How should organisations prepare for the revised EU policy on cybersecurity?

The NIS Directive (EU 2016/1148) was the first piece of EU-wide legislation on cybersecurity. Its revision, NIS2, is currently under negotiation, and it is expected to enter into force in 2024. But what is NIS2 about and what preparations are needed from organisations?

To increase cyber resilience, the EU is launching new policy initiatives that will come into force in the next three years. The revision of the NIS Directive will enter into force in 2024, and it is expected to impose stronger requirements on a broader range of actors. NIS2 will introduce fines and enforcement, a broader set of mandatory security measures and new incident notification requirements for essential and important entities. Management bodies will have a crucial and active role in approving cybersecurity risks, and non-compliance will be punished with fines of up to €10 million or 2% of global annual revenue.

Why is it an opportunity for CISOs?

With increasing controls from governments and regulators, there is momentum for CISOs to pursue their security objectives. The EU is setting up a budget of €2 billion to support new cybersecurity initiatives aimed at strengthening cyber resilience.

New sectors under NIS2

The following sectors will fall within the scope of NIS2:

  • Essential entities: energy; transport; banking; financial market infrastructure; health; drinking water and wastewater; digital infrastructure; public administration; space
  • Important entities: postal and courier services; waste management; the manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers

Key changes

Even though NIS2 is largely built on the NIS Directive, there are major upcoming changes that will require consideration.

Action points and next steps

Boards and senior-level management should amend their companies’ cybersecurity strategy in order to improve the cyber resilience of their organisation. Requirements of the NIS2 Directive must be addressed in three areas:

As the final shape of the NIS2 legislation emerges, CISOs need to start planning their response. These may be some of the first steps to consider:

  • Implement an ISMS (information security management system), taking into account NIS2 and other relevant requirements
  • Advise on the implementation of security controls
  • Provide training and awareness for the board of directors
  • Conduct an incident management maturity assessment

Support from the EU on Policy Implementation

Deloitte monitors EU cyber policy developments to anticipate the business impact of regulatory changes on its wide network of clients. We collect our insights from multi-stakeholder groups active in the EU cyber community, such as European Institutions, EU Member States, national CSIRTs, Competent Authorities and Operators of Essential Services.

Our Cyber Services, aimed at helping entities comply with NIS2, are eligible for (co-)funding by the EU under the Digital Europe Programme (DIGITAL). The budget for the cybersecurity actions covered by this Work Programme is €269 million, distributed as follows:

  • A budget of EUR 177 million for actions related to the “cyber-shield” announced in the EU Cybersecurity Strategy, including Security Operations Centres (SOCs);
  • A budget of EUR 83 million for actions supporting the implementation of relevant EU cybersecurity legislation;
  • A budget of EUR 9 million for programme support actions, including evaluations and reviews.

In addition, actions supporting the deployment of secure Quantum Communication Infrastructures (QCI) are included in the Digital Europe Work Programme for 2021–2022, with an indicative budget of EUR 170 million.

The previous version of this article was written by Martina Calleri. It was originally published here by Deloitte Belgium.
