Ready to raise the bar on cyber resilience? Preparing for NIS2 compliance
In our digitally dependent, hyperconnected world, technology networks underpin societies and economies. COVID-19 accelerated our digital dependence, as online processes replaced in-person interactions, helping us to overcome many challenges of the pandemic.
But, while digitisation has enabled us to leap forward in terms of speed and convenience, it has also introduced risk. When our energy grids, water supplies, health services, banking facilities, transport networks and more rely on digital infrastructure, that infrastructure must be robust, reliable, and defended against disruption caused by malicious cyberattacks.
In a volatile geopolitical and socio-cultural environment, such attacks – whether they originate with nation-state-sponsored actors or criminal enterprises – are inevitable and potentially life-threatening. Not only that, but the interconnected nature of networks means an attack on one company, in one country, can quickly escalate to impact a vast number of organisations across multiple countries. You cannot easily close the borders to a cyberattack.
Recognising this expanding risk, the European Union introduced the Network and Information Systems Directive in 2016. Its aim was to improve the resilience of network and information systems in the Union against cybersecurity risks and prevent attacks from disrupting the physical, social, and economic welfare of its citizens. Now its successor, NIS2, is in the process of transposition into law across EU member states. From October 2024 it will apply to all entities designated “essential” and “important” in a broad range of industries that are critical to the safe functioning of modern society.
NIS2 is broader in scope and contains notable new areas of activity and accountability. Penalties for non-compliance are significant, reflecting the potential severity of disruptions to critical national (and international) infrastructure (CNI). It also includes a focus on supply chain cybersecurity that will have a cascade effect extending beyond the organisations directly required to comply.
NIS2 represents a major area of governance, risk, and compliance responsibility for not just “essential” and “important” entities, but also for the thousands of businesses that are key suppliers to those entities. From leadership competence and culture-setting to internal controls and monitoring, there are wide-ranging, multi-disciplinary factors to address.
In this white paper we’ll review NIS2, its requirements, and where companies should focus their preparations.