Companies across Europe know it’s coming. Taking steps towards NIS2 compliance now just might give you an edge, according to Omny cybersecurity expert Audun Scheide. Learn about the best actions to take to have the biggest impact and move toward compliance.
The EU’s NIS2 directive will go into effect on 17 October 2024. If you are a company engaged in economic activities in Europe, it’s highly likely you are in scope. This directive represents the minimum cyber risk management requirements to which organizations across industries must comply, or otherwise face penalties estimated up to €10 million or 2% of annual global revenue (whichever is more).
“Unfortunately, the cyber security risks facing organizations are only growing. The EU recognizes this and has responded through NIS2, their reviewable and sanctionable measures for building cyber security competence across member states – upon which local laws can be built to set even stricter regulations within the countries,” explains Scheide.
Getting started can be a daunting task, perhaps even reminiscent of the early days in GDPR enforcement. This time around, NIS2 requires companies to put in motion a course of action, one designed to both address and protect organizations from cyber security threats.
So, where should your company begin its NIS2 journey?
“There are some basic steps that need to be taken before any company deep dives into implementation,” says Scheide, “Starting early to understand how to approach NIS2 will provide your organization with some peace of mind, since you will be proactively taking steps to be a more compliant and resilient organization,” says Scheide.
Here’s Scheide’s 5 step approach to achieving NIS2 compliance
Step 1: Get a bird’s-eye view
The first step is to understand whether your company falls under the scope of NIS2. This requires an evaluation of your business and an understanding of which parts of that business may be impacted. It also means that you will need to get an overview of your assets and vendors, as the supply chain is also a focus area in the NIS2 directive.
Step 2: Know the NIS2 timeline and prioritize it
Starting early has some advantages. It enables you to plan, prepare and importantly, budget – thus avoiding last minute, unwelcome surprises. As many experienced with GDPR, compliance with new regulations can take time depending on the organization’s current level of maturity. With an overview of the organization in hand (step 1) and an early start to planning, your organization’s road to compliance will be a much smoother ride. As mentioned above, the date to keep in mind is October 17, 2024 when companies will need to legally comply with the NIS2 directive.
Step 3: Build understanding of where you are currently
The next step is to assess your current state of compliance and uncover your gaps. Review the things you are already doing to mitigate cybersecurity risks. Is there a strategy in place? What goals have you set? Do you have resources dedicated to this? This is an important step that may enable you to tick off some NIS2 compliance boxes early on, and clearly identify where you need to step it up going forward.
Step 4: Get everyone on board.
NIS2 compliance is not the job of a small task force sitting in the corner. It will require people at all levels, from across the company – and leaders, in particular. Leaders are often the ones responsible for allocating budget, assigning resources, and advocating any changes stemming from NIS2 compliance. This means that your executives need to be on board, understand what’s at stake, and take an active role in prioritizing and planning your organization’s cyber preparedness.
Step 5: Don’t just buy another tool
As you start the work to close your gaps, you’ll likely need to investigate solutions to help you implement, monitor and report on your NIS2 compliance. But be discerning. Request a demo and run a pilot. And when the time comes, choose the solution that meets both regulatory and internal requirements – one that can be easily integrated with your already established tools and processes. It’s also important that the solution you select can develop along with you as you mature in this area.
NIS2 is not a one and done kind of journey
There are a lot of uncertainties around NIS2. Knowing how this directive will affect your business can be difficult to understand. Why not start with a discussion around your needs around NIS2? Our advisors are here for to help you find the best journey to compliancy.
