NIS2: deadline passed, but ambiguity remains

"Companies are not ready for NIS2"


With the NIS2 law, Europe obliges companies from various sectors to give security the highest priority. If you fall under the law, there is no escaping it. But do companies know what to do, and how?

The time has come: NIS2 has arrived. After the European Parliament agreed on the directive in late 2022, member states were given until Oct. 17, 2024, to transpose it into national law. The deadline has passed, putting the ball in the companies’ court. “Many companies are not ready,” said Siska Hallemeesch, security expert at Nviso Security and Silver Member of Isaca.

Plethora of tools

Hallemeesch recognizes the need for the legislation. “With NIS2, it was decided at the European level to increase the security maturity of organizations, especially medium to large organizations. This should better prepare them for geopolitical risks and cyber attacks, and increase the overall level of security. The first NIS Act was limited to critical infrastructure such as energy. NIS2 extends this to multiple sectors.”

“When I talked about geopolitical risks five years ago, people looked at me as if I were speaking Chinese. Security was viewed from a technical perspective, but not from business or geopolitics. As a result, many companies are left with a plethora of IT tools that offer no solution,” Hallemeesch said.

“As a company, you have to look at what your security risks are and how you are going to set up an end-to-end solution from there. This process depends on the business context. For a hospital, this will be completely different than for a manufacturing company,” she continued.

New role for CISO

According to Hallemeesch, NIS2 will provide a different interpretation of the role of the CISO. “Now there are still a lot of technical people in the role. But a CISO must also learn to understand the business and speak to other departments within the company. This is still much more difficult, I notice.”

“I’m not saying that technical knowledge about the tools isn’t important anymore, but the CISO will no longer be a purely technical role. The CISOs of tomorrow will be business people who also have that technical knowledge, but more importantly understand how to implement security management and the tools available in the business context.”

Security is viewed too much from a technical perspective. The CISO must also learn to understand the business.

Siska Hallemeesch, CISO-as-a-service Nviso

Copy paste

Since Oct. 18, NIS2 has been enshrined in Belgian law. With that, Belgium finished its homework on time, which is the exception rather than the rule: Belgium and Croatia are the only member states that met the NIS2 deadline. During a roundtable discussion organized by ITdaily, experts praised the CCB, which led the way.


Hallemeesch puts this into perspective. “That Belgium is on time with the legislation is because the package was largely taken directly from the European Union text. I wonder if that was done with much consultation. Laws are first adopted, only to then wait for the impact on companies. It is good to have European legislation that is the same for everyone, but in reality this is not the case either.”

From law to practice

Companies will still have some time to comply with the guidelines, but according to Hallemeesch, it will not be straightforward. “How NIS2 will roll out in practice remains to be seen. There are still many questions among companies. Now NIS2 brings with it obligations to report on incidents, but by 2027 some companies will have to obtain certification.”

To help companies get started, CCB developed a three-level framework. Hallemeesch: “This framework is very descriptive. Companies do ultimately have to apply it in their specific context. I also question the proportionality. For companies, it involves a lot of administration. New companies will be able to incorporate these things more easily, but for larger organizations it’s much harder to turn the ship around.”


A shortage of people and resources, which many companies struggle with, can cause problems. Hallemeesch advises companies in this case to get help early. “NIS2 comes with a price tag. Not every company needs a full-time CISO. If you don’t have the people yourself, talk to outside experts who can help you determine your current maturity and develop a plan to increase it. It is important that executive management be involved as well.”

“Without NIS2, some companies might not have done anything. That wouldn’t have been a good thing either,” Hallemeesch admits. “Many companies have not yet realized that they can also be victims of a cyber incident. They almost have to have experienced it to realize that something like this happens every day. In that context, it is also important for companies to talk to each other and learn from each other. Sharing is caring in security.”

Many companies are not ready. NIS2 comes with a price tag.

Siska Hallemeesch, CISO-as-a-service Nviso

Checkbox

Hallemeesch would like to see a more coordinated approach from Europe. NIS2 does not sit in a vacuum. In recent years, Europe has been pushing through one new law after another. All those rules aim to increase the security of organizations, but the pieces of legislation overlap, creating confusion.

“Why can’t we arrive at one regulation that applies to everyone? There is no doubt that the maturity of organizations needs to go up, but over-regulation is not good either. Laws are proposed by people who have no practical experience of what they mean for companies. I am also concerned that auditors who will visit companies will mainly tick a ‘checkbox’,” Hallemeesch says.

Roads to Rome

IT is evolving rapidly. Whether NIS2 is strong enough to stand the test of time will be seen in the coming years. Will we need a NIS3 law soon? Hallemeesch passes on her wish in advance. “A next version should give companies more flexibility on how to achieve goals. Multiple roads lead to Rome, they always say.”

But most of all, Hallemeesch hopes it doesn’t have to come to NIS3. “Do we really need more regulation? I sincerely hope that Europe will ask itself this question. Personally, I am more in favor of giving companies more room within the current framework to fill in the proportionality in relation to their cyber risks themselves. Then, if more legislation should prove necessary, I hope there will be more general guidelines instead of even more different legislation.”

Is more regulation needed? Can’t we give companies more flexibility to achieve goals within the current framework?

Siska Hallemeesch, CISO-as-a-service Nviso

ITdaily recently organized a roundtable on NIS2 with experts from the Belgian security industry. Visit our topic page to view all articles.