Global Economy

A tough new EU cyber law is off to a messy start, with many countries failing to adopt the rules


Businesses have been working hard to shift their culture internally to ensure they’re taking the threat of cyber breaches and outage incidents seriously.

Andrew Brookes | Image Source | Getty Images

New European Union regulations requiring businesses to bolster their cyber defenses are off to a slow start as many member states have failed to adopt the rules in time to meet a key enforcement deadline, according to research monitoring the progress of the directive.

The EU’s NIS 2 cybersecurity directive sets a high benchmark for companies over their internal cybersecurity systems and practices. It imposes tougher requirements around risk management, transparency obligations and business continuity planning, in the event of a cyber breach.

On Thursday, the new directive officially became enforceable by member states. That means firms have to now ensure their operations are up to scratch with the rules. However, most EU member states have yet to implement NIS 2 in their own respective national laws, meaning that enforcement is likely to be spotty.

Two countries — Portugal and Bulgaria — haven’t begun the transposition process for NIS 2, where directives are incorporated into the national laws of EU member states, according to a tracker tool from internet research organization DNS Research Federation.

The governments of Portugal and Bulgaria were not immediately available for comment when contacted by CNBC Wednesday.

The European Commission told CNBC that it’s urging EU member states that haven’t yet implemented NIS 2-compliant laws to do so quickly.

“So far, Belgium and Italy notified full transposition, and Croatia, Latvia and Lithuania partial transposition of the NIS2 Directive,” a spokesperson for the Commission told CNBC via email. “We urge the remaining Member States to follow suit.”

Read More   Euro zone inflation rises to 2.6% in July, above expectations

The Commission said it’s been supporting member states over the past 21 months by providing guidelines and replying to questions, and warned it stands ready to “use … the tools that it has at its disposal” to ensure member states finish transposing the rules.

What is NIS 2?

NIS 2 — or the Network and Information Security Directive 2 — is an EU directive that aims to increase the security of IT systems and networks across the bloc. First proposed in 2020, the law serves as an update to an earlier directive simply called NIS.

NIS 2 expands the scope of its predecessor to address more recent cybersecurity challenges and threats, as criminals have found new ways to hack companies and compromise their sensitive data.

The directive applies to organizations that operate within the EU and provide essential services to consumers, including banks, energy suppliers, health care institutions, internet providers, transport firms, and waste processors.

Watch CNBC's full exclusive interview with Google Cloud CEO Thomas Kurian and Accenture CEO Julie Sweet

Businesses will have a “duty of care” to report and share information on cyber vulnerabilities and hacks with other companies under the new regulation — even if it means owning up to being a victim of a cyber breach.

If a business falls victim to a cyber breach, they’ll have 24 hours to submit an early warning notification to authorities — a stricter timeline than the 72-hour window firms have to notify authorities about a data breach under the General Data Protection Regulation, a separate data privacy law in the EU.

Firms will also have to vet their technology vendors one by one for cyber threats and vulnerabilities.

Read More   Chinese tech giant Baidu's shares rise 2% after revenue beat

Will it be effective?

Tim Wright, partner and technology lawyer at Fladgate, told CNBC that effectiveness of NIS 2 as a regulation will largely depend on consistent implementation and enforcement across EU member states.

“Bad actors may target countries lagging in their NIS2 transposition or look for weaknesses in supply chains, targeting smaller, less-secure vendors and suppliers to gain access to larger, better-protected organisations,” he told CNBC.

Businesses have been working to get their internal processes, controls and broader culture around cybersecurity into shape for years ahead of the Thursday deadline.

Chris Gow, enterprise tech firm Cisco’s EU public policy lead, said that the spotty nature of NIS 2’s implementation has also been “exacerbated by local adaptation of the law.”

This, in turn, is “creating discrepancies that can prove difficult to navigate, especially for smaller organisations with limited resources,” Gow told CNBC in emailed comments.

State-backed cyber attacks are on the rise this year: DXC Technology

He recommended that, rather than being “overwhelmed” by discrepancies in local adaptations of NIS 2, organizations should “identify a common core of security controls and processes that stand them in good stead to both meet and demonstrate compliance at scale.”

What if a company fails to comply?

For “essential” entities like transport, finance and water companies, failure to comply with NIS 2 can lead to fines of up to 10 million euros ($10.9 million) or 2% of global annual revenues — whichever ends up higher.

Meanwhile, “important” businesses — such as food companies, chemicals firms, and waste management services — are looking at fines of up to 7 million euros or 1.4% of their global annual revenues for breaches.

Read More   Putin and Kim Jong Un's relationship is a marriage of convenience: Here's how it works

Firms can also face possible suspensions of service if they fail to comply with NIS 2, as well as closer supervision.

“NIS 2 makes it clear – large fines, possible suspension of service and monitoring of compliance are being used as levers to encourage organisations responsible for critical services to pay attention to cybersecurity threats and their response to those,” Carl Leonard, EMEA cybersecurity strategist at Proofpoint, told CNBC.

“A baseline has been set in terms of risk-management and mitigation measures including incident handling, staff training, leadership accountability and many others,” Leonard added.



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.