NIS 2 Directive: Strengthening the cybersecurity of SMEs and communities

An article by Hans Mourette - CEO of DATASHIELD Risk Consulting.
Updated on January 2, 2024 - reading time: 5 min

Published on December 27, 2022, in the Official Journal of the European Union, the NIS 2 Directive represents a crucial evolution in European legislation on cybersecurity, a fundamental pillar of the sustainability and prosperity of businesses. At DATASHIELD Risk Consulting, we understand that this directive is not just a response to constantly evolving cyber threats, but also a strategic opportunity for SMEs and local authorities to optimize their security posture.
The adoption of the NIS 2 Directive coincides with a period when cybersecurity transcends sectors and borders, touching every aspect of our professional and personal lives. The increasingly sophisticated cyberattacks and security incidents that marked the year 2023 underline the urgency of enhanced protection.
| Understanding the NIS 2 Directive
The NIS 2 Directive, a major revision of European cybersecurity legislation, aims to create a safer and more resilient digital environment within the European Union. This revision comes in a context of constantly evolving cyber threats and increasing interdependence of information systems and networks across the continent.
| History and context
The original NIS Directive, adopted in 2016, was the first European Union legislation on cybersecurity. It laid the foundations for better security of networks and information systems. However, with the acceleration of digital transformation and the emergence of new threats, it became evident that an update was necessary. The NIS 2 Directive addresses these new challenges by expanding the scope and strengthening the requirements of the original directive.
| Extension of the scope
NIS 2 significantly broadens the scope compared to its predecessor. It now includes a larger number of sectors and entities, including SMEs meeting certain size or impact criteria, as well as certain public entities and local authorities. This extension recognizes that cybersecurity is no longer just a concern for large corporations or critical sectors, but affects all levels of society and the economy.
| Strengthening of security and notification requirements
Under the Directive, the entities concerned must adhere to stricter security standards. This includes implementing appropriate technical and organizational measures to manage security risks, as well as mechanisms to prevent, detect, and respond to cyber incidents.
In addition to strengthening security measures, the directive emphasizes the speed and efficiency of incident reporting. Entities must report serious incidents to national authorities within a very short time frame, allowing for a coordinated and rapid response at the European Union level.
| Cooperation and management of cross-border risks
A key aspect of the NIS 2 Directive is the promotion of increased cooperation between European Union Member States. This is crucial for effectively managing risks and responding to incidents that have a cross-border impact. The directive establishes frameworks for information sharing, incident response coordination, and mutual assistance among Member States.
| Impact on cybersecurity governance
NIS 2 also recognizes the importance of governance in cybersecurity within organizations. It encourages businesses and local authorities to integrate cybersecurity into their high-level management and to establish clear links between the management of cyber risks and the overall strategy of the organization.
| Impact on SMEs and Local Authorities

The NIS 2 Directive, with its extended and strengthened requirements, has a significant impact on small and medium-sized enterprises (SMEs) as well as local authorities. These entities play a crucial role in the European economy and are often attractive targets for cyberattacks due to their limited security resources.
| Challenges and Opportunities for SMEs
SMEs, in particular, may perceive compliance with the NIS 2 Directive as a challenge due to their limited resources and cybersecurity expertise. However, it is essential to recognize that adopting these measures can also bring significant benefits.
Enhanced Security and Resilience: By complying with the directive, SMEs can strengthen their security and resilience against cyber threats. This can reduce the risks of operational disruptions and financial losses due to cyberattacks.
Competitive Advantage: Robust cybersecurity can become a competitive advantage, enhancing the trust of customers and partners.
Access to New Opportunities: Compliant SMEs can access new market opportunities, especially in sectors where security is a major concern.
| Support Measures for SMEs
To help SMEs overcome these challenges, it is important that governments and EU institutions provide adequate support. This could include:
Training and Awareness: Programs to educate SMEs about cybersecurity and help them develop security strategies.
Financial Aid and Grants: Financial incentives to help SMEs invest in cybersecurity measures.
Tools and Resources: Provision of tools and resources to simplify the implementation of the directive's requirements.
| Impact on Local Authorities
Local authorities play a central role in the implementation of the NIS 2 Directive. They must not only comply with the directive but also support SMEs and citizens in their jurisdiction.
Improving Security Infrastructure: Local authorities need to invest in improving their cybersecurity infrastructure, which can also benefit local communities and businesses.
Leadership and Awareness Role: Local authorities can play a leadership role in raising cybersecurity awareness and promoting best practices within the community.
Collaboration with Local Businesses: By collaborating with local businesses, local authorities can help create a stronger cybersecurity ecosystem.
In conclusion, the NIS 2 Directive represents a significant advance in strengthening cybersecurity within the European Union, bringing major changes that affect both SMEs and local authorities. This directive not only responds to current cyber threats but also lays the foundation for a more proactive and collaborative approach to cybersecurity.
For SMEs, the NIS 2 Directive offers a unique opportunity to review and strengthen their cybersecurity measures. Although this may represent an initial challenge, especially in terms of resources and expertise, the long-term benefits are undeniable. Better digital security not only translates into increased protection against cyberattacks but can also lead to a competitive advantage, strengthening customer trust and opening the way to new business opportunities.
For local authorities, this directive underscores their crucial role not only as actors directly concerned by cybersecurity but also as catalysts and supporters for local SMEs. By investing in improving their security infrastructures and playing a leadership role in awareness and collaboration, local authorities can significantly contribute to establishing a safer digital environment for all.
Ultimately, the NIS 2 Directive is more than just a regulation; it is a call for collective action and heightened awareness of the importance of cybersecurity in our interconnected digital world. At DATASHIELD Risk Consulting, we are committed to accompanying our clients at every step of this process, providing the expertise, tools, and support necessary to successfully navigate this new cybersecurity landscape.
For further reading, we invite you to consult our white paper: NIS 2