NIS2: unnecessary regulation or a much-needed leap towards a secure Europe?

October 19, 2023

Companies in Europe will soon have to comply with new cybersecurity regulations or suffer the consequences. With the NIS2 directive, the EU wants to regulate the cybersecurity of companies. ITdaily brings four security experts together to discuss the design and impact of the rules.

Our country, like all other EU member states, must implement the European NIS2 Directive into national law by October 17, 2024. “NIS2 was developed at a European level and aims to improve the cyber resilience of organizations,” says Bart Van Vugt, Senior Cyber Security Advisor at Uptime Security.

At ITdaily’s invitation, Van Vugt sits at the table with three other security experts: Ron Nath Mukherjee, who represents the vendor side as a cyber security consultant at Eset; red team operator Thomas Hayen from Easi, who makes his living as a pentester breaking into companies (digitally); and Pelle Aardewerk, Cyber Security Consultancy Lead at HP.

From a “you can” to a “you have to”

“NIS2 is a very good development of NIS1,” says Hayen. “The first regulations were more like a ‘you can’; NIS2 becomes a ‘you have to’. The focus is much more on what happens if you don’t follow the rules. Even company management can be held responsible. Although I don’t necessarily support fines, they can amount to several million euros. This could be a wake-up call for companies that fall under the rules and now realize that they could get into trouble if they don’t implement certain things.”

The first regulations were more like a ‘you can’; NIS2 becomes a ‘you have to’.

Thomas Hayen, Red Team Operator Easi

Mukherjee is also happy with the upcoming rules. Eset plays an important role in Ukraine’s digital defense, which he believes is indicative of the world we live in today. “The geopolitical factor in attacks is becoming increasingly important,” he says. “Organizations large and small can have sensitive data. Europe’s cyber resilience needs to be strengthened and NIS2 can help raise this awareness.”

The geopolitical factor in attacks is becoming increasingly important.

Ron Nath Mukherjee, cyber security consultant Eset

Aardewerk agrees. “We are living in a cyber war, even if we are sometimes not fully aware of it. Attackers target critical infrastructure because that is where it really hurts.” He points to all the dependencies we have today in our country and across the entire EU.

Effects

NIS2 seems timely, but there are still some questions. “NIS2 comes with fines and an incident reporting requirement, just like GDPR,” notes Mukherjee. “The implementation there doesn’t seem to have gone so well.” He notes that the effectiveness of the GDPR is limited and often remains a dead letter. “In addition, there have been extensive regulations in the EU in the past, for example in the financial sector, which can deter companies.”

According to Van Vugt, the cards have fortunately been dealt differently for NIS2. “Compliance with GDPR is also mandatory,” he knows, “but you weren’t audited. This is different now, especially for the essential entities.” He refers to the key organizations that NIS2 wants to regulate most strictly because an attack on them has the greatest impact. Consider utilities, for example. “These organizations will actually have to invite auditors.”

From hundreds to thousands of companies

However, Van Vugt notes that the expected impact of these audits is still somewhat limited as they only affect essential and non-essential companies. “Hopefully this will be expanded a little more.” Mukherjee agrees. “There are around 600 companies in Belgium. Fortunately, suppliers are also considered responsible, quickly putting 3,500 to 4,000 organizations in the crosshairs of NIS2.”

Hayen: “I think the focus will be more on the supply chain than on the companies themselves. Ultimately, criminals choose the path of least resistance. Organizations will be held more accountable.”

“Companies are being put under pressure more often,” agrees Aardewerk. “Everyone is very afraid of an attack along the supply chain, and that is also reflected in the regulations. We have already spoken to one organization that has indicated that they will soon ask us whether we are following the rules. They will ask all suppliers that. That’s a good thing, because it allows us to reflect on our own situation.”

Independent, third-party reviews will undoubtedly reveal all sorts of things.

Pelle Aardewerk, Head of Cyber Security Consulting at HP

Aardewerk hopes that the audits will bear fruit. “Independent third-party assessments will undoubtedly reveal all sorts of things. I think this will start a very big cycle of improvement.”

Too many rules?

In any case, it seems that NIS2 will have a little more teeth than GDPR. But what about the regulation itself? Isn’t the EU overstepping its bounds?

Van Vugt doesn’t think so. “The things that Europe expects with NIS2 are not really extreme. It’s not a small amount, but it remains manageable and concrete. The Cyber Foundations Framework, based on the NIST cybersecurity framework, is no exaggeration.”

What Europe expects with NIS2 is not really extreme.

Bart Van Vugt, Senior Cyber Security Advisor, Uptime Security

He refers to the American framework that divides security into five pillars: identify, protect, detect, respond and recover. “In addition, the regulations are based on the risks of a company. If the front door is open but no critical assets are at risk and you’re happy with that, that’s fine. Of course you have to think about it carefully.”

Think about it

“Risk, governance and compliance are important components,” says Mukherjee. “NIS2 is not just about the technical aspect, but also about the framework that a company will put in place and how that should work within the company culture.” Hayen agrees. “The themes that NIS2 mentions are quite easy to implement.”

The experts think it’s good that NIS2 is based on risk analysis and not on a purely technical story. Companies often still have a lot to learn. Van Vugt: “Too many companies still install an antivirus program and a firewall and then believe they are safe. These solutions are all well and good, but where are your critical business processes? What assets are associated with them? What actions will you take to reduce your risk?”

“The first step is actually to think about what is really critical,” agrees Aardewerk. “For example, a major oil company in the Middle East fell victim to a ransomware attack. 30,000 devices were infected, but production continued. Since production is critical, there was a very good separation between the IT and OT networks. Know what’s important and ensure good isolation.”

Now is a good time

It will still be some time before NIS2 actually comes into force. October 17, 2024 is the deadline for the implementation of the directive into national law, although there will also be transition periods in this law. However, don’t count on too much of a margin. Van Vugt: “The details still need to be worked out, but the basic principles are already in place. It’s best to start now, otherwise it could be difficult to meet future deadlines.”

Source: IT Daily
