NIS2: A catalyst for cybersecurity innovation or just another box-ticking exercise?
The Network and Information Security (NIS) 2 Directive is possibly one of the most significant pieces of cybersecurity regulation to ever hit Europe. The 27 EU Member States have until 17 October 2024 to adopt and publish the standards necessary to comply with NIS2, which brings increased requirements to strengthen security conditions and report more regularly, with shorter deadlines, on cyber-attacks.
The scope of the NIS2 directive has been dramatically broadened: in some countries, the number of entities covered will grow to approximately 30,000 – compared to NIS1, which previously only affected 3,000. In addition, there are far greater implications for organizations not meeting the standards, such as severe fines if deadlines are not met and personal liability for C-suite leaders representing those businesses.
But with businesses gearing up for this new era of compliance, the question must be asked: what effect is NIS2 going to have on cybersecurity innovation across the continent? Could we see a surge of investment into cyber, sparking a new wave of solutions? Or, on the other hand, could the intensity of the regulation stifle innovation and force companies into a perpetual game of catch-up?
The need for enhanced regulation
The need for stricter cybersecurity measures is undeniable. According to Palo Alto Networks’ recent IDC research, just 28% of CISOs across EMEA and LATAM regularly test their incident response plans.
This comes at a time when the threat landscape is evolving at speed, especially because of generative AI. For instance, Palo Alto Networks’ Unit 42 recently observed a case where bad actors extracted 2.5 terabytes of data in just 14 hours, demonstrating a level of efficiency never seen before. Considering these statistics, the European Commission hopes that its landmark piece of regulation will result in cyber resilience becoming a key pillar of organizational culture, rather than an afterthought.
A catalyst for or against innovation?
Critics have argued that the NIS2 directive potentially goes too far towards “over-regulation”, as some of the entities included within the directive are not deemed to be of “critical” importance. The stringent regulatory stipulations and the possibility of penalties for non-compliance could push organizations to stay cautious with their approach to cybersecurity, which may no longer be fit for purpose in a world where the threat landscape is evolving faster and being more complex.
For example, businesses may choose to use widely accepted legacy technologies even though newer, AI-driven detection systems could offer more precise threat identification. Thankfully, the NIS2 Directive – in its recitals – calls on important and essential entities to “pursue the integration of cybersecurity enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems.”
Ex-ante or ex-post risk measures
Donald David Stewart Ferguson, an academic, argues that the limited effectiveness of the NIS2 Directive is primarily due to the narrow scope of the cybersecurity risk management measures, including the lack of specific measures focused on the reconnaissance phase of a cyberattack.
One hopes that the European Commission will provide further guidance in its Implementing Act later in 2024 on what preventive steps entities should take to identify malicious behavior on their networks before an incident happens.
Technologies that leverage machine learning and AI can help to implement prevention measures and should therefore be encouraged to be implemented by the EU member states’ NIS2 implementing laws.
Furthermore, NIS2’s emphasis on uniform cybersecurity standards and reporting duties across EU Member States may discourage tailoring and innovation in cybersecurity practices customized to specific organizational requirements and challenges. For example, the cybersecurity needs of the financial services sector are monumentally different from the needs of the postal services – both of which fall under the scope of NIS2.
Financial services face a greater complexity and severity of threats that directly impact financial stability and require higher levels of security investment and stringent regulatory compliance. Postal services may not handle direct financial transactions on the same scale but still require robust security measures to protect personal data and ensure the continuity of their operational services. Of course, sector-specific laws around cyber security already exist, but for businesses to achieve true holistic cybersecurity, they must adopt a tailored approach.
Current cybersecurity regulations are falling short of addressing critical security challenges. A more universally stringent approach, such as that proposed by NIS2, might provide a solution. Its well-defined framework will work to instill greater market certainty by providing organizations with a clear roadmap for compliance. This approach gives NIS2 the potential to encourage investment in developing innovative solutions that meet these standards and suit individual entities.
Driving innovation through regulation
There are several ways that NIS2 can drive innovation within the cybersecurity sector. Firstly, the broader scope of NIS2, encompassing a wider range of entities and sectors, will generate a significantly larger market for cybersecurity solutions and services. This surge in demand could act as a powerful catalyst for transformation as companies race to develop solutions that cater to evolving needs.
A big transformation would be the adoption of an approach to cyber that fosters the integration and consolidation of technologies and data sources, rather than patching multiple, isolated technologies that are unable to generate a comprehensive cyber situational picture across endpoints, networks and cloud environments. This way businesses have increased visibility to threats, can detect them and act faster.
This approach also allows businesses to easily scale their cybersecurity operations, and automate many tasks that are oftentimes handled manually, which would help them to ensure they are compliant with NIS2 across the entire organization. Furthermore, businesses will be far more effective in meeting the shorter reporting deadlines under NIS2 because of single-pane-of-glass visibility and real-time alerts.
Meeting the compliance requirements of NIS2 will also necessitate the adoption of new cybersecurity technologies and practices, such as advanced threat detection and incident response capabilities. For example, enhanced incident response platforms that integrate automation and AI can significantly reduce the time and resources required to respond to security incidents and ensure that actions are consistent and aligned with best practices. AI can also provide advanced security services, for example, leveraging filtering and threat prevention to prevent sophisticated web-based threats, zero-day threats, evasive command-and-control attacks and DNS hijacking attacks.
Finally, the shared goal of achieving NIS2 compliance will foster collaboration and knowledge sharing among organizations, industry stakeholders, and regulatory bodies. Collaboration is an integral part of innovation, and exchanging best practices, knowledge and new technologies can lead to significant advancements in the cybersecurity landscape.
Unlocking new opportunities
There are obvious concerns for businesses around meeting the requirements of NIS2, particularly as severe fines and personal liability are introduced as sanctions.
However, the potential for innovation within the cybersecurity sector is undeniable. The vast new market created by NIS2, coupled with the emphasis on collaboration and knowledge sharing, will pave the way for creativity in the cybersecurity sector that is set to transform the overall landscape as we know it.