How Well Are Nordic Companies Prepared for EU's Cyber Security Regulations? Insights from Nixu Experts

Peter Hellström


Business Unit Leader, Advisory

June 25, 2024 at 09:00

Critical infrastructure industries and numerous companies will soon be affected by the more stringent requirements of the NIS2 Directive introduced by the European Union. The directive broadens the scope of the original NIS Directive to cover more industries and more of the companies within them. So, where do organizations stand based on observations and interactions with clients, and what kind of projects can a cyber security services company like Nixu, a DNV company, help with? Nixu’s experts Kimmo Kröger, Head of Sales for Enterprise & IT, Peter Hellström, Head of Cyber Security Management Consulting, and Jouko Juhola, Lead Security Consultant, share their insights based on their interactions with the market.


Where Does the Nordic Market Stand with the Upcoming NIS2 Directive?

Kimmo: I think that Nordic companies are well-prepared for the NIS2 directive. Those that aren’t aware of it are now getting up to speed. However, as they say, the devil is in the details. Especially within larger entities, we’ve noticed that there are always gaps, even though information security is generally considered well-managed.

Peter: To be honest, the companies are not very well prepared in general. This is mostly due to a lack of clarity in the upcoming legislation and in the rules deciding who will be affected by NIS2. Companies seem to take the stance ‘not until I am told’ and, therefore, wait.

Jouko: We’ve seen companies taking steps to evaluate their current practices in anticipation of the expected compliance level of NIS2, but initiating real investments for improvement seems to be difficult. Nevertheless, the NIS2 directive is going to create new laws that will come into force in less than a year. It has its requirements for managing cybersecurity risks, so there should not be any excuse to leave everything until the last minute.

Nixu has been conducting NIS2 readiness assessments and roadmap projects scoped for NIS2 and other cyber compliance requirements. The work has included development programs built on those roadmaps, which typically start with implementing a proper Information Security Management System (ISMS) for the customer. In addition, these programs have included concrete control, process, or technology implementations, such as Incident Management, Security Monitoring, Business Continuity, Vendor Management, or Identity and Access Management (IAM).


What Are Your Thoughts on the Timeline?

Kimmo: Well, the directive becomes effective in just four months! Some say that Finland’s legislative work is quite advanced compared to other Nordic regions, but things are moving rapidly now. We actually delivered our first NIS2-related projects over a year ago. Surprisingly, demand has been slower than expected. Many clients are still handling NIS2-related work internally, while some are waiting for local legislation to be ratified. However, we’re now witnessing growing demand. The lack of internal resources and shorter timelines are pushing organizations to seek external reviews of their compliance status. Additionally, awareness is increasing regarding other related directives.

Peter: It seems companies are still waiting. In fact, many companies have not started any initiatives at all, and this is disturbing. I believe we will see a surge in initiatives and advisory requests during the second half of this year. The situation is very similar to the one we had with GDPR: many waited until the last minute.

Jouko: What Peter said.


What About Other Regulations in the EU’s Pipeline?

Kimmo: As anticipated, we thought there would be more consulting work related to NIS2. However, we’re increasingly occupied with DORA (Directive on Open Banking), CRA (Cyber Resilience Act) and RED (Radio Equipment Directive). Industries that are heavily impacted by these directives are more mature in dealing with compliance. NIS2 companies, on the other hand, exhibit more heterogeneity. Nevertheless, these directives and acts are not isolated islands, and some organizations need to be compliant with multiple cyber-related regulations. This means that clients are adopting a holistic approach, involving their businesses, group IT, management support functions, and even collaborating with clients at the same table to tackle the “regulation tsunami”.

Peter: There are, like Kimmo states, several new pieces of legislation coming up in the next few years. I think the ones that will include the biggest challenges are the NIS2 directive combined with CER (Critical Entity Resilience) and CRA combined with the EU Data Directive. Both combinations will require large investments and internal changes to companies.

Jouko: I’ve been primarily following the NIS2 to maintain my focus, but I’m very interested to see how the AI Act will be received and where AI will truly lead us as a technology. Currently, many AI-related activities, from a management perspective, are being delegated to cybersecurity teams, so we need to be prepared for AI and continue educating ourselves in this area as well.


What kind of impact has NIS2 had so far?

Kimmo: Well, time will tell. NIS2 is a rather strong push to reinforce the security posture of European organizations. It could be a wake-up call for the board of directors or a way for CISOs to request more investments in information security.

Peter: Companies have started asking questions with NIS2 and the other directives as drivers. Since the purpose of, at least, NIS2 is to create a baseline security for all, I think that’s excellent. Right now, the directives spawn curiosity, and hopefully, this will turn into action soon.

Jouko: It has alerted company management to ask the right questions about their current security practices, such as ‘Are we NIS2 compliant?’, ‘Do we belong to these critical sectors?’, and most importantly ‘Do we need to do something?’. So, I would say that there has been at least an increase in awareness of security practices if not initiation of development programs or adjustments in risk management approaches.

In the best case, if the security team has already done its job and built an ISMS or found some other way to manage the organization’s cybersecurity, they have most probably already been able to satisfy the management with their confident response.

With a well-established ISMS, fine-tuning the processes from a NIS2 perspective is much less work than for those who are already behind schedule in starting to build one from scratch.

The new compliance requirements give organizations an opportunity to elevate their cyber security practices and gain a competitive advantage. Non-compliant organizations will find it difficult to sell their products and services and may face sanctions. Now is the time to assess whether your organization is in scope and what being in scope will mean in practice. We strongly recommend that, if you have not already done so, you start preparing for the new laws and developing the capabilities needed to meet the new requirements.

For more information on NIS2, CER, CRA and DORA, including details on who is in scope, what that means, and relevant deadlines, download our whitepaper: European Cybersecurity Regulation and Compliance.

