
Navigating the Cybersecurity Storm: Understanding the Impact of NIS2 on Businesses and Crisis Management Response

  • Writer: James Dunny
  • Jun 11, 2024
  • 5 min read

Updated: Feb 5

As the digital landscape evolves, so too do the threats that companies face. To improve the EU's resilience to cyber threats, new legislation has been introduced that will affect many companies and organisations across the region. The Network and Information Security Directive (NIS2) is a significant step forward in strengthening the cybersecurity of organisations across Europe, but it carries significant implications for the companies in scope, which need to act now both to improve their cybersecurity measures and to comply with the forthcoming regulatory changes.


Image: a map of Europe with interconnected nodes representing critical infrastructure sectors, cybersecurity symbols and the European Union flag, illustrating the cross-border, collaborative nature of the Directive.

So what exactly is NIS2, who is impacted and what do you need to do today to prepare for it?


Understanding NIS2


The NIS2 Directive, which replaces the 2016 NIS Directive, is part of the EU's cybersecurity strategy. It aims to achieve a high common level of network and information security, particularly in the organisations that are critical to our society and economy. The Directive also contains measures to improve supervision and enforcement and to strengthen EU-level cooperation. For the purposes of this article, however, we will look at the implications that the increased cybersecurity risk-management requirements will have on businesses.


The Directive applies to medium-sized and large organisations operating in specific sectors: broadly, those with at least 50 employees or an annual turnover or balance sheet total above €10m. A small number of entity types (for example providers of public electronic communications networks, DNS and TLD registries, trust service providers and central government bodies) are in scope regardless of size. It classifies businesses into two categories: 'essential entities' and 'important entities'. Detailed information on what sectors each category includes can be found here (Annex I of the Directive lists the sectors of high criticality, Annex II the other critical sectors). Briefly, it now encompasses sectors such as transport, pharmaceutical and medical device manufacturing, food production and distribution, healthcare, digital and network infrastructure, telecommunications, water supply, waste management, energy and postal services. Relevant companies that are not established in the EU but offer services within the EU are also covered. The cybersecurity risk-management and incident-reporting obligations are the same for essential and important entities; the difference lies in how they are supervised and enforced. How supervision is exercised is determined by each Member State, but it can include on-site inspections, audits, requests for access to data or documents, security scans, and requests for evidence that the cybersecurity policy has actually been implemented.



Image: list of the sectors covered by NIS2, and those previously covered by NIS.

Under NIS2, 'essential entities' are subject to ex ante supervision: the competent authority can inspect and audit them proactively, without waiting for an incident or a complaint. 'Important entities' fall under ex post supervision, meaning authorities will take action when they receive evidence or indications of non-compliance. The precise form of supervision will be determined by each Member State. At this point, the Irish Government has not disclosed its approach.


To emphasise the significance of the new regime, non-compliance can attract heavy administrative fines. For essential entities the maximum fine is at least €10m or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; for important entities it is at least €7m or 1.4% of worldwide annual turnover, whichever is higher (Article 34). These are the floors Member States must set for the maximum fine, so national law may go higher.


It is important that every organisation identifies NOW whether it falls within the scope of the NIS2 Directive and, if so, whether it is an essential or an important entity. Ireland's National Cyber Security Centre estimates that over 3,000 companies in Ireland will be covered by the new legislation, compared with around 100 currently covered under NIS.


Member States must adopt and publish their transposing legislation by 17 October 2024 and apply it from 18 October 2024. By 17 April 2025 each Member State must have established a list of the essential and important entities in its jurisdiction, and that list must be reviewed at least every two years thereafter.


Implications for Crisis Planning


Article 20 makes management directly accountable: the management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. Article 20(2) adds that Member States shall ensure that the "members of the management bodies of essential and important entities are required to follow training," and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the business.


This means that companies need to be prepared not only to prevent cyber incidents but also to respond swiftly and effectively when they occur, and that senior management must understand and oversee that capability rather than delegate it entirely to IT.


One of the critical aspects of NIS2 is its emphasis on crisis management and business continuity. Article 21(2) sets out the minimum measures every in-scope entity must implement. As EY highlights, companies are expected to take a strict risk-management approach, with defined processes for incident reporting and policies on risk analysis and information system security, incident handling, business continuity (including backup management and disaster recovery) and crisis management, and supply chain security. The same list also covers secure acquisition and development of systems and vulnerability handling, procedures for assessing the effectiveness of the measures, basic cyber hygiene and training, cryptography, human resources security and access control, asset management, and the use of multi-factor authentication and secured communications where appropriate.


Enhanced security standards under NIS2 compel companies to develop and maintain detailed incident response plans. Article 23 sets the reporting timeline for a significant incident: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of it (stating whether it is suspected to be malicious or to have cross-border impact), an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise, intermediate reports on request, and a final report no later than one month after the incident notification. Response plans therefore need protocols for early warning, incident notification and progress reporting that ensure all incidents are communicated effectively to the relevant authorities and stakeholders within those windows.
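The reporting clock above is easy to get wrong in the middle of an incident, in particular the fact that the final-report deadline runs from the 72-hour notification rather than from the moment of awareness. The following is an added example, written for this post and not code from the original page or from any regulator, that tracks the three Article 23 deadlines for a significant incident. It assumes that "one month" can be modelled as 30 days, that all timestamps are timezone-aware (naive datetimes are rejected, because mixing local and UTC times silently shifts deadlines), and it does not model any additional requirements in national transposing law. The timestamps in the demo are constructed.

```python
"""Reporting clock for a NIS2 'significant incident' (Directive (EU) 2022/2555, Art. 23).

Added example; not code from the original post or any regulator.
Deadlines per Article 23(4): early warning within 24 h of becoming aware,
incident notification within 72 h of becoming aware, final report within
one month of submitting the incident notification.
Assumptions: 'one month' is modelled as 30 days; timestamps must be tz-aware;
national transposing law is not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
FINAL_REPORT_WINDOW = timedelta(days=30)   # assumption: "one month" as 30 days


def utc(*args: int) -> datetime:
    """Build a UTC timestamp, e.g. utc(2024, 10, 18, 9) for 09:00 on 18 Oct 2024."""
    return datetime(*args, tzinfo=timezone.utc)


def _require_aware(ts: Optional[datetime], name: str) -> None:
    """Reject naive datetimes: a clock mixing local and UTC times shifts every deadline."""
    if ts is not None and (ts.tzinfo is None or ts.tzinfo.utcoffset(ts) is None):
        raise ValueError(f"{name} must be timezone-aware")


@dataclass
class IncidentClock:
    aware_at: datetime                          # when the entity became aware
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        for name in ("aware_at", "early_warning_sent", "notification_sent", "final_report_sent"):
            _require_aware(getattr(self, name), name)

    def sent_at(self) -> dict:
        return {"early_warning": self.early_warning_sent,
                "incident_notification": self.notification_sent,
                "final_report": self.final_report_sent}

    def deadlines(self) -> dict:
        """Absolute deadlines. The final-report clock starts only when the
        72-hour notification has actually been submitted (Art. 23(4)(d))."""
        final = (self.notification_sent + FINAL_REPORT_WINDOW) if self.notification_sent else None
        return {"early_warning": self.aware_at + EARLY_WARNING_WINDOW,
                "incident_notification": self.aware_at + NOTIFICATION_WINDOW,
                "final_report": final}

    def status(self, now: datetime) -> dict:
        """Per-stage state at `now`: sent, sent_late, due, overdue or pending."""
        _require_aware(now, "now")
        out = {}
        for stage, deadline in self.deadlines().items():
            sent = self.sent_at()[stage]
            if sent is not None:
                out[stage] = "sent" if deadline is None or sent <= deadline else "sent_late"
            elif deadline is None:
                out[stage] = "pending"          # predecessor not yet submitted
            elif now <= deadline:
                out[stage] = "due"
            else:
                out[stage] = "overdue"
        return out

    def next_due(self, now: datetime):
        """Earliest unsent stage with a running clock and the time left
        (negative if already overdue); None when nothing is outstanding."""
        _require_aware(now, "now")
        open_stages = [(d, s) for s, d in self.deadlines().items()
                       if d is not None and self.sent_at()[s] is None]
        if not open_stages:
            return None
        deadline, stage = min(open_stages)
        return stage, deadline - now


if __name__ == "__main__":
    # Constructed scenario: aware at 09:00 UTC on 18 Oct 2024, warning and
    # notification both sent on time, final report still outstanding.
    clock = IncidentClock(utc(2024, 10, 18, 9),
                          early_warning_sent=utc(2024, 10, 18, 14),
                          notification_sent=utc(2024, 10, 21, 7))
    now = utc(2024, 10, 21, 17)
    print(clock.deadlines())
    print(clock.status(now))
    print(clock.next_due(now))
```

In a real crisis team the clock would be started by whoever first classifies the incident as significant, and the `sent_*` fields filled in from the ticketing or e-mail record, so that the status table can be read out at each crisis-team stand-up without anyone recomputing dates by hand.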


It is not enough simply to have a crisis management plan in place, although that is a good start. If a company is serious about having an effective crisis management framework, the crisis team needs to participate in regular training and simulations. A 'muscle memory' has to be built so that when an incident occurs the team is not learning on the job: they know how to respond and who is responsible for what.




The National Cyber Security Centre of Ireland (NCSC) was set up by the Government to secure Government networks and Critical National Infrastructure. It engages in a comprehensive set of tasks around cyber security and encompasses the State's National/Governmental Computer Security Incident Response Team (CSIRT-IE). The initial focus of the NCSC and CSIRT-IE is to provide incident response services to Government networks and the main Critical National Infrastructure providers.


Steps Companies Need to Take


To comply with NIS2, companies should undertake several key actions:


  1. Risk Assessment and Management: Conduct thorough risk assessments to identify potential vulnerabilities in your network and information systems. Develop and implement risk management measures that address these vulnerabilities comprehensively.

  2. Crisis Management Framework: Establish a crisis management framework that includes detailed incident response plans. This framework should outline the steps to be taken during a cyber incident, from initial detection to full resolution and recovery.

  3. Training and Awareness: Ensure that all employees, especially those in management, are trained and aware of their roles in cybersecurity and crisis management. Regular training sessions and simulations can help prepare staff for real-world incidents.

  4. Supply Chain Security: Assess the security of your supply chain and establish third-party risk management procedures. Ensure that your suppliers and service providers adhere to similar cybersecurity standards.

  5. Continuous Monitoring and Reporting: Develop procedures for continuous monitoring of your cybersecurity measures and for incident reporting. Ensure that security incidents are classified quickly and reported in accordance with NIS2 requirements, using a structured reporting process that can meet the Directive's notification deadlines for significant incidents.


By proactively addressing these areas, companies can not only achieve compliance with NIS2 but also enhance their overall resilience against cyber threats. As the digital threat landscape continues to evolve, robust crisis management and business continuity planning will be critical components of a successful cybersecurity strategy.


Questions to ask yourself!


  • Is your organisation aware of the specific obligations under the NIS2 directive and how they impact your current cybersecurity practices?

  • How prepared is your company to handle a major cyber incident? Do you have a crisis management framework in place?

  • What steps have you taken to assess and secure your supply chain against cyber threats?

  • Are your employees adequately trained in cybersecurity protocols and incident response?

  • How does your organisation ensure continuous monitoring and effective reporting of cybersecurity incidents?

  • Have you conducted a recent risk assessment to identify vulnerabilities in your network and information systems?

  • When was the last time you reviewed the company’s crisis management plan? Is it up to date and are the crisis team trained on how to use it?


If you want to read more about NIS2 - check out these resources.



If you are interested in discussing your cyber crisis responses and your crisis management framework please reach out. Reput8ion Dynamics has extensive experience in auditing and drafting crisis management plans for companies of all sizes. We also design, plan and execute crisis management simulations for companies.


Finally - I have created a GPT to help answer some of your questions about NIS2. Obviously this is for guidance only - if you require specific advice please reach out directly or talk to your legal advisors. Check out https://chatgpt.com/g/g-F0n6vFgPO-nis2-directive




ADDRESS

Maddenstown North
Curragh Camp
Co Kildare
R56 A489
Ireland

CONTACT

Tel: +353 86 388 3903
Email: james@reput8ion.ie


© 2025 by Reput8ion Dynamics
