Is NIS2 the new cyber project after GDPR?


Joachim von Schantz
NIS2 (Network and Information Systems Directive 2) is indeed a significant legislative initiative in the realm of cybersecurity, but it is not a successor to GDPR (General Data Protection Regulation). While both NIS2 and GDPR impose security obligations on organizations, they address different aspects and serve distinct purposes.

GDPR primarily focuses on the protection of personal data and the privacy of individuals. It sets out rules and regulations for the processing of personal data and places specific obligations on organizations that handle such data.

NIS2, on the other hand, concentrates on the resilience and security of network and information systems, especially in sectors deemed critical to society and the economy. It outlines requirements for enhancing the cybersecurity posture of these critical sectors, including incident reporting, risk management, and security measures.

In essence, while both GDPR and NIS2 are essential components of the broader European cybersecurity and data protection framework, they serve different roles, with GDPR primarily addressing personal data protection and privacy, and NIS2 dealing with the security of critical infrastructure and systems. One practical difference follows from their legal form: GDPR is a regulation that applies directly in every Member State, whereas NIS2 is a directive that each Member State transposes into its own law, so the precise obligations, supervisory authorities and penalties vary from country to country.

NIS2 (Directive (EU) 2022/2555), adopted in December 2022 and in force since January 2023, replaces the original NIS Directive of 2016 and is a transformative step towards fortifying the digital landscape in the European Union. It pursues three objectives that will shape the future of cybersecurity and resilience across the EU:

  • Enhanced cyber-resilience
  • Harmonized resilience across Member States
  • Collaborative preparedness for large-scale incidents and crises

Enhanced cyber-resilience. In a world where the digital realm permeates every facet of our lives, the first objective of NIS2 is to elevate cyber-resilience. It requires public and private entities in the sectors it covers, classified as either essential or important entities, to adopt robust cybersecurity risk-management measures. Notably, NIS2 widens the scope of NIS1 to encompass sectors such as electronic communications (telecoms), digital providers including social networking platforms, and public administration. It also ends the fragmentation seen under NIS1, where each Member State identified operators by its own criteria, by applying a uniform size-based rule to decide which entities in a listed sector are in scope. Finally, it requires in-scope entities to address the security of their ICT supply chain, including their relationships with direct suppliers and service providers, a crucial aspect in the era of the Internet of Things (IoT).

Harmonizing resilience. To create a seamless and consistent cyber-resilience framework across the EU, NIS2 aligns several key elements: the scope of the directive, the minimum security requirements, incident reporting, and supervision and enforcement. Incident reporting is staged so that authorities learn of a significant incident early without the entity having to wait for a full analysis: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. NIS2 also gives supervisory authorities a range of enforcement powers, including binding instructions, orders to carry out security audits and to implement the resulting recommendations, and administrative fines for non-compliance.

Maximum administrative fines: €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities; €7 million or 1.4% for important entities.

In the modern corporate landscape, the CEO and the Board of Directors can no longer delegate cybersecurity and look away. NIS2 requires the management body of an in-scope entity to approve the cybersecurity risk-management measures, to oversee their implementation, and to follow training so that it can assess cyber risks and their impact on the business; members of the management body can be held liable for infringements. For essential entities the directive goes further: where other enforcement measures have failed, the competent authority can temporarily prohibit any natural person with managerial responsibility at CEO or legal-representative level from exercising managerial functions in that entity. The 1.4% and 2% figures above are caps on fines against the entity, not personal penalties; what a manager personally faces is determined by the national law that transposes the directive.

By introducing personal liability, NIS2 underscores the significance of proactive leadership in the realm of cybersecurity, where ignorance is no defense.

Collaborative preparedness. NIS2 not only strengthens the security of individual entities but also enhances the EU's collective capability to handle large-scale cybersecurity incidents and crises. By fostering trust and information sharing among competent authorities, national CSIRTs and the CSIRTs network, it enables a coordinated response. It also establishes EU-CyCLONe, the European cyber crisis liaison organisation network, in which the Member States' crisis-management authorities coordinate the handling of EU-wide cybersecurity incidents and crises, and it requires each Member State to adopt a national plan for responding to large-scale incidents.

With NIS2, the EU is poised to create a safer and more resilient digital environment. It's a significant step towards safeguarding businesses, governments, and society as a whole in an ever-evolving digital landscape.

Member States must transpose the directive into national law by 17 October 2024, and the national rules based on NIS2 apply from 18 October 2024, the date on which the original NIS Directive is repealed.

NIS2, the directive aimed at fortifying cybersecurity, presents a unique opportunity for Chief Information Security Officers (CISOs) to step into a leadership role within their organizations.

NIS2 pushes CISOs beyond their traditional advisory role into that of strategic leaders. No longer confined to the technical realm, they must combine technical depth with business acumen, and, because management bodies are now accountable for approving and overseeing risk-management measures, they become the people the board relies on for evidence that those measures are in place, tested and reported on. As leaders, CISOs guide their organizations towards a future where cybersecurity is a central pillar of success.

By embracing their leadership role, CISOs can not only elevate the importance of cybersecurity within their organizations but also expand their budget and scope of action. Their primary goal remains steadfast: to champion comprehensive security in a continually evolving digital landscape.

To fulfill this leadership mission, CISOs can develop a strategic plan centered on three key pillars:

  • Governance - Ensuring that the organization's leadership fully grasps and prioritizes its cybersecurity responsibilities, approves the risk-management measures it is accountable for, and receives the training the directive expects of management bodies.
  • Incident Detection and Response - Building a resilient detection and response capability that can swiftly contain security incidents and meet the staged reporting deadlines (early warning, notification, final report) towards the competent authority or CSIRT.
  • Securing and Testing Perimeters and Assets - Strengthening defenses across the organization's own systems and its supply chain, and regularly testing them to maintain a proactive and robust security stance.

With NIS2 as the catalyst, CISOs have the chance to assume a pivotal leadership role, guiding their organizations through the complex world of cybersecurity, and steering them towards a safer and more secure digital future.