The EU Member States have until October 2024 to transpose the European NIS2 Directive into national law. A look at how the directive enshrines risk management.

NIS2: New rules needed

Following on from the 2016 EU NIS Directive, the purpose of NIS 2 is to achieve greater cyber resilience at European level. While sectors such as banking, insurance, energy, health and transport were already covered by the first directive, waste and wastewater management, food, internet service providers and datacenters, space, public administration and postal services are now also targeted.

This is an important and necessary regulatory step, given the particularly heterogeneous level of cybersecurity protection and maturity among European entities. While in France the number of entities targeted by NIS2 should approach 15,000, it is estimated that between 120,000 and 150,000 entities across Europe will fall within the scope of this directive. In France, the enlargement of the sectors is creating a new disparity in how aware company management is of the fundamental nature of cybersecurity and the protection of sensitive data. The nomenclature is also changing: entities are now classified as essential or important according to precise criteria, namely the number of employees, turnover and sector of activity. While the obligations are the same for both categories, the directive will be applied more strictly to entities considered essential.

The importance of Risk Management

Article 21 requires “appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of networks and information systems used by [critical and important] entities in the course of their business or in the provision of their services, and to eliminate or reduce the impact of incidents on the recipients of their services and on other services”. This can only be done through agile and effective risk management.

Technological solutions exist that offer a platform built on two approaches, depending on the level of maturity of the essential and important entities in each European state. For states with an established cyber strategy, the need will be concentrated on the entities newly brought into scope by NIS2. For the others, a more global approach is required, one capable of supporting states whose need for NIS2 compliance is greater.

For the latter, such a platform can be used to regulate their market. The State in question could then make the platform available to all of its entities, both essential and important, on a shared basis. In this way, compliance monitoring of the entities concerned is facilitated by a uniform risk-based approach.

Beyond the intrinsic value of risk management for essential and important entities, companies are obliged to comply with the Directive or face much higher penalties than those provided for in the NIS 1 Directive. As a reminder, in case of non-compliance, essential entities are subject to a fine of €10 million or 2% of total worldwide turnover, and important entities to a fine of €7 million or 1.4% of total worldwide turnover, whichever is higher in each case. The national competent authorities (ANSSI in France) are responsible for overseeing compliance and have the associated enforcement powers.

The supply chain affected by a knock-on effect

NIS 2 covers the entire value chain of the sectors concerned. As a result, all suppliers and companies working with an entity covered by the directive must also comply with the new regulation.

The supply chain, long described by professionals as one of the “weak links”, is now in the front line. The number of entities concerned has increased tenfold, and among them are many SMEs and SMIs that have not necessarily made cyber risk a priority until now. They will have to change and invest in risk analysis in order to remain compliant.

Turning constraint into opportunity

Risk management can truly become a decision-making tool that adds unprecedented value to executive committees. Risk management and analysis solutions can engage management by translating a cyber risk into a quantified financial risk. Cyber risk then becomes something the company can actively manage: a risk posture that can be reduced through a detailed action plan. Quantifying the risk engages the company’s management and involves all stakeholders: its shareholders, but also the European regulator, partners and insurers. In this way, the company demonstrates to them that it is in control of its risk. There is no need to wait for the transposition of NIS2: the platforms and solutions already exist, and their financial added value is a major asset. Knowing its cyber risk and implementing the resulting measures will enable a company to save 300% of the costs incurred, according to a 2022 study by IBM and the Ponemon Institute. While executive committees (COMEXs) may be reluctant to measure the return on investment of operational measures to reduce cyber risk, this figure should make them aware of the savings those measures can achieve.

So why wait for transposition into national law when the benefits of managing the risk could be visible within a few months?

Source: Le Journal du Net