NIS2: A Stark New Spotlight on Cybersecurity

Bart Salaets Thumbnail
Bart Salaets
Published September 29, 2023

New EU directive means many more businesses need better security, visibility and control

Imposing stringent new requirements, the revamped Network and Information Security (NIS) Directive will demand that many more EU companies take cybersecurity seriously. 

In less than a year, NIS2 (as the new directive is known) will make it a legal requirement for a wide range of organizations to fully secure internal systems and ensure external interfaces aren’t vulnerable to attack and data theft. 

It places a big emphasis on risk management, reporting and recovery, with fines for non-compliance set to reach €10 million or 2% of annual global revenues (whichever is higher). 

Yet such fines could be the tip of a much greater financial iceberg.

With NIS2 applying to a far broader group of companies than its predecessor, the impact will ripple through supply chains. Cybersecurity will become a priority in procurement processes and could determine which businesses win new contracts.

Unfortunately, most organizations do not have the in-house skills to manage the new directive’s many requirements, particularly as their systems increasingly span multiple cloud environments and large numbers of staff continue to work from home. 

NIS2 makes full visibility a must have

Covering any business that has more than 50 employees and an annual turnover that exceeds €10 million, NIS2 will apply to telecoms, food, waste management, digital platforms, public agencies, and delivery services. It will also have a major impact on essential services covered by the original NIS like energy, healthcare, banking, and transport.

As NIS2 is implemented by EU member states, affected businesses will need to ensure all external interfaces are protected, including the applications used to interact with customers and suppliers. 

If a breach occurs, they will have to submit an early warning report within 24 hours of becoming aware of an incident, followed by an initial assessment within 72 hours, and a final report within one month. 

Consequently, it will be essential for businesses to have full visibility of what is happening in their digital operations and their digital interfaces with customers, partners, and suppliers. 

In an ideal world, a regulatory stick shouldn’t really be necessary: most commercial interactions now take place online, so business leaders should already be demanding that kind of visibility. 

Nevertheless, many smaller businesses falling under the new directive's scope won’t necessarily have a security operations center and the related reporting tools needed to comply. What’s more, they’re unlikely to have the necessary skills and resources to build and engineer those tools in-house.   

Needless to say, the pressure is on to deploy easy-to-implement mechanisms to meet NIS2 obligations. And to do so without adversely affecting their customers’ and partners’ experience. 

In particular, they’ll need a centralized console through which they can manage their full application portfolio. Cloud-based application security and application delivery propositions, such as F5 Distributed Cloud Services, can meet that need.

It’s no walk in the park for larger organizations either. One of the biggest challenges presented by the intensified regulatory spotlight on security is the added complexity of both securing and monitoring a digital infrastructure that increasingly spans multiple clouds and in-house data centres.

Today, many run applications and their constituent microservices across several environments. While the front end of an app might be running in a public cloud, the back end could be in an internal data center. At the same time, employees are increasingly logging into systems and apps from many different locations, such as their homes and co-working spaces.  

In order to secure this increasingly complex digital landscape in an NIS2-friendly way, many businesses will need a managed service equipped to span multiple different cloud, computing, and networking environments. Again, at F5, we have that expertise. 

Although the clock is ticking ever louder, there is still time to act.

EU member states must incorporate the new directive into their national laws by 18 October 2024 , so the race is on for all impacted organizations ensure their security and monitoring capabilities are robust enough to avoid the fines, and, more importantly, the reputational damage associated with compliance failure(s). 

Fortunately, the technology they need to thrive in this new regulatory environment is ready to go. 

We’ll delve into the detail in a future blog post exploring how F5 is already helping customers comply with NIS2. Stay tuned!