The NIS2 Directive: why cyber-resilience is the new normal for European organisations

Due to be adopted as law by member states by October 2024, the EU Network and Information Systems (NIS2) Directive is the most important cybersecurity legislation ever enacted across member states.

While the original NIS1 Directive of 2016 was viewed as a major evolution in cybersecurity regulation, a lot has changed since then, particularly assumptions about the risk posed by an expanding range of cyberattacks. At that time, cybersecurity was seen primarily as a problem faced by individual organizations. Today, cybercrime is understood to be a threat to entire industry sectors and the stability of the wider digitally connected economy.

Within this, the public sector, government, and critical national infrastructure (CNI) are especially vulnerable. A deepening of geo-political tensions has raised the likelihood of CNI being targeted in a way that could result in a large-scale cyber-incident. Defending this was never going to be easy at a time of constricted budgets and a shortage of technical skills.

To address this, NIS2 imposes complex new cyber-resilience demands while broadening the range of industry sectors covered from 7 to 15, including a large swathe of digital infrastructure. Organizations across the 27 member states will be required to adopt more sophisticated risk management, impose more controls across their systems, as well as improve their incident handling. One of the biggest challenges will be NIS2’s emphasis on boosting supply chain security, widely acknowledged as a major potential weakness.

The purpose of EU-wide legislation is always to impose minimum standards across organizations, sectors, and countries on the same timescale. Central to this will be how the new rules and standards are communicated to and understood by the cybersecurity professionals expected to meet its demands. Practitioners must not only assess the impact on their own systems but consider how their own security might impact the resilience of the many organizations they interact with.

This is hugely ambitious. NIS2 implies a different approach to cyber-resilience than the ‘this is the best we can do’ approach and optimistic assumptions of the past. The threat has become a matter of national security. Organizations will not only need to conduct risk assessments of their cyber-resilience but analyze their ability to continue operating under pessimistic scenarios. Where NIS2 rules are breached, organizations must quickly grasp the reporting requirements and possible financial penalties.

HPE webinar series

The Cyber Resilience for the public sector programme from HPE offers cybersecurity professionals a three-part webinar series designed to  explore the challenges of NIS2 in greater detail. Tailored for EU public sector IT teams with a full Q&A at the end of each session, the webinars comprise presentations by a range of independent and HPE experts. Subjects covered include:

• Understanding the new requirements of NIS2
• Best practice for public sector cybersecurity
• How the public sector can take advantage of cloud without increasing vulnerability
• The importance of cybersecurity agility
• The cybersecurity challenge faced by public sector IT departments
• The latest thinking on mitigating ransomware
• The role of zero trust in future security
• Squaring vulnerability created by digital transformation with NIS2

• Webinar 1 (January 25) – Cyber resilience for public sector 1
• Webinar 2 (February 1) – Cyber resilience for public sector 2
• Webinar 3 (February 8) – Cyber resilience for public sector 3