
My thoughts about NIS2

Company setting

July 12, 2024, Jeffrey

NIS2 and ISO 27001

I decided to read up on the NIS2 Directive, and I realized it feels like an enforced and partially defined ISO 27001. And you know what? I love it!

Key takeaways for me after some reading:

  • It has a well-defined scope: entities in the sectors listed in its annexes (sectors of high criticality and other critical sectors), classified as essential or important entities.
  • It enforces stricter requirements on entities in its scope, which include risk management, incident reporting and the actual implementation of security measures rather than just documenting them.
  • Accountability has shifted upwards to the management bodies (CEO/board), which must approve and oversee the cybersecurity risk-management measures and can be held liable, rather than resting solely on the CISO and cybersecurity professionals.
  • Incident reporting of significant incidents is mandatory, with fixed deadlines (an early warning within 24 hours, an incident notification within 72 hours and a final report within one month), which fosters coordination and response across the entire EU.
  • The penalties feel fair but serious (up to EUR 10 million or 2% of worldwide annual turnover for essential entities, up to EUR 7 million or 1.4% for important entities, whichever is higher). I listened to a podcast from Deloitte, and it was mentioned that the penalties are around the same percentage that a lot of the ransomware gangs would demand from a company (based on turnover).

Why is this a good thing? Because it means companies in critical sectors must step up and take responsibility for their cybersecurity practices. It's time we start prioritizing the security of our digital infrastructure in Europe, especially in the sectors that are essential to our daily lives, as we have seen during Covid.

The accountability that NIS2 places on leadership is something that is interesting to me. If the CEO or the board neglect their responsibilities, they can now be held personally liable. When top leadership is accountable, it ensures a trickle-down effect (dirty sentence after Liz Truss :P), fostering a culture of security and cooperation throughout the organization and eventually Europe.

This is about more than just compliance; it's about strengthening Europe's cyber-resilience and focusing on relevant security.

Let us embrace these changes, support our organizations in meeting the NIS2 Directive and its national transpositions, and work to create a more secure online environment for everyone.