Regulatory mandates. Whatever you may think of their intention, execution, or implications, they’re a critical part of the landscape for security teams. This is particularly true for organizations based in the EU and for entities that do business with EU-based organizations. A new directive will be introduced within the next year that promises to have a huge impact.
The History of NIS2
In 2016, the European Commission established the first set of EU-wide cyber security directives, known as the Network and Information Security (NIS) Directive. While this represented a step forward in terms of helping to improve the resilience of agencies and businesses in the EU, it proved to be difficult to implement, and both its application and enforcement proved to be fragmented.
To address these obstacles, the commission launched the development of the next standard, Directive (EU) 2022/2555, known as NIS2. This directive took effect at the beginning of 2023, and by October 2024, all member states must apply this mandate to national law.
The NIS2 directive has generated many opinions and perspectives. While much has been said and written about the standard, security leaders are encouraged to review the actual directive. Management teams need to get acquainted with the details of the standard and determine how to best apply it within the context of their specific organization.
NIS2: Key Takeaways
The NIS2 standard will significantly impact several areas, including mobile security, an arena in which Zimperium specializes. The sections below will highlight some of the most critical takeaways from the NIS2 directive.
#1. There’s a Strong Justification for the Implementation of NIS2
Whether you view this and other regulatory mandates as useful and well-conceived or as a costly, time-consuming annoyance, the fact is that there are some excellent reasons for the development and adoption of standards like NIS2.
The reality is that, in the EU and almost every region worldwide, cyberattacks have continued to become more prevalent and costly for organizations.
To thwart these attacks, the EU Commission set out to strengthen the initial NIS directive. Article 1 of NIS2 offers a distillation of what the EU Commission is looking to achieve. The standard is intended to define “measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.”
#2. NIS2 Represents a Non-Negotiable Baseline
When every entity handles cybersecurity differently, with widely diverging levels of security, it creates a situation in which attacks keep growing in number and severity.
The NIS2 directive is the EU Commission’s push to establish a common, sufficient, and scalable level of security among all covered organizations. Article 5, in part, reads the directive “shall not preclude Member States from adopting or maintaining provisions ensuring a higher level of security…” While each organization’s specifics may vary, and organizations can opt to go above and beyond these security standards, the NIS2 directive should be viewed as the bare minimum and the absolute, non-negotiable, must-have requirements for security.
#3. NIS2 Applies to a Broad Range of Entities
Compared to the initial version, NIS2 significantly expands the entities that are covered. Effectively, the new standard applies to pretty much every entity that contributes to day-to-day operations of the EU or of EU citizens. This includes automobile manufacturers, food distributors, banks, retailers, transportation firms, waste disposal agencies, and more.
Annex I (essential entities)
Annex II (important entities)
#4. NIS2 Applies to Any Network-Connected Device
Article 6 reads in part that the definitions apply to “any device or group of interconnected or related devices” as well as systems in which “digital data [is] stored, processed, retrieved, or transmitted.” In addressing NIS2, security teams must account for desktop and laptop computers, internet of things (IoT) devices, printers, and mobile phones and tablets. Corporate databases, enterprise applications, and mobile applications will also need to be addressed.
Devices and applications must be able to resist any cyberattack. This includes unknown or zero-day attacks that target mobile devices.
#5. NIS2 Holds Management Accountable
Article 20 outlines who’s liable for non-compliance: “the management bodies of essential and important entities.” Ultimately, management teams are responsible for approving cybersecurity measures and liable for infringements of the directive. The intent is to create some urgency around addressing the directive and establishing clear accountability for failure to do so.
#6. NIS2 Requirements are Comprehensive
Article 21 provides some of the details around how to establish effective safeguards. The article features requirements for establishing risk analysis and information system security approaches, including handling incidents, securing supply chains, ensuring business continuity, and employing cryptography. Across these areas and more, teams will need to establish strong, thorough, and auditable workflows and technologies.
#7. NIS2 Applies Across the EU and Beyond
Any entity governed by NIS2 must take responsibility for “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” For organizations that work with, or seek to work with, EU businesses, it will be vital to address NIS2 standards and to be able to attest to the defenses implemented.
#8. NIS2 Penalties are Significant
Article 33 spells out the consequences of failure to comply with the directive. Organizations may face the very real danger of having EU Commission officials instituting supervisory measures, which can be costly and labor-intensive. For example, a team may be required to implement a specific solution, forcing them to scramble to negotiate pricing and contracts and then embark on testing, implementing, and deploying a solution, training staff, and more. While it remains to be seen how these enforcements may be handled, it is clear that having to respond to these supervisory requirements will be far less efficient and productive (not to mention less pleasant) than getting ahead of the curve and establishing security measures as part of a well-designed, planned initiative. As systems grow more complex, it is crucial for customers to find solutions that do not require a complete rework/reorg of their existing workflows.
Further, these compliance failures can result in steep penalties. Article 34 specifies that, in the event of an essential entity’s infringement, member states shall apply administrative fines of up to 10 million Euros or 2% of an organization’s prior year’s gross income, whichever is higher.
In some ways, you can see these fines as another way to justify security investments. Previously, organizations that failed to implement robust cybersecurity measures would be susceptible to the risk of costly cyberattacks and ransomware attacks, which can cost millions. With NIS2, these organizations will also be exposed to potential fines, which can be equally steep.
Conclusion: How Zimperium Can Help
Complying with the NIS2 directive will represent a significant, broad-based effort for security teams, and strengthening the security of mobile devices and mobile apps will be a key part of those efforts. The good news is that Zimperium can help.
Zimperium is a mobile-first company. All the solutions and services are focused on securing mobile devices and mobile applications. Zimperium has secured millions of devices around the world, including both corporate- and employee-owned devices for some of the world’s largest businesses and government agencies. Our on-device threat detection offers protection around risky user behavior and against malware and even zero-day threats. Our mobile application security solutions safeguard applications throughout their lifecycle, from development to runtime.
To learn more about the NIS2 and what it means to your organization, contact us today.
