First in a three-part series (Assess – Implement – Manage) on achieving NIS2 compliance
Understanding the latest EU cyber-security legislation, the NIS2 Directive
If any business was in any doubt about how seriously the European Union enforces its regulations, the number and size of the financial penalties handed out to US and other global multinationals by data protection authorities around Europe over the last five years should be a wake-up call. These penalties were for GDPR breaches: failures to comply with the law on the handling of personal data. Cumulative GDPR fines have now passed €4 billion. The threat landscape that drives this enforcement keeps growing too: in the U.S. alone, the number of publicly reported data compromises jumped 78% in 2023 to a record 3,205. This level of enforcement is an early warning of how seriously a raft of new regulations needs to be taken.
With NIS2, the stakes are raised even higher because many more companies fall within its scope, and senior management is made personally accountable for non-compliance: for the most serious failings, supervisory authorities can temporarily ban individuals at chief executive or legal representative level from holding management positions. Other sanctions include ordering the organisation to make its compliance violations public and naming the individuals responsible for them.
The original Network and Information Security (NIS) directive of 2016 was targeted at operators of essential services; NIS2, which applies under national law from October 18, 2024, extends coverage to further sectors considered critical. Every multinational needs to check where it fits within the scope of the two categories. More sectors have been added to the ‘Essential Entities’ covered by the original NIS directive, and the ‘Important Entities’ category is new:
- Essential Entities: health, energy, transport, water (drinking and waste), digital infrastructure, space, banking, ICT service management, public administration, financial market infrastructure
- Important Entities: digital service providers, research institutes, food production/distribution, postal/courier services, waste management, manufacturing, chemical manufacturing/distribution
Maximum fines for non-compliance are at least €10 million or 2% of total worldwide annual turnover, whichever is higher, for Essential Entities, and at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for Important Entities.
Planning a proportionate response
Compliance with NIS2 is mandatory. Even if an organisation is not physically located in the EU, it will be subject to the directive if it provides in-scope services or carries out in-scope activities in the member states where the legislation applies. NIS2 is about ensuring companies have security measures in place that are proportionate to the risks they face and to the severity of the incidents and breaches those risks could cause. To cut through the complexity, BT are here to help. We have a long history of supporting global multinational companies that are grappling with EU regulations, and we are currently helping our customers get NIS2 ready by running risk assessment workshops and preparing a gap analysis of where the business is and where it needs to be to achieve compliance.
We have a global footprint and are used to working with multinationals across different countries and jurisdictions, all with unique regulatory requirements. Our consultants have had to acquire an in-depth understanding of national and international data protection regulations and use tried-and-tested control frameworks to match appropriate levels of security to the compliance need.
We will devise a Governance, Risk and Compliance (GRC) strategy that includes an analysis of your risk profile as it relates to NIS2. We will carry out a security risk assessment that identifies the gaps in your defences that need to be plugged, and a compliance audit on which to build an appropriate and long-lasting framework that can be adjusted as regulations change.
Our experts will quantify your risk profile across people, processes, technology and cybersecurity products. Crucially for NIS2 compliance, we will examine your supply chain relationships and ensure that rigorous security standards extend into the business ecosystem you operate in. The outcome will be a holistic approach to compliance, where all the components are governed with a single view, rather than run in silos.
Reaping benefits by association
BT will also advise on putting policies in place to meet some of the more exacting demands of NIS2. For any significant security incident that threatens a company’s ability to fulfil its service obligations, a defined incident notification process must be followed. We can advise on an end-to-end process, from the use of early warning detection tools to reporting the incident to the competent authority within the demanding deadlines set out by the directive: an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month.
All our clients will get the benefit of BT’s global experience and a threat intelligence capability that follows industry best practice, assimilating inputs from a wide range of external sources alongside proprietary data pooled from our own global network. It’s a unique and powerful combination, made possible by BT’s position as an international communications company that has built its reputation on the resilience of its networks and services.