NIS2: What To Do (And Who’s Going to Do It)?
By 17 October 2024, Belgium must have transposed the European NIS2 Directive into national law. NIS2 contains all kinds of rules and regulations on the cyber resilience of businesses, and many organisations will have to get to grips with it. Do you have the right people in-house to scrutinise these rules and obligations?
Having the right expertise is more important than ever. The first version (NIS1 from 2016) was limited in scope and mainly relevant to large companies in critical sectors. NIS2 goes a lot further: even companies not directly covered by the directive would do well not to ignore it. This may mean that you need to attract new talent – at a time when other organisations are casting their fishing line into the same talent pool.
The chance that you will come into contact with NIS2 is high. Organisations that employ more than 50 people and are involved in energy, transport, logistics, but also matters such as IT infrastructure management, fall directly within its remit. If your business falls outside this definition, bear in mind that companies that are covered by the directive are obliged to request guarantees from their suppliers. Anyone who works with companies that have to comply with NIS2 is thus indirectly obliged to take the directive seriously.
Who understands the risks?
NIS2 is far from revolutionary: Europe simply plans to require governments and companies to follow recognised best practices. Unfortunately, this is news for many companies. The directive isn’t based on technical specifications or jargon but is constructed around risk: it is up to you to identify risks, take appropriate measures to limit them and also give some thought to a strategy for if something does go wrong.
That sounds reasonable enough, but to be compliant you need very specific competencies. Everything starts with the risk assessment. Whoever is going to carry this out needs a thorough understanding of both the IT infrastructure and your operational business. It’s not enough to set up a firewall, install an antivirus and say that digital risks are covered: you need to understand the ways in which your business processes are vulnerable and act accordingly. A firewall isn’t going to block a clever phishing email, so what are you going to do about that? And what if a hacker exploits a new vulnerability to hide in your network so as to strike later on?
You will only get answers to these questions from people with a thorough understanding of your business and sector. Some companies will already have the perfect person in-house, but others are lagging behind and are struggling even today with a gap between IT and their business, irrespective of NIS2. Yet the situations we’ve just outlined are already a daily reality: with NIS2, the EU plans to oblige European businesses to protect themselves against existing, current threats.
Looking for technical expertise
Once the risk assessment is completed, the next phase begins. Businesses looking to comply with NIS2 need to cover the risks by raising their security to a sufficiently high level. The people in charge of the IT department today lack the knowledge or experience to perform forensic analysis of logs, for example.
It may be tempting for the layman to think that ‘it’s all IT’, but the very mindset of the profiles you need is different. A systems engineer’s job is to build and implement something as quickly as possible, but the first question a security engineer asks is how safe a technology or implementation is. You need people who not only understand a technology down to the last detail, but are also aware of the associated pitfalls.
Further training, recruitment or outsourcing?
There are various steps you can take as an organisation. An essential first move is to integrate IT with your business if there’s still a gap in this respect. You then need to look at the competencies you have in-house, which ones are missing and which ones you want to bring in. In some cases, you can simply offer further training to existing IT talent.
In other cases, outsourcing may be a good idea. Do you need a security operations centre (SOC) for your company, where security experts monitor your infrastructure and network round the clock? If so, your company needs to be a decent size for this to pay off, quite apart from the recruitment you would have to undertake from a limited pool of talent.
3, 2, 1… go!
Whichever approach you take, you'll need to attract the right people if you want to be NIS2-compliant. Don't leave it too late. The deadline for the government to prepare Belgian legislation is 17 October. There will be transition periods, but the available time is running out fast. To meet future deadlines, it's best to get started right now. Begin with the risk assessment, and entrust it to the right people. After that you can give more thought to what you need to protect, how and with whom.
Looking for a technical genius who feels at home in your sector? Or a security analyst who puts fear into hackers both here and abroad? CHRLY is happy to help.