The impact of the NIS2 directive for Company Directors
1. Introduction
The digital economy underpins all business today, and cybersecurity is at the heart of strong digital maturity. However, as more data is generated and more trade happens online, governments and companies are facing increasingly sophisticated and prolific threats. Against this backdrop, cybersecurity legal and governance frameworks are having to evolve to keep pace.
One key aspect of the governance dimension is the duty of directors, management, and other stakeholders holding a governance position to ensure that their corporations comply with new and emerging cybersecurity standards, of which a significant example is the EU's NIS2 Directive. Beyond compliance itself, it is generally acknowledged that good NIS2 compliance is evidence of a strong governance framework at work.
The revised NIS2 Directive has the potential to have a major impact on the cybersecurity landscape across the EU. Company directors and shareholders alike should therefore be interested in understanding: 1) the main challenges in making key strategic and transparency decisions about complying with NIS2, especially as regards having a sufficient evidential basis on which to rely; and 2) the way forward in addressing these outstanding concerns, so that both company directors and key stakeholders gain a clearer understanding and a blueprint or roadmap for navigating the uncharted terrain the NIS2 Directive has mapped out.
Throughout the article, 'company director' is used to capture any person or group fulfilling a governance role.
2. Understanding the NIS2 Directive
NIS2 (Network and Information Systems 2) falls within a regulatory framework aimed at increasing the protection of digital services and cybersecurity within the European Union, and is one of a series of measures to support the development of cybersecurity in the EU. NIS2 is the evolution of the earlier NIS1 (Network and Information Systems 1), whose primary objective was to introduce a common cybersecurity requirement for companies, and not only for public authorities, and to see it implemented.
Legal definition: The NIS2 Directive obliges operating entities to introduce specific technical and organizational measures in order to ensure a defined standard of security. Applicability: The NIS2 Directive is transposed into domestic law and applies to providers of digital services in both the public and the private domain (in this respect, a distinction is made between the independent and the dependent components of the digital system, neither of which is treated as more important than the other).
Legal treatment: Under the Directive, civil proceedings take the form of professional liability, with obligations and damages determined according to whether the entity is classified as essential or important. Regulatory tension: NIS2 is ex-post regulation that sits alongside, and competes with, the ordinary ex-ante rules of the common law.
The main purpose of NIS2 is to push Member States to develop a culture of cybersecurity, to share information, and to address risk before it materializes; this is a political, value-based choice. The Directive defines which entities are essential and which are important, designates public digital service providers, specifies a minimum framework, places obligations on the entities operating essential and important digital services, and establishes a supervisory body together with a support and contingency system. In short, the NIS2 Directive sets the rules for how the Single Market for cybersecurity should be prepared and operated.
By acquiring the tools to face these risks, we become ready at the individual level as well as at the collective national and European levels.
The NIS2 position is best understood by analysing the circumstances in which the entities providing digital services operate, and in particular the position of the actors within them: the directors and their personal exposure.
For directors, put simply, the NIS2 Directive is a prudential instrument: beyond the performance actually achieved, it holds to account those who are able to do more and protects those who follow the standard.
2.1. Key Objectives and Scope
Objectives: The main objective of the NIS2 Directive is to improve the overall level of cybersecurity in the Member States, thereby protecting the Digital Single Market and addressing systemic risks. Scope: The NIS2 Directive's overall scope is the set of obligations and requirements that apply to the relevant entities designated in the Directive.
That scope is notoriously broad, affecting a vast number of entities ranging from the whole public sector to almost all private sector organizations, including companies of any size, SMEs, and micro-entities.
The NIS2 Directive demands close cooperation between Member States so that a consistent approach to identifying significant cross-border operators can be realized through the SUBC3 model. The template application of the SUBC3 model seeks to secure both the cyber and physical dependencies of Member State OESs.
It should be noted that the NIS2 Directive is a minimum harmonization regulation, meaning that Ireland can choose to take a more proactive approach to the assessment and inclusion of other entities apart from those whose identification is based on the template compliance of the Union baseline requirements.
It is important for company directors to understand the overarching objectives in proactively addressing risks. The central thrust of the Directive confirms that security issues are every company’s problem, not just IT’s concern. In reality, this is a welcome and long-overdue recalibration of understanding.
The Directive sets out its objectives within the context of a broad security framework that emphasizes the critical role of digital technology in everyday life and the need to ensure that such technologies can be trusted to be secure. It also recognizes that trust in digital technologies is a precondition for unlocking economic potential, implying that trust is not a given and must be hard-won.
2.2. Main Requirements for Companies
Management requirements regarding risk and incident handling are among the most important recurring security measures. Company directors should translate them into the following strategic considerations:
Implementation of Risk Management Practices: To enable early threat detection and a detailed security strategy, companies are required to engage in risk management, which is an ongoing practice. The company should show ongoing work in this area.
Incident Response Measures: Companies are required to have incident response measures in place that are capable of handling security threats. Early reporting carries its own risk, but companies must report once an incident has been detected; reporting in time also serves to protect stakeholder reputation. Early remediation can reduce the scope of the problem and, together with early reporting, acts as damage limitation.
Supply Chain and Third-Party Security Measures: The recent trend in security includes increased requirements on third parties, so that a company's digital security posture is not weakened by its suppliers, which in turn could harm the company. The main point is the recognition of the wider impact of a security incident or breach: attacks are generally not limited to the targeted organization's own systems.
Managers are required to handle cybersecurity on an ongoing basis, such as through security strategies, audits, and risk assessments. The latter is also intertwined with the daily operations of companies, as wage costs are an important variable in risk assessments.
Directors should therefore follow an established risk management process to ensure that risk assessment does not produce biased results.
3. Responsibilities of Company Directors under NIS2
The NIS2 Directive implies some important additional responsibilities for those running companies in the EU. The Directive introduces a higher level of personal accountability for directors in ensuring that organizations within the NIS2 remit meet the requirements and can demonstrate that they do so. Part of the core question is whether security should be treated as a risk management issue or as something taken far more seriously. With directors explicitly required to oversee the implementation of cybersecurity measures and to account for it, the risk management requirement should be much easier to adhere to, and can be seen as the result of a growing awareness at government level of the nature of cyber threats.
Because of their role, company directors are in an important position to promote a compliant approach within the organization they manage. Part and parcel of this oversight process is for company directors to get involved in the overall risk management of cybersecurity, instead of perceiving it as just an IT risk. The NIS2 scope is much broader than an IT risk management exercise, so company directors will need to understand fully that cybersecurity risk should be elevated to a principal enterprise risk, which requires regular interaction with external markets, supply chain partners, and independent assurance providers.
Running such an exercise at the top level of an organization today, whatever its precise form, is still highly educative as to the true state of cybersecurity in the organization, because only the most mature and proactive organizations currently work in this way.
What is certain is that the threat from cyber and more widely IT is considerable to just about all business environments, particularly with brand and IP being readily destructible, in addition to the safety of individuals and national infrastructure.
Clearly, if only to ensure the ongoing capability to make money, NIS2 will support the commercial business case for committing to such powerful cybersecurity processes and policies.
As part of the growing culture of strongly cybersecurity-aware businesses, company directors need to foster quality cybersecurity expertise within the organization.
4. Challenges and Opportunities for Directors
The complexity of data protection and governance in cyberspace is a challenge for directors. They find it difficult to monitor whether their businesses genuinely comply with legal standards, and they are often unable to ensure that the necessary resources reach those responsible for cybersecurity. These tasks are becoming even harder due to the NIS2 Directive, as legal expectations and technical standards for managing these problems have evolved more quickly than many company policies.
In addition to the difficulties in managing technical and legal risks, the cost of doing so may not seem worthwhile due to a lack of faith in the effectiveness of security measures generally.
The biggest companies in Poland claim to have incurred an average of over EUR 200,000 in reforming their activities in the shadow of the NIS2 Directive – roughly halved as a result of EU COVID-19 response funding. These enterprises and their regulatory compliance officers see these adaptations as a costly burden, and a portion of the people who responded to surveys even express deep distrust of the European Union for imposing such reforms.
However, on closer inspection, the executives who are willing to give the European Union its due for demanding that they get their act together are the ones building a future-oriented ethical culture.
By making necessary changes in policy and company culture now, these executives will be in a better position to build an attractive reputation for future clients and consumers who are increasingly keen on patronizing innovative, future-proof firms.
Directors should use the implementation of NIS2 to be more informed about the current state and future risks of their businesses and invest time and resources in strengthening business resilience and information governance. What, therefore, are some best practices that will turn this seemingly difficult, costly compliance task into a competitive advantage?
Firstly, business leaders can identify and promote the opportunities for progress and innovation that emerge when companies are human-centric and offer workers clear, enforceable working conditions. Secondly, through regular internal or external reporting, they can link their provision of a secure, smart working environment directly to their compliance with the NIS2's definition of a 'cyber-resilient' operator, or of an operator 'managing risks at the level of compliance with cybersecurity requirements'.
Directors can make use of these operational executive functions to shift the value of their security policies from simply avoiding financial penalties and reputational harm to developing a market position at the forefront of the digital transformation for clients and workers who share their vision.
In so doing, directors can create added value for their enterprise and brace themselves for the next challenges to come.
5. Case Studies and Best Practices
Multiple regulated sectors have undertaken the journey of compliance with the NIS2 Directive, because the Directive affects sectors including energy, health, finance, transport, telecommunications, and public administration. Notwithstanding the heterogeneity of these companies, some emerging best practices are beginning to shine through, both as sector-specific differences in how outcomes are achieved and as general evolving trends. At a high level, directors across regulated industries must recognize that there is no strictly right or wrong way to implement the Directive: organizations will develop their own approaches to align it with their broader risk management frameworks.
Case studies of proven tactics can help inspire action within companies that are preparing their boards and senior management for the new mandate. It can be helpful to reflect on companies' past and ongoing experiences in implementing NIS2-style cybersecurity requirements in practice. In the electricity sector, for example, companies reported that their approaches to cybersecurity governance had produced both successful and less positive outcomes.
In their efforts to comply with an earlier legal mandate, electric utilities and grid operators found their initial policies and procedures tilted the oversight and management balance too far towards compliance. The electricity sector probably overstated their security preparedness to keep market confidence high.
As the electricity sector's oversight of digital systems has evolved, however, grid operators now universally agree that taking a learning approach and revising security governance arrangements constitutes a best practice.
These practices continue to evolve because they preserve electricity companies' ability to respond to an evolving and adaptive realm of threats.
Threats to the electricity sector were never expected to be eliminated so much as managed. While there is no magic bullet that makes an electricity company invulnerable, the same learning approach that has produced a degree of commercial readiness in electricity can also be expected of digital services across the NIS2-regulated industries.
The stories of these companies highlight that implementing cybersecurity systems and organizational adjustments in line with the NIS2 framework is a continuous, performance-focused, and highly adaptive process. Directors should read and learn about NIS2 and be inspired by what are essentially insights from the front lines of compliance.
They should study, refine, and adapt their policies, and rotate their senior managers on a regular basis to broaden the organization's awareness of cybersecurity governance and its priorities.