To increase cyber resilience, the EU is launching new policy initiatives that will come into force within the next three years. The revised NIS Directive will enter into force in 2024 and is expected to impose stronger requirements on a broader range of actors. NIS2 will introduce fines and enforcement, a broader set of mandatory security measures and new incident notification requirements for essential and important entities. Management bodies will have a crucial and active role in approving cybersecurity risk-management measures, and non-compliance will be punished with fines of up to €10 million or 2% of global annual revenue.
With increasing controls from governments and regulators, there is momentum for CISOs to pursue their security objectives. The EU is setting up a budget of €2 billion to support new cybersecurity initiatives aimed at strengthening cyber resilience.
The following sectors will fall within the scope of the NIS2 regulation:
Even though NIS2 largely builds on the NIS Directive, there are major upcoming changes that will require consideration.
Boards and senior-level management should amend their companies’ cybersecurity strategy in order to improve the cyber resilience of their organisation. The requirements of the NIS2 Directive must be addressed in three areas:
As the NIS2 legislation takes its final shape, CISOs need to start planning their response. These may be some of the first steps to consider:
Deloitte monitors EU cyber policy developments to anticipate the business impact of regulatory changes on its wide network of clients. We collect our insights from multi-stakeholder groups active in the EU cyber community, such as European Institutions, EU Member States, national CSIRTs, Competent Authorities and Operators of Essential Services.
Our Cyber Services, aimed at supporting entities to comply with NIS2, are eligible for (co-)funding by the EU under the Digital Europe Programme (DIGITAL). The budget for the Cybersecurity actions covered by this Work Programme is €269 million distributed as follows:
In addition, actions supporting the deployment of the Secure Quantum Communication Infrastructures (QCI) are included in the Digital Europe Work Programme for 2021–2022, with an indicative budget of €170 million.
_____
The previous version of this article was written by Martina Calleri. It was originally published here by Deloitte Belgium.