The lively debate was unsurprising, given the sweeping implications of the new legislation for various entities and institutions across the EU. However, it's crucial to clarify that EU Member States have until October 17, 2024, to transpose the NIS2 directive into their national laws. This means companies won't have a specific compliance date until each member state finalizes its national legislation.

So what are the experts' views on this legislation? What are their views on its benefits and potential problems?

Extraterritorial cybersecurity legislation was long overdue

Robbert Santifort, principal associate at Eversheds Sutherland, looked at the new legislation from a lawyer’s point of view, emphasizing the ever-rising costs of cyber-crimes and the pressing need for extraterritorial legislation that would protect EU entities and institutions. Santifort explained the position of the NIS2 directive within a pan-European infrastructure composed of national and cross-border security operations centers (SOCs) across the EU.

The directive affects not only EU institutions and companies but also their suppliers and all entities running their business and carrying out their activities in the Union. The law expert also highlighted the need to bring the theme of cybersecurity into the boardrooms of governments, companies, and institutions, as well as the need to educate their management accordingly. Santifort says:

“Why is NIS2 that important? Why is it getting so much attention? As I said, it brings cybersecurity to the boardroom. What does it mean in practice? It means that management bodies must be able to identify and assess those cybersecurity risk management measures, approve those measures in relation to the risk management framework that’s applicable within the company, to oversee the implementation of those measures. And the management board also needs to be educated, trained to be able to govern the implementation of any of those obligations.”

Santifort also praised the much larger scope of NIS2 compared to its predecessor, the NIS directive, and its improved enforcement not only at the company level but also at the personal level of management.

Security is always a snapshot

Dave Maasland, CEO of ESET Nederland, named three key components for an efficient implementation of NIS2: communication, awareness, and collective resilience. He believes that it should not be a matter of duty for any institution or individual whom NIS2 affects to comply with it but rather a matter of desire. Maasland trusts that once individuals and companies understand that it is, in fact, a tool of protection, they will realize it is in their best interest to comply with it.

The digital security expert also pointed out that: “Security is always a snapshot. You can be secure now. Microsoft has an exploit and tomorrow you might be less secure.” That means security is not a one-time achievement but an ongoing process. It requires constantly evaluating your security posture, addressing evolving threats, and taking a proactive approach so you can minimize the risk of being caught off guard.

Maasland suggests that being prepared for cyberattacks and effectively dealing with their aftermath is vital. The last key feature he mentioned was sharing knowledge and working together against threats. All of these are, in his words, embodied by NIS2.

A short deadline might mean extra workforce

Maik Wetzel, the strategic business development director at ESET DACH, urged everyone who will be affected by NIS2 not to hesitate but to start aligning the processes and policies of their companies and institutions with it right away. He pointed out that since NIS2 is an EU directive, there will be some nuances at the level of individual countries.

Using Germany and its cascade of federal but also state institutions dealing with cybersecurity as an example, Wetzel pointed out that some extra specialized workforce may be needed to achieve compliance with NIS2 within the rather short deadline.

MAIN POINTS

- NIS2 is a key new EU legislation that builds resilience against cybercrime.
- It will affect up to 160,000 entities.
- Communication, awareness, and collective resilience are crucial.
- Implementation might require an additional specialized workforce.

All three presenters agreed on the necessity of a directive such as NIS2 and of unified cyber protection legislation across the EU. They appealed to all entities that will be affected by it, urging them to start working towards NIS2 compliance right away and emphasizing that it is in their best interest to do so. The speakers also highlighted the importance of straightforward and clear communication and effective education of the involved entities as the best means of getting them on board with the new legislation.

So, if you know your company will be affected by NIS2, follow Maik Wetzel’s advice:

“Don’t hesitate. Start now.”