NIS2: Catalyst for Cybersecurity Innovation or Just Another Formality?

The Network and Information Security (NIS) 2 Directive is one of the most important cybersecurity regulations ever adopted in Europe.

The 27 EU member states have until 17 October 2024 to adopt and publish the national laws transposing the NIS 2 directive, which organizations must then comply with. The directive imposes more demanding security requirements in response to cyber threats, together with more frequent reporting obligations and shorter deadlines in the event of a cyber-attack.

The scope of the NIS 2 directive has been significantly extended. In France, the number of affected entities is expected to rise from 500 to around 15,000, namely the entities with the greatest potential impact on the French economy and society. This presents a significant challenge for national authorities, who must cascade security requirements to each newly covered organization and sector, coordinate the gradual take-up of those requirements, and process many more incident reports.

In addition, the consequences for non-compliant organizations are potentially greater, including the possibility of fines for failure to meet deadlines and personal liability for managers of affected companies.

However, as businesses prepare for this new era of compliance, another question arises: what impact will NIS 2 have on cybersecurity innovation? Will the regulatory developments lead to a spike in investment in new security solutions? Or, on the contrary, will the burden of regulation stifle the capacity for innovation and condemn organizations to rolling out, in successive steps, only the tools designed to maintain compliance?

Need to strengthen practices through regulations

The need for more ambitious cybersecurity measures is undeniable. They are necessary to combat increasingly efficient and well-equipped malicious actors. According to a recent IDC study, led by Palo Alto Networks, only 28% of CISOs in EMEA and Latin America regularly test their incident response plans. This comes at a time when the threat landscape is evolving rapidly, not least because of generative artificial intelligence.

For example, Palo Alto Networks’ Department 42 recently observed a case in which malicious actors exfiltrated 2.5 terabytes of data in just 14 hours, a level of efficiency never seen before. In light of such figures, the European Commission hopes that its landmark regulatory text will usher in a new era in which cyber resilience becomes a key pillar of organizational culture rather than an afterthought.

Global European approach, but transposition facing national specificities

Each EU member state is progressing at its own pace in adopting and transposing the directive, which, according to ANSSI (the French National Agency for the Security of Information Systems), “marks a paradigm shift, both at national and European level”.

In France, the Resilience bill to be debated by Parliament will transpose NIS2, DORA (for the financial sector) and REC (resilience of critical entities) together.

Regarding NIS2, ANSSI organized consultations with professional organizations in the sectors covered by the directive, on the one hand, and with associations of elected officials of local authorities, on the other.

The results of these consultations highlight the expectations and needs of stakeholders, who hope to be heard during the drafting of the implementing texts. Although they are aware of the vulnerabilities and of the challenge of raising the level of protection, the associations of elected officials have united to demand that the requirements be adapted to the existing maturity of their organizations, phased in over time, and accompanied by technical and financial support, in particular for the operation of the regional CSIRTs (Cyber Incident Response Centres) that are intended to form part of the Cyber Incident Notification System.

Thus, across regions and sectors of activity alike, consultation and collaboration with the CSIRTs and with the National Cyber Security Authority will determine whether the new requirements can be successfully applied in a heterogeneous and diverse environment, by organizations that are well aware of the difficulty and cost of compliance.

Ability to channel investment into sustainable innovation

Some critics fear that the NIS 2 directive goes too far into “over-regulation”, particularly with its two tiers of regulation reaching well beyond organizations deemed critical. Strict regulatory provisions and the possibility of penalties for non-compliance could encourage organizations to remain cautious in their approach to cybersecurity and in their future investments, a caution that may no longer be appropriate in a world where the threat landscape is evolving ever faster and becoming ever more complex.

For example, organizations may choose to rely on legacy technologies rooted in long-established practices instead of newer AI-based detection systems that provide more accurate identification of culture-specific threats.

In reality, taking a more innovative approach would allow organizations not only to protect themselves today, but also to protect their future investments and operational security over time. Indeed, the NIS 2 directive invites regulated entities to “pursue the integration of cybersecurity-enhancing technologies, such as artificial intelligence or machine learning systems, to strengthen their capacity and the security of networks and security systems.”

An “individual” approach to risk, not a certificate of compliance

For others, the NIS2 Directive may have limited effectiveness given the overly narrow scope of its cybersecurity risk management measures, such as the absence of specific measures focused on the detection phase of a cyber attack. Here, technologies based on machine learning and artificial intelligence offer one answer, as they can help implement effective preventive measures that keep pace with the evolution of attack tools, tactics and threats.

NIS2’s focus on cybersecurity standardization and on uniform reporting obligations across EU member states may discourage innovation in cybersecurity practices tailored to each country’s specific needs and challenges, in favor of a common approach built on consensus and standardized practices.

Current cybersecurity regulations are insufficient to address major cybersecurity challenges. A more universal and ambitious approach, such as that proposed by NIS2, may provide a solution. Its well-defined framework will help build greater confidence in the market by providing organizations with a clear compliance roadmap.

Provided it is understood in terms of its purpose, and not merely as a compliance exercise, this approach gives NIS2 the potential to encourage investment in the development of innovative solutions that meet the requirements while adapting to the specific needs of each organization.

Compliance as a driver of efficiency and better sharing in cybersecurity

The NIS2 Directive can stimulate innovation in the cybersecurity sector in several ways. One crucial shift is to approach cybersecurity through the integration and consolidation of technologies and data sources, rather than relying on a patchwork of isolated tools that create blind spots and cannot produce a global view of the security situation across desktops, networks and cloud environments.

In this way, organizations will gain better visibility into threats, detect them sooner, and take corrective action more quickly. This reduces the potential risk, whether reputational or financial, that a cyber threat poses to the organization.

This approach also allows organizations to scale their cybersecurity operations more easily and to automate many tasks that are often performed manually, which would help them achieve NIS2 compliance across the organization. Additionally, with 360-degree visibility and real-time alerts, organizations will be far better placed to meet the shorter reporting deadlines set by NIS2.

To meet NIS2 compliance requirements, it will also be necessary to adopt new cybersecurity technologies and practices, such as advanced threat detection and incident response capabilities. The use of AI and automation can significantly reduce the time and resources required to respond to security incidents and ensure that actions taken are consistent and in line with best practices.

AI can also provide advanced security services, such as using threat filtering and prevention to counter sophisticated web-based threats, zero-day threats, hidden command-and-control attacks, and DNS hijacking.

Finally, the common goal of complying with the NIS2 directive will drive collaboration and knowledge sharing between organizations, industry players and regulators. Collaboration is an essential element of innovation. The exchange of best practices, knowledge and new technologies can lead to significant advances in cybersecurity.

Accelerating the evolution of cybersecurity

It is understandable that businesses and public authorities are concerned about their ability to comply with the requirements of this directive, especially since stiff fines and personal liability are introduced as sanctions. However, the potential for innovation in the cybersecurity sector is undeniable.

The new security requirements imposed by the NIS2 directive, combined with its emphasis on collaboration and knowledge sharing, are paving the way for creativity in the cybersecurity sector that will radically transform the global landscape as we know it.
