Thursday, December 26, 2024

What tough new internet regulations mean for big businesses | Real Time Headlines

Oscar Yellow | Moment | Getty Images

Companies could face huge fines or even have their services suspended in the European Union under tough new cybersecurity regulations that come into effect next month.

The EU’s NIS 2 cybersecurity directive will be enforced by member states on October 17. This means companies must ensure their operations comply with their obligations under the new law.

These rules impose stricter requirements on a company’s network resilience policies and internal security practices.

CNBC has a comprehensive look at everything you need to know about NIS 2—from the legal requirements to the potential penalties businesses could face for noncompliance.

What is NIS 2?

NIS 2 stands for Network and Information Security Directive 2 and is an EU directive aimed at improving the security of IT systems and networks across the EU. The law was introduced in 2020 and is an update to the earlier directive, known as NIS.

NIS 2 expands the scope of its predecessor to address recent cybersecurity challenges and threats that have emerged as criminals find new ways to breach companies and compromise their sensitive data.

The directive applies to organizations that operate within the EU and provide essential services to consumers, including banks, energy suppliers, healthcare providers, internet providers, transport companies and waste handlers.

The main areas it will address are risk management, corporate responsibility, reporting obligations and business continuity planning in the event of a cyber breach.

Geert van der Linden, executive vice president of global cybersecurity services at Capgemini, told CNBC that NIS 2 effectively sets a new benchmark for what companies must do to protect citizens, maintain operations, respond to cyber threats and stay resilient when attacked.

Van der Linden added that when NIS 2 is enforceable, “judges will view it as a global standard”. “For our clients, regardless of whether they are deemed essential or significant in regulation, they must consider that baseline and ensure they are compliant.”

Van der Linden added that by meeting this baseline, companies will effectively protect themselves against claims. He likens it to buying home insurance to protect your home from burglars.

“Where do burglars go? That’s always the least protected house. They open every door to see where they can get in,” he said. The same is true for companies looking to protect themselves from cyberattacks, van der Linden added.

Under NIS 2, companies must also review their digital supply chains for cyber threats and vulnerabilities. Companies now rely on a large number of third-party products and tools in day-to-day operations, which gives criminals more potential avenues for attack.

Chris Gow, head of Cisco’s EU public policy team, told CNBC that “bottom work” will be carried out under NIS 2, and companies must scan their technology suppliers to assess any potential risks.

Under NIS 2, businesses also have a “duty of care” to report and share information about cyber breaches and hacking attacks with other companies, even if this means having to admit to being a victim of a cyber breach.

What happens if the company doesn’t comply?

Companies that don’t comply with the new law could face hefty fines and other punitive measures.

For entities deemed essential, such as transport, finance and water companies, failure to comply with NIS 2 could result in fines of up to €10 million ($11.1 million) or 2% of global annual revenue, whichever is higher.

Meanwhile, companies deemed important, such as food companies, chemical companies and waste management services, face fines of up to €7 million, or 1.4% of their global annual revenue, for non-compliance.

Businesses that fail to comply with NIS 2 may also face service suspensions and be placed under closer supervision to verify that they are compliant.


If businesses fall victim to a significant cyber incident, they will have 24 hours to submit an early warning notification to the authorities. This is stricter than the 72-hour window in which companies must notify authorities of a personal data breach under the EU’s separate data privacy law, the GDPR (General Data Protection Regulation).

“Preparing for NIS 2 is not a race to see what you can get away with, but a race to see which of the strongest organizations rise above the baseline and capitalize on this effort to gain a competitive advantage,” said Carl Leonard, EMEA cybersecurity strategist at Proofpoint.

“I expect that organizations will be better supported through coordinated efforts at EU level,” Leonard said. “This will include shared threat intelligence, a higher common level of cybersecurity and a ‘we are all in this together’ mentality.”

Is your business ready?

Businesses have been racing to develop internal processes and controls, as well as a broader cybersecurity culture, before the October 17 deadline.

Cisco’s Gow said that even without new regulatory threats looming, companies have been working to change their internal culture to ensure they take the threat of network breaches and outages seriously.


“Even without looking at what’s happening on the regulatory side, we’re seeing reporting from the CISO (chief information security officer) level all the way up to the board and management.”

He added that NIS 2 is forcing enterprises to move faster to bring their network controls and practices up to speed with the new rules.

“It’s definitely going to have an impact,” he said. “I’ve seen this myself. People internally are asking sales and management questions, asking ‘How does this impact us?’” He added that businesses should “prepare now” to ensure they meet the requirements of NIS 2.

Still, while cybersecurity has become a greater focus for boardrooms, that hasn’t stopped cyberattacks from happening.

Earlier this year, UK private healthcare provider Synnovis suffered a ransomware attack that disrupted more than 3,000 hospital and GP appointments. The attackers, a Russian hacker group called Qilin, demanded a ransom of £40 million.

Gow said it was a mistake to think new regulations would prevent similar incidents in the future, but added that NIS 2 would help “do some review and focus resources on showing how to improve the overall level of safety”.
