
What strategic actions can organizations take for NIS2

The NIS2 Directive has the potential to change the way cyber security is approached by organizations in Ireland and across Europe. The directive aims to strengthen the cybersecurity capacity of organizations across a wide range of key industries and the public sector and introduces fines of up to €10 million or 2% of an organization’s global turnover for non-compliance.

A focus on individual responsibility

The main difference between NIS2 and its predecessor, the NIS Directive, is that it introduces personal responsibility for cybersecurity for the first time. As with the Individual Accountability Framework (IAF) in the financial services sector, senior executives will be responsible for their organization’s compliance with the directive.

If an organization is found to be out of compliance, responsible officers, including the CIO, CEO and board members, may face sanctions, including bans from performing their functions within the organization.

The impact of this aspect of the directive should not be underestimated. It is simply a game changer for the way cybersecurity is discussed and approached by organizations. Until now, Chief Technology Officers (CTOs) and Chief Information Security Officers (CISOs) have struggled to make the business case for cybersecurity investment, largely because its importance has not been fully appreciated at C-suite and board level.

Making the case for investment in new technology is relatively easy by comparison. The CTO or other responsible officer can point to cost savings, efficiencies, improvements to the employee or customer experience, or other value-generating outcomes. Board and C-suite members understand the value of moving systems to the cloud, but are typically unaware of the need to add further layers of security around them.

Cybersecurity has not been an easy sell so far, but this is likely to change for the better. Focus and investment have typically increased in the aftermath of cyber incidents and decreased during periods of relative calm, when senior executives and board members could be lulled into a false sense of security.