NIS2 In Force – Roadmap to Compliance
DataProt concludes that businesses suffer ransomware attacks every 40 seconds. The Statista Cybersecurity Outlook predicts that the global cost of cybercrime will surge over the next 5 years and reach $23.84 trillion annually by 2027. Cobalt's State of Pentesting 2022 ranked ransomware amongst the top concerns that keep security teams up at night.
The pandemic and its impact on remote working have only amplified these risks. Businesses rely increasingly on new technology, which exposes them to more vulnerabilities and enlarges the attack surface. The Ponemon Institute's State of Cybersecurity Report states that 47% of businesses now worry about their inability to control risks created by the lack of physical security at remote workers' locations, and 60% say they have experienced a targeted cyberattack.
As cyber-attacks continue to grow in complexity, the European Union adopted the second Network and Information Systems Directive ("NIS2"). It is intended to take effect in October 2024. The Directive aims to strengthen cyber security and preparedness for crisis management. NIS2 expands the scope of essential and important entities, establishes a cyber crisis management structure to ensure operational resilience, specifies management liabilities, centres on risk and vulnerability assessment and mitigation, and imposes stricter reporting obligations.
NIS2 applies to all companies, suppliers, and organizations (referred to as "entities") that deliver essential or important services for the European economy and society. Organizations that don't comply with the NIS2 directive can face heavy fines:
- Essential entities face up to €10 million or 2% of global turnover.
- Important entities face up to €7 million or 1.4% of global turnover.
Allocating appropriate resources to ensure timely compliance before 2024 is critical. The following table is an example roadmap, with the steps and timeline needed to meet the new requirements:
| S.No. | Roadmap Steps | Compliance Timeline |
| --- | --- | --- |
| 1 | Board-level awareness of the directive, roadmap, and timeline to compliance | Q2 2023 |
| 2 | Assessment of NIS2 impact | Q3 2023 |
| 3 | Gap analysis | Q4 2023 |
| 4 | Develop a plan to implement measures for the gaps identified | Q1 2024 |
| 5 | Board-level awareness of gap identification, implementation, and any supporting next steps | Q1 2024 |
| 6 | Implement missing measures and strategies | Q2 2024 |
| 7 | Board-level presentation on compliance | Q3 2024 |
Anyone doing business in the European Union needs to ensure that they and their vendors are NIS2 compliant. To find out more about Opus' preparedness, please contact your Client Relationship Manager.
For details on NIS2, refer to: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333