How NIS2 will impact sectors from healthcare to energy

In this Help Net Security interview, Mick Baccio, Global Security Advisor at Splunk SURGe, discusses the far-reaching implications of the NIS2 Directive beyond traditional IT security. He explains how NIS2 will fundamentally change cybersecurity governance, making it a core aspect of organizational strategy and accountability.

Many experts suggest that the NIS2 Directive has far-reaching implications beyond IT security. Could you expand on the specific non-technical requirements that companies must be aware of?

The NIS2 Directive significantly broadens its focus beyond traditional IT security, emphasising governance, risk management, and executive accountability within organisations.

One of the critical non-technical requirements is for senior management to receive regular cybersecurity training. This ensures that leadership fully understands the risks associated with cyber threats and their potential impact on the business. As a result, cybersecurity becomes a central concern for the board, rather than merely a technical issue.

The directive also imposes stringent incident reporting requirements, mandating that organisations report incidents within specified timelines. Furthermore, it emphasises the need for detailed documentation and compliance, which necessitates cross-functional coordination among legal, administrative, and operational teams.

Additionally, organisations are required to register with and be supervised by relevant cyber authorities. This enhances oversight and accountability, ensuring that management is actively involved in cybersecurity measures. Overall, cybersecurity under NIS2 becomes an essential part of the organisation’s strategic operations.

What primary sectors and entities will be affected by the NIS2 Directive? How do you foresee the impact on critical infrastructure providers?

The NIS2 Directive significantly broadens its scope compared to NIS1, now encompassing critical sectors such as telecommunications, food production, waste management, energy, healthcare, and chemical manufacturing. This expansion affects at least 110,000 entities across the EU, which is seven times more than under the previous version.

Many of these newly included sectors, which are vital to societal and economic stability, will face greater challenges in meeting the EU’s cybersecurity compliance framework for the first time. They must enhance their cybersecurity defences and navigate complex regulatory frameworks, which may require significant investments in technology, staff training, process adjustments and audits and certification to demonstrate compliance.

Additionally, securing entire supply chains and managing third-party risks will place further demands on resources. However, these challenges also present opportunities for organisations to strengthen their resilience and security, ensuring essential systems and services are safeguarded against cyber threats.

How does NIS2 harmonise cybersecurity practices across the EU? Do you see this as a positive shift toward more unified security standards, or do you anticipate any challenges related to national differences in cybersecurity maturity?

NIS2 aims to establish a strong, unified baseline for cybersecurity practices across the EU, helping to prevent fragmentation and creating a more cohesive security landscape. However, challenges will arise from the differences in how each member state transposes the directive into national law. With many member states expected to miss the transposition deadline, the applicable requirements will be revealed to entities at different times across the continent, and we expect national laws to create different timeframes for entities to meet those requirements, leading to staggered compliance timelines. Moreover, as not all services benefit from a one-stop shop jurisdiction regime, some entities will face up to 27 distinct registration, auditing, and enforcement regimes.

Businesses with mature cybersecurity frameworks will likely find the transition to NIS2 smoother, while those with less mature programmes or not previously subject to regulatory frameworks may have a larger compliance gap to close. Additionally, companies within the supply chains of entities subject to differing national regimes will need to navigate these variances in flow-down requirements.

To manage these challenges, it will be crucial for organisations to monitor the varying national implementations, map compliance gaps, identify ways to distil requirements into common security controls and set out a roadmap to meet them. Cisco’s Cloud Controls Framework (CCF) maps security requirements from various regulations and standards in a scalable way, offering a useful resource for navigating regulatory changes. It is available for use by the community at large.

We also expect ENISA (European Union Agency for Cybersecurity) to publish guidance this month that will map security controls against common standards, helping organisations better understand and meet NIS2’s requirements.

As NIS2 requires a greater emphasis on governance and risk management, what role do you see CISOs playing in strategic decision-making within organisations?

Under NIS2, the CISO’s role will be elevated to a more strategic position within corporate leadership. With the directive placing a greater emphasis on governance and risk management, CISOs will play a pivotal role in conducting risk assessments, closing security gaps, and ensuring that cybersecurity strategies align with broader business goals. They will also be responsible for driving incident response readiness and overseeing regulatory compliance.

As cybersecurity becomes a critical factor in business continuity planning, CISOs will have a more influential voice in board-level decisions, helping to balance security concerns with business goals. This shift emphasises that cybersecurity is not only about protecting data but also about managing risk in a way that supports long-term business success.