It’s been eight years since GDPR (the General Data Protection Regulation) was brought into force by the EU, promising wholesale changes across multiple industries in the way companies secured their users' data and in what they could, and could not, do with it. Eight years on, we’ve seen little tangible change outside of a few fines settled behind closed doors, a few more GCP or AWS workloads hosted in the EU rather than North America, and a lot of legal bills for drawing up inter-company transfer agreements to avoid the requirements of GDPR. The requirements were too vague, too easy to self-declare and too hard to assess and enforce.
The EU is giving it another go, but this time, at least at first glance, it seems very different. The Network and Information Security Directive (NIS2) (yes, there was a NIS1, which also didn’t achieve its objectives) was written into law almost unnoticed last January and will come into force in all member states, and in some form in the UK, in October 2024. So why will this time be any different, I hear you ask? NIS2 differs from previous efforts: it’s focussed on critical infrastructure, which everyone worries about; it has more granular requirements; and it requires annual evidence of compliance, not just self-attestation.
What is NIS2?
NIS2 is a regulation focussed on the protection of critical infrastructure in the EU. It was drafted into law in January 2023, but member states have until October 2024 to enforce it at a national level. It covers a large range of industries including critical infrastructure, banking, healthcare, energy, transport, public administration, digital infrastructure (telecommunications, data centres, etc.) and ICT providers (MSPs and MSSPs). It does not reach outside the EU, but any international organization with security decision makers in the EU or large security teams in the EU falls into scope. It is also very likely that the UK will enact comparable regulation in a similar timeframe.
It focuses on four key areas:
- Risk Management
- Protections Against Cyber Attacks
- Detecting Security Events
- Minimizing the Impact of Incidents
You can learn more about these in the NIS2 Directive.
Reading between the lines on the controls required, the real focus appears to be on:
- Access controls
- Third party risk management
- Compliance (Policy & Governance)
Aptien published a great blog on some more detailed controls.
Unlike some previous regulations, it requires some organizations to submit evidence annually in order to demonstrate compliance. It is also highly likely that partners and customers will require evidence of compliance before agreeing terms in the future.
The penalties are revenue-based, similar to GDPR, with a maximum fine of either €10,000,000 or 2% of global yearly revenue, whichever is higher. Additionally, and in line with recent trends, security leaders can also be found personally liable for negligence in respect of the regulation.
Overall it is more prescriptive, more direct and more focused than comparable regulations, such as GDPR, have been, and placing the onus on the entity to evidence its posture rather than merely attest to it will make the whole thing more meaningful and more real.
What do GRC professionals need to know about NIS2?
Firstly, there’s the obvious fact that this will become another framework with which GRC is responsible for managing compliance. It has the inevitable overlap of control requirements with the usual suspects of SOC 2 and ISO 27001; I’d say at least 80% of the requirements of NIS2 will already be in place if both of these frameworks are active within an organization.
It’s exactly this overlap though that makes it interesting. There is a significant focus within NIS2 on several areas that classically fall under GRC teams and could lead to increased exposure, collaboration, and budget for wider programs. Risk Management, Policy Governance & Third Party Risk are all key domains within the regulation.
As we pointed out earlier, evidence collection and maintenance are key parts of NIS2 compliance. Unlike other standards that follow an audit cycle with a defined timeline for when evidence will be required, NIS2 compliance can be audited by a regulator at any point in time with minimal notice. This means evidence needs to be collected and retained in near real time, so that you are always ready for a regulator audit or customer request. Ivanti recently published an article on the importance of audit readiness for NIS2.
Finally, NIS2 presents GRC professionals with an opportunity. If you work for a company that falls under the scope of NIS2, this is a chance to build a more robust program and mature some of the controls that budget hasn’t previously allowed. If you’re a consumer of critical services under the scope of NIS2, which most of us are, then we now have the opportunity to gain a greater level of comfort over that part of our supply chain and to benefit from the improvements made throughout the wider supply chain in response to the new requirements.
How can Anecdotes help?
NIS2 is a new compliance framework focused on evidence-led compliance and requiring audit readiness at a moment’s notice. There probably isn’t a more perfect use case for Anecdotes' data-driven compliance platform. We can help with the end-to-end journey, from gap assessments and defining and implementing controls, to assessing control efficacy and maintaining an audit-ready, evidence-based posture that the regulator will love. Learn more about our data-powered audit readiness.