NIS2: Deadline has passed, but uncertainty remains

November 12, 2024


With the NIS2 law, Europe obliges companies from various industries to give security the highest priority. If you fall under the law, there is no escape. But do companies know what to do and how?

The time has come: NIS2 is here. After the European Parliament agreed on the guidelines at the end of 2022, the member states had until October 17, 2024 to implement them into national law. The deadline has passed and the ball is now in the companies’ court. “Many companies are not ready for this,” says Siska Hallemeesch, security expert at Nviso Security Silver member from Isaac.

Abundance of tools

Hallemeesch recognizes the need for legislation. “With NIS2, a European decision has been made to increase the security maturity of organizations, especially medium to large organizations. This is intended to better prepare them for geopolitical risks and cyber attacks and increase the overall level of security. The first NIS law was limited to critical infrastructure such as energy. NIS2 opens this up to multiple sectors.”

“When I talked about geopolitical risks five years ago, people looked at me as if I spoke Chinese. Security was considered from a technical perspective, but not from a business or geopolitical perspective. This means that many companies have a wealth of IT tools at their disposal that do not offer a solution,” says Hallemeesch.

“As a company, you need to consider what security risks you have and how you are going to build an end-to-end solution from them. This process depends on the business context. This will be very different for a hospital than for a manufacturing company,” she continues.

New role for CISO

According to Hallemeesch, NIS2 will provide a different interpretation of the role of the CISO. “Now there are still a lot of technical people in the role. But a CISO also has to learn to understand the business and talk to other departments in the company. This is much more difficult, I can tell.”

“I’m not saying that technical knowledge of the tools is no longer important, but the CISO will no longer be a purely technical role. The CISOs of tomorrow are business professionals who also have this technical knowledge, but most importantly understand how to implement security management and the tools available in a business context.”

Security is viewed too much from a technical perspective. The CISO also needs to learn to understand the business.

Siska Hallemeesch, CISO-as-a-Service Nviso

Copy and paste

The NIS2 law has been enshrined in Belgian law since October 18th. This means that Belgium has done its homework on time, and that is the exception rather than the rule. Belgium and Croatia are the only Member States that have met the NIS2 deadline. During a panel organized by ITdaily, experts praised the CCB for taking the lead.

Hallemeesch comments on this. “The fact that Belgium is on time with the legislation is because the package was largely taken directly from the European Union text. I wonder if this was done with a lot of consultation. First the laws are passed and then we wait to see the impact on companies. It is good to have European legislation that is the same for everyone, but that is not the case in reality either.”

From law to practice

Companies will still have some time to comply with the guidelines, but Hallemeesch says this will not be a given. “It remains to be seen how NIS2 will be implemented in practice. There are still many questions for companies. Now NIS2 brings incident reporting obligations, but by 2027 some companies will need to obtain a certificate.”

To make it easier for companies to get started, CCB has developed a three-tier framework. Hallemeesch: “This framework is very clear. Ultimately, companies must apply it in their specific context. I also question proportionality. A lot of administrative effort is required for companies. New companies will be able to do these things more easily, but for larger organizations it will be much harder to turn the ship around.”

A lack of staff and resources, which many companies struggle with, can lead to problems. In this case, Hallemeesch advises companies to get help in good time. “NIS2 has its price. Not every company needs a full-time CISO. If you don’t have the people you need, talk to outside experts who can help you determine your current maturity level and develop a plan to increase it. It is important that management is also involved.”

“Without NIS2, some companies may have done nothing. That wouldn’t have been good either,” admits Hallemeesch. “Many companies have not yet realized that they too can become victims of a cyber incident. You almost have to experience it to understand that something like this happens every day. In this context, it is also important that companies talk to each other and learn from each other. Sharing is important in safety.”

Many companies are not yet ready. NIS2 has its price.

Siska Hallemeesch, CISO-as-a-Service Nviso

Checking a box

Hallemeesch would like to see a more coordinated approach from Europe. NIS2 is not a vacuum. In recent years, Europe has pushed through one new law after another. All of these proposed rules aim to increase the security of organizations, but the legislation is muddled, leading to confusion.

“Why can’t we find a regulation that applies to everyone? There is no doubt that organizations need to become more mature, but over-regulation is not good either. The laws are proposed by people who have no practical experience of what they mean for businesses. I’m also concerned that auditors who visit companies are primarily checking a box,” says Hallemeesch.

Roads to Rome

IT is evolving rapidly. Whether NIS2 is strong enough to withstand the test of time remains to be seen in the coming years. Do we need an NIS3 law soon? Hallemeesch is already passing on her wish. “A next version should offer companies more flexibility in achieving goals. Many roads lead to Rome, they always say.”

Above all, Hallemeesch hopes that NIS3 does not have to happen. “Do we really need more regulation? I sincerely hope that Europe will ask itself this question. Personally, I am more in favor of companies having more leeway in the current framework to determine the proportionality of their cyber risks themselves. If further legislation proves necessary, I hope that more general guidance will be introduced rather than even more disparate legislation.”

Is more regulation necessary? Can’t we give companies more flexibility in the current framework to achieve their goals?

Siska Hallemeesch, CISO-as-a-Service Nviso

ITdaily recently organized a round table on the topic of NIS2 with experts from the Belgian security industry. Visit our topic page to view all articles.

Source: IT Daily
