More Cybersecurity Audits With NIS2: What to Expect From the New EU Cyber Law
- raquelbise
- Aug 5, 2024
- 7 min read
With national laws transposing the EU's NIS2 Directive due by 17 October 2024, thousands of companies are about to face a whole new world of cybersecurity audits and requirements. For many organizations, this is going to mean a major shakeup in how they handle cyber risks and protect data. Get ready for more accountability at the highest levels of management, new incident reporting rules, and extra diligence around suppliers. In this article, we'll break down exactly what's changing so you know what to expect when the auditors come knocking. Spoiler alert: cybersecurity is about to get a whole lot more serious thanks to NIS2. We'll explain what this EU law aims to achieve, which sectors it covers, the steeper fines for violations, and key measures like supply chain diligence and tightened incident reporting that will soon be mandatory. Read on to get up to speed on NIS2 and make sure your organization is prepared.
Understanding the Current NIS Directive
The existing NIS Directive (Directive (EU) 2016/1148, in force since 2016) applies to operators of essential services (OES) and digital service providers (DSPs). OES are identified by Member States in specific sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure. If your organization operates in any of these areas, you likely fall under the scope of the NIS Directive.
Obligations for Operators of Essential Services
For OES, the NIS Directive requires implementing risk management measures and reporting cyber incidents. This includes conducting regular risk assessments, implementing security measures appropriate to the risks identified, and notifying the competent authority or CSIRT without undue delay about incidents with a significant impact on the continuity of the essential service they provide. Non-compliance can result in penalties, which are set under national law rather than by the Directive itself.
Obligations for Digital Service Providers
DSPs, meaning online marketplaces, cloud computing services, and online search engines, must also implement risk management measures and report incidents. However, their obligations are less stringent than for OES and are harmonized at EU level rather than set by each Member State. For example, DSPs only need to notify incidents that have a substantial impact on the provision of their service. Micro and small enterprises are excluded from the DSP requirements altogether.
Supervision and Enforcement
Each EU country must designate one or more national competent authorities to monitor the application of the NIS Directive, alongside a single point of contact for cross-border cooperation and one or more CSIRTs for incident handling. Competent authorities can conduct audits and inspections and request information from entities under the scope of the legislation. They are also responsible for enforcing the penalties laid down in national law in case of non-compliance with the NIS Directive.
The NIS Directive was an important first step towards strengthening cyber resilience in the EU. However, as cyber threats have evolved and Member States applied the first Directive inconsistently, the EU adopted NIS2 (Directive (EU) 2022/2555) to expand and enhance the existing legislation. NIS2 entered into force on 16 January 2023; Member States must transpose it into national law by 17 October 2024, at which point the original NIS Directive is repealed. NIS2 will impact not only organizations directly in scope but also their supply chains and service providers. Understanding your potential obligations under NIS2 is key to ensuring compliance with the upcoming changes.
Key Changes Introduced by NIS2
NIS2 significantly expands the scope of entities covered under the legislation, and replaces the OES/DSP split with two tiers: essential entities and important entities. The tier is determined by sector and size rather than by individual designation: medium and large enterprises in the listed sectors are in scope by default, while certain entities (for example, providers of public electronic communications networks, trust service providers, DNS and TLD registries, and sole providers of a service essential to critical societal or economic activities) are covered regardless of size. Many more sectors will now face mandatory cyber risk management and reporting obligations. Sectors that were not covered under the original Directive include public administration, space, waste water, ICT service management, postal and courier services, waste management, chemicals, food production, processing and distribution, manufacturing of critical products such as medical devices and electronics, research, and social networking platforms, in addition to the energy, transport, banking, health, drinking water and digital infrastructure sectors carried over from NIS1.
Increased Accountability of Management
Under NIS2, management bodies like boards of directors will be directly accountable for their organization’s cybersecurity compliance. They must approve the cyber risk management measures, oversee their implementation, and themselves follow training so they can assess cyber risks and their impact on the business; they can be held liable for infringements. The directive also sets minimum administrative fines: for essential entities up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, and for important entities up to EUR 7 million or 1.4%. Where enforcement measures against an essential entity prove ineffective, authorities can additionally request a temporary suspension of its certifications or authorizations and a temporary ban on the CEO or legal representative exercising managerial functions.
Supply Chain Risk Management
NIS2 requires entities to address security-related aspects of their relationships with direct suppliers and service providers as part of their risk management measures. You'll need to evaluate how each supplier's security practices, product quality, secure development practices, and access to your systems could impact your cyber risk exposure, taking into account any EU-level coordinated risk assessments of critical supply chains. Based on the outcomes, you may need to mandate improved security controls contractually, limit access, or replace certain suppliers.
Revised Incident Reporting
NIS2 introduces a phased approach to reporting significant incidents with tighter deadlines. A significant incident is one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or could affect other persons by causing considerable material or non-material damage. The timeline runs from the moment you become aware of such an incident: an early warning to the CSIRT or competent authority within 24 hours (indicating whether the incident is suspected to be malicious or could have cross-border impact), a fuller incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise, intermediate reports on request, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing). The goal is to improve threat information sharing across sectors and enable faster, coordinated responses.
In summary, NIS2 aims to strengthen cyber resilience across critical infrastructure and essential services in the EU. By expanding the scope, increasing accountability, mandating supply chain risk management and revising incident reporting, NIS2 should help to build a higher level of cybersecurity maturity and cooperation.
More Cybersecurity Audits and Assessments Expected
With NIS2, organizations can expect an increased focus on cybersecurity audits and assessments to evaluate their compliance. These will be conducted by the national competent authorities in each EU member state, and the intensity depends on your tier. Essential entities are subject to both ex ante and ex post supervision: regular and targeted audits, on-site and off-site inspections, ad hoc audits after a significant incident, security scans, and requests for information and for evidence that the risk management measures are actually implemented. Important entities are supervised ex post only, meaning an authority acts when it has evidence or indications of non-compliance. The scope and frequency of audits may vary in each country, but in general, they will aim to determine whether your cyber risk management and incident response plans meet the minimum standards set by NIS2.
During an audit, authorities will review documents like your risk assessment reports, cybersecurity policies, and incident response plans. They may also conduct interviews with relevant staff members to assess their knowledge and the effectiveness of implemented controls. Some audits may involve on-site visits to physically inspect systems and controls.
It's important to be prepared for these audits to demonstrate your compliance with NIS2. Make sure all required documentation like risk assessments, policies, and plans are up-to-date and readily available. Relevant staff should be familiar with the content of these documents and the technical/procedural controls that have been implemented. Gaps or areas of non-compliance identified during an audit will likely need to be addressed to avoid potential penalties.
You should also conduct regular internal assessments and audits to identify any issues before an authority audit. NIS2 itself lists policies and procedures to assess the effectiveness of your risk management measures among the required controls, so the records of these exercises are evidence an auditor will ask for. This could involve tabletop simulations of cyber incidents to test whether your team can meet the 24-hour early warning and 72-hour notification deadlines, as well as penetration testing and vulnerability assessments to identify technical weaknesses and confirm controls are functioning as intended. Making continuous improvements based on the results of these internal audits will put you in the best position to demonstrate compliance when the time comes for an official authority audit.
In summary, NIS2 aims to improve cyber resilience across critical sectors by mandating more rigorous standards for risk management and incident response. Organizations can expect closer oversight and scrutiny from authorities to ensure these standards are met, including through more frequent audits and assessments. Conducting continuous self-assessments and being well-prepared for authority audits will be key to demonstrating compliance under NIS2. Overall, this legislation signifies a push for stronger cybersecurity and greater accountability that will likely impact organizations both directly and indirectly within its scope.
NIS2's Relationship With GDPR and Data Privacy
NIS2 and the GDPR are separate but complementary pieces of legislation. While NIS2 focuses on cybersecurity risk management and incident reporting, the GDPR centers around data privacy and protection. However, there are areas where these two laws intersect and influence each other.
Under NIS2, entities must implement technical and organizational measures to manage the risks posed to the security of network and information systems. This includes safeguarding the availability, authenticity, integrity, and confidentiality of stored and transmitted data. By enhancing cybersecurity defenses and the security of processing systems, NIS2 can help support GDPR compliance and the protection of personal data.
At the same time, the GDPR’s data privacy requirements must be considered in the context of cyber risks and incidents under NIS2. For example, a cyberattack could compromise personal data, in which case both NIS2 and GDPR breach reporting obligations may apply: a NIS2 early warning within 24 hours and incident notification within 72 hours to the CSIRT or competent authority, and a GDPR breach notification to the data protection authority within 72 hours of becoming aware. NIS2 also requires competent authorities to inform the data protection authorities when a reported incident involves a personal data breach, so the two notifications need to tell a consistent story. Supply chain security under NIS2 and processor due diligence under the GDPR overlap as well: the same third-party assessment can cover both a supplier's security posture and its handling of personal data on your behalf.
In practice, organizations should adopt an integrated approach to privacy, data protection and cybersecurity. This means:
Aligning NIS2 and GDPR governance and accountability structures. For example, giving the Data Protection Officer (DPO) and the security lead (typically a CISO) a shared governance forum and a joint reporting line to the management body. Note that the GDPR requires the DPO to be free of conflicts of interest, so the DPO should advise on NIS2 compliance rather than own operational security decisions.
Harmonizing NIS2 risk assessments with GDPR data protection impact assessments (DPIAs). Analyzing how cyber risks could affect personal data.
Ensuring cybersecurity policies and procedures incorporate data protection principles. For instance, limiting access to personal data and systems to only authorized individuals.
Providing NIS2 and GDPR training holistically. Educating employees on both cyber risks and data privacy responsibilities.
Streamlining NIS2 and GDPR monitoring and audit activities. Cross-checking that technical controls address both cybersecurity and data protection needs.
While NIS2 and GDPR have distinct objectives, organizations should leverage synergies between these frameworks where possible. An integrated cybersecurity and data privacy strategy is the most effective approach in today’s digital economy.
Preparing Your Organization for Compliance With NIS2
With NIS2 already adopted and national transposition laws taking effect, now is the time for organizations to start preparing. Even if your company is not directly in scope of the new law, you may still be impacted as a third-party supplier to an entity that is. It’s important to understand what will be expected and make a plan to address any gaps.
The new legislation places more accountability on management boards and C-Suite executives. They will need to approve the cyber risk management measures, actively oversee their implementation, and complete training themselves. This means implementing risk assessment procedures, monitoring controls, and keeping detailed records to demonstrate compliance. NIS2 does not prescribe a particular role, but for many organizations this will mean designating a CISO or equivalent leader who owns the program and reports to the board; the Data Protection Officer required by the GDPR is a separate role with its own independence requirements.
You’ll also want to review and likely expand your cyber risk management programs against the minimum measures NIS2 lists: risk analysis and information security policies, incident handling, business continuity and backup management, supply chain security, secure acquisition and development including vulnerability handling and disclosure, procedures to assess the effectiveness of controls, cyber hygiene and training, cryptography and encryption, human resources security, access control and asset management, and multi-factor authentication and secured communications. Providing cybersecurity training for employees at all levels of the organization is key. They must understand their role in protecting systems and data, as well as how to spot and report potential issues.
NIS2 mandates performing due diligence on third-party suppliers and service providers. You’ll need to evaluate how much access and control they have over your systems and data. Then determine if their security measures meet your standards before engaging them or renewing contracts. You may need to renegotiate terms or find alternative providers if risks are identified.
The new reporting timelines require having an incident response plan in place ahead of any events. Your team needs to know exactly what constitutes a significant incident under NIS2, be able to issue the early warning within 24 hours of becoming aware of it, and be able to investigate and contain the incident well enough to deliver the 72-hour notification and the final report within one month. Regular testing of response procedures against those deadlines is highly recommended.
While the obligations under NIS2 may seem daunting, taking a methodical approach to assess risks, identify gaps, and implement solutions will help ensure your organization is prepared for the new requirements. With strong cyber risk management and executive leadership, compliance can become an ongoing practice rather than a one-time project. The end result will be improved security and data protection overall.
Boosting Cyber Defenses across critical sectors
The new NIS2 Directive aims to boost cyber defenses across critical sectors in the EU. While the expanded scope means more entities will face audits and need to step up their cybersecurity game, this greater oversight is intended to strengthen protections for our interconnected digital world.
For companies in scope, start preparing now to align with the new rules. Perform risk assessments, review third-party security practices, and build response plans to meet tighter incident reporting timelines. Though achieving compliance takes effort, improving cyber resilience is an investment that pays dividends in the long run. With cyber threats growing globally, we all benefit when public and private organizations work together to lock the windows and bolt the doors. NIS2 moves us one step closer to a safer online future.