopted the Union's first piece of EU-wide cybersecurity legislation: the Network and Information Systems (NIS) Directive, now known as NIS1.
But it was not enough. NIS1 did not meet expectations: its implementation varied widely between member states, the cybersecurity situation went from bad to worse, and the EU legislators began work on the next version, NIS2.
The development of NIS2
The work on NIS2 was led by Danish Member of the European Parliament Morten Løkkegaard, with the Commission's proposal published in December 2020. Beyond addressing major cybersecurity issues, the COVID-19 pandemic had highlighted the EU's dependence on far more sectors than the seven critical sectors covered by NIS1. Løkkegaard explained, both in a meeting with the Danish IT Business Association in April 2022 (6) and in an interview with HK Bladet in March 2023 (7), that the NIS2 Directive had an unusually smooth journey through the EU legislative process. He said: "It has been a good process. I have been here 12-13 years and been involved in many different processes, but this one has been special. It has been a lot easier than many before, mostly because the question of IT security has, for many reasons, become consensual, meaning that this is something that most can support."
In the April 2022 meeting, he also emphasised that the war in Ukraine had significantly increased the willingness of member states to move the legislative process forward quickly.
The NIS2 Directive (Directive (EU) 2022/2555) was finally adopted on December 14th, 2022, after just two years in the making. Member states had until October 17th, 2024 to transpose it into national law.
The basics of NIS2
The new NIS2 Directive (8) covers 11 sectors of "high criticality" and 7 "other critical" sectors. Entities in these sectors are classified as "essential" or "important" depending on the sector and the size of the organisation, with essential entities subject to the stricter supervision and sanction regime. The directive represents a major overhaul of the cybersecurity status quo across both the private and public sectors within the European Union. On top of the many extra sectors it adds, NIS2 also covers supply chain security, mandatory cybersecurity training for management, vulnerability handling and disclosure, basic cyber hygiene practices, and the use of European and international standards.
The directive can be divided into three main sections:
- Risk management measures.
- Reporting obligations.
- Sanctions.
To cover risk management, companies must implement appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems. The company's management body must approve and oversee these measures, can be held liable for failing to do so, and must itself undergo cybersecurity training. The required measures include risk analysis and information system security policies, incident handling, business continuity (backups, disaster recovery and crisis management), supply chain security, security in the acquisition, development and maintenance of systems including vulnerability handling, cyber hygiene and staff training, policies on the use of cryptography and encryption, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate. The directive also encourages businesses to adopt state-of-the-art technologies, including artificial intelligence, to improve their cybersecurity.
The reporting obligation for a significant incident runs in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report no later than one month after the incident notification (with intermediate status reports on request). In addition to reporting to the authorities, the business must, where appropriate, inform the recipients of its services, such as customers, that are likely to be adversely affected by a significant incident, and inform them of significant cyber threats and the measures they can take. Reporting is also knowledge sharing: the NIS2 Directive contains clauses highlighting the importance of regularly sharing intelligence on threats and vulnerabilities, both with authorities and between businesses.
The last part of the NIS2 Directive is the sanctions that can follow if the business is not compliant. For essential entities, fines can reach €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, the maximum is €7 million or 1.4% of total worldwide annual turnover, whichever is higher. In addition to the fines, the natural persons responsible at management level can be held personally liable, and in the case of essential entities they can be temporarily banned from exercising managerial functions.
The risks for your business and how to mitigate them
Now that you have seen how cyber risks escalated to unacceptable levels, prompting EU policymakers to act to safeguard the stability of the internal market while NATO integrated cyber defence into its strategy, let's look at the financial risks these threats pose to your business.
In almost every cyber incident, the business loses money: money to cover the cost of recovery, to compensate anyone affected by the attack in question, and to pay fines such as those described above.
For the cost of recovery, IBM and the Ponemon Institute publish an annual report named "Cost of a Data Breach Report" (9). The 2023 report states that the average cost for a company in Scandinavia is around $2 million, or $183 per record of personal data. The report has more disturbing findings. It takes, on average, more than 200 days to identify a breach, and only one-third of breaches are discovered by the businesses' own teams and tools. In roughly a quarter of cases (27%), the breach is revealed by the attackers themselves, for example when they make their ransom demand.
The report concludes that the faster a business detects a breach, the lower the recovery costs will be. Costs are also lower when the breach is detected by the company itself than when the attackers are the ones who call. So the question is: how do you get there?
The Danish survey Cyberbarometeret 2023 (10), conducted by Industriens Fond, found that "more is more" when it comes to cybersecurity measures: the more cybersecurity initiatives a company implements, the greater the positive impact, not only on the robustness of the business but also, more importantly, on its competitive position in the market. Industriens Fond found a direct correlation between strong cybersecurity measures and improvements in external trust, innovation capability and financial performance.
And this is exactly what the NIS2 Directive can do for your business. It provides a structured framework that, if followed, increases the robustness and resilience of your business. It improves the odds that your business can withstand a cyberattack and, in the event of a breach, limits the impact of the attack.
By understanding the intent behind the NIS2 Directive and adopting its requirements, you can reduce your overall cyber risk, lower your long-term costs and ultimately improve your business's profitability.
Author:
Bjarke Alling, Principal Advisor, Epical
Tel: +45 40 13 91 05
Image: meeting with Morten Løkkegaard at the Danish IT Business Association in April 2022.
Image by: Troels Johansen