Blog Post
March 19, 2024
TL;DR
No organization, no matter the industry, is exempt from suffering from a cyber attack. The European Union formally recognized this modern-day reality in late 2022 when it published Directive (EU) 2016/1148, more commonly known as the NIS 2 Directive. As an updated version of the original directive enacted in 2016, this newer, sweeping cybersecurity regulation expanded its original scope to encompass even more business sectors.
When NIS 2 officially comes into effect in October 2024, executives will have already needed to invest heavily in upgrading their organization's cyber risk management processes and incident response plans, tasks much easier to legislate than comply with. Indeed, notoriously technical cybersecurity matters have traditionally been left to be dealt with by those with relevant expertise.
But as the market becomes more digitally intertwined and the threat of a cyber catastrophe looms large, the EU has determined that this delegation is no longer acceptable. This situation has left many corporate leaders in the sticky position of quickly needing to understand the ins and outs of cyber risk, simultaneously placing new demands on the organization's chief information security officer (CISO) or relative cybersecurity leader.
By leveraging financial cyber risk quantification (CRQ) and translating the more technical terminology of cybersecurity into a broader business language, CISOs can significantly streamline this new responsibility, helping executives adhere to the NIS 2 Directive.
With the common vocabulary, key stakeholders are equipped to collaborate, ensuring cybersecurity initiatives not only keep the organization secure and resilient but also enable growth. The EU's underlying sentiment is that it's going to take a concerted effort to protect the market against malicious cyber actors, and with CRQ, such teamwork can transpire.
The NIS 2 Directive is an updated European Union regulation that seeks to protect organizations within the EU that provide critical services against cyber attacks, bolster cyber risk management programs, and create best-practice standards within the region. NIS 2 has much stricter requirements than its predecessor, including new disclosure obligations and enforcement procedures for a wider scope of industries.
A major component of the NIS 2 Directive is the enhanced emphasis and explicitness of the cybersecurity measures that all entities must adhere to. The upgraded language focuses on ensuring organizations proactively protect their networks, information systems, and physical environment against cyber attacks or malicious actors.
NIS 2 requires companies, regardless of size, revenue, and industry, to define and document:
Among the new business sectors that must now adhere to the upgraded policy are:
See here for the full list of the 15 industries that are now subject to the EU's NIS 2 cybersecurity standards and the full text of the NIS 2 Directive.
NIS 2 distinguishes entities between "highly critical" and "other critical," as well as between "essential" and "important.” Organizations across the now-included industries are classified according to the type of services they provide, the number of employees, and annual revenue. This classification determines the level of scrutiny they will face for cybersecurity evaluations, as well as the amount they need to pay should there be non-compliance.
"Essential" entities are those organizations that operate in highly critical sectors, such as energy and transportation, employ more than 250 people, and have a balance sheet of a minimum of €43 million. Trust service providers, DNS entities, and public electronic communications vendors also fall into the essential category. Essential entities can, and most likely will, be proactively supervised to ensure compliance.
If found in violation of the NIS 2 Directive, essential entities can be fined, at minimum, €10,000,000 or 2% of their global revenue.
"Important" entities, in contrast, refer to all other critical organizations that don't meet the "essential" framework, meaning those with fewer than 250 employees and a balance sheet of less than €43 million. The primary difference, in terms of accountability, is that important entities are scrutinized for compliance "after the fact," meaning authorities will take action only if there's reason to believe non-compliance has occurred.
If found in violation of the NIS 2 Directive, important entities can be fined, at minimum, €7,000,000 or 1.4% of their global revenue.
One of the most noted changes of NIS 2 is the imposition of direct obligations and subsequent consequences on management positions within an organization, regardless of essential status. Under the regulations, managers are considered senior stakeholders who are qualified to act as entity representatives, have the authority to make decisions, or can exercise some measure of control.
These management figureheads can be held personally liable for failing to comply with the regulations, which not only includes neglecting to report an incident but also falling short of investing in the necessary cybersecurity risk management initiatives. Moreover, in certain extreme cases, compliance failure may result in suspension and even disbarment from board and C-suite roles.
Adequate and timely incident reporting is another key component of NIS 2. According to the regulations, organizations must disclose any cyber attack that has caused a "significant" impact, which is defined as having caused severe operational disruption or financial loss or having caused considerable "material" or non-material damage to other persons.
The attacked entity must file an initial report within a day of becoming aware of the significantly impactful incident, which must be followed by a more formalized disclosure within 72 hours. The EU can also demand the organization make a public statement on the incident. Lastly, entities are required to submit a report one month later detailing how they have taken measures to mitigate the issue.
Defining highly subjective terms such as "significant" and "material" is posing challenges to organizations worldwide now faced with new cybersecurity regulations. Indeed, the US SEC and Australia's APRA also demand that registered entities disclose "materially" impactful cyber events to the relevant governing bodies but also, similarly, offer little more direction on how to determine this threshold in absolute terms.
The lack of concrete definition is not wholly unfounded, however, considering "significant" and "material" impact is context-based according to an organization's specific makeup. Still, considering that under the NIS 2 Directive, organizations are compelled to report such incidents within 24 hours, it's crucial that key stakeholders determine quantified loss benchmarks for "significance" long before an event occurs, streamlining the reporting process.
Moreover, with preliminary data-driven figures that can guide "significance" determinations, entities can better ensure compliance. To learn more about calculating loss thresholds for reporting purposes, check out Kovrr's Cyber Materiality Report.
Although the NIS 2 Directive has set forth a slew of upgraded cybersecurity rules, its underlying message rings louder and clearer: It's no longer an option for high-level stakeholders to avoid cyber risk governance. By mandating increased liability, more specific cyber management requirements, and tighter disclosure deadlines, the new legislation effectively demands a greater relationship between these executives and CISOs.
Ultimately, the EU has formally recognized that market stability and resiliency are only going to be achieved once these parties discard the historic barriers between them and start working together to understand how cybersecurity drives the business toward growth and success.
As NIS 2 begins to reshape cybersecurity risk management practices across the EU, it's become imperative for organizations to develop methods and solutions that can bridge the gap between non-technically oriented executive managers and cybersecurity leaders. Unification, alignment, and compliance demand these key stakeholders speak a common language, and with cyber risk quantification, they finally can.
On-demand CRQ quickly transforms the more complex aspects of cyber risk into broader business terms, facilitating this all-too-necessary collaboration. This translation not only helps organizations ensure they are compliant with NIS 2 requirements but also provides a strategic advantage in navigating a market that is increasingly dependent on cyber activities. As this trend continues to accelerate, CRQ has emerged as the secret to success.
To learn more about how CRQ platforms like Kovrr’s can help executives govern cyber risk and ensure cybersecurity alignment, schedule a free demo today or contact our cyber risk experts.
Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.
.jpg)