
Like a lion in a cage: How SMEs are affected by NIS2

  • November 4, 2024

SMEs that are suppliers to large organizations also need to be NIS2 compliant.

The NIS2 regulations were created to increase the cyber resilience of large companies in key sectors. Within these regulations, various aspects must be taken into account, and the supply chain is one of them. SMEs show up in this supply chain and, as small companies, are suddenly inundated with questions about NIS2. Do SMEs know the regulations, and how complex are they for them?

ITdaily brings together five experts to talk about the challenges of NIS2 for SMEs. We sit down with Alex Ongena, CEO and founder of AXS Guard, Ron Nath Mukherjee, cyber security consultant at Eset, Driek Desmet, systems engineer at Easi, Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens, and Yoran Dons, ICS Security Consultant at SoterICS.

Supply chain

“NIS2 is also popular with SMEs,” begins Desmet. “Many small businesses come to us with questions about what NIS2 is and what steps they need to take.” Ongena picks up on this: “It is a concern for SMEs because the security of the supply chain is one of the aspects within NIS2.”

SMEs are in the middle of this supply chain and therefore receive long questionnaires from their customers. They try to fill out the questionnaire as best they can, “but they often don’t always know what exactly to say,” says Ongena.

Uniformity

Small organizations that serve an important facility such as a hospital therefore end up high in the scope of NIS2, and rightly so, even if they are very small. Dons emphasizes the importance of a uniform approach to better support SMEs in the NIS2 labyrinth. “In this way we could work with the same questionnaires, since companies have to carry out the same checks at a certain level,” says Dons.

“This meant we could proactively approach SMEs with a uniform approach. For example, there are working groups within Agoria that recognize this problem and are also working on it,” he says. Ongena also sees solutions for SMEs, namely that they can get certified. “Obtaining an ISO certificate or NIS2 label is also a smart idea for smaller companies. If you can demonstrate this, it can lead to huge savings for an SME,” explains Ongena.

Obtaining an ISO certificate or NIS2 label is also a smart idea for smaller companies.

Alex Ongena, CEO and Founder AXS Guard

Many SMEs are exposed to NIS2 through their major customers. The supply chain is full of small links. “Almost everyone will have to deal with this at some point. The supply chain can sometimes be very long,” adds Pauwelyn.

Part of evolution

Mukherjee looks at these friction points differently in the area of NIS2 compliance for SMEs. He sees this as part of evolution. “That is exactly the purpose of the regulations: to confront reality.”

The friction points of NIS2 compliance for SMEs are part of the evolution.

Ron Nath Mukherjee, cyber security consultant at Eset

Additionally, he notes that this means his customers are viewing cybersecurity less as a cost and more as an investment. “Cybersecurity awareness really seems to be growing,” says Mukherjee. Pauwelyn agrees: “Companies have to get involved, otherwise they will fall by the wayside.”

MDR in SMEs

Mukherjee wonders how to eliminate cybersecurity complexity in small organizations in general. “For example, SMEs have more limited access to MDR services (Managed detection and response) like SOC or SIEM compared to larger companies.”

Lower budgets and more limited knowledge play an important role. Ongena: “It makes no sense to install various tools and alarms in SMEs if no one has the time or knowledge to work with them.”

Many security companies integrate standard customer components, which requires many people to properly tune them. “It has to be done the other way around. We have created a product with enough features that can be applied in a unique way for each customer. The streamlining, dashboards and SOC processes are the same for all customers, which keeps the price so low. This means that even small companies can use a fully managed SOC,” says Ongena.

Desmet also offers a solution to the SOC problem for SMEs. “We have a Belgian-made MDR system, Bluehorn, specifically designed for SMEs. This provides small businesses with a comprehensive security solution that connects all endpoints,” says Desmet.

Subsidize?

NIS2 brings new challenges for SMEs. As small businesses, they are stuck in the supply chain and are therefore forced to also be NIS2 compliant. This often leaves them at a loss and searching for answers. The consequences for SMEs have now been recognized. There are various helplines or alternatives where small businesses can still find their way to NIS2 compliance.

Various MDR alternatives tailored to medium-sized businesses are also discussed at the table, from which small companies can benefit as well, such as a fully managed SOC that they can deploy to increase their cyber resilience.

Mukherjee asks the gentlemen one last interesting question: “Should the state distribute subsidies to SMEs and cities and municipalities so that they can also be compliant?” All participants agree with this statement. “That’s a good idea. It is actually money that you put into your own economy,” concludes Dons.

This is the third editorial article in a series of three articles on the topic of NIS2.

Source: IT Daily