Business Reporter: NIS2 is here - turning regulatory pressure into resilience with GRC

NIS2, designed to harmonise cybersecurity legislation in the EU, has so far been transposed into national law in 22 member states, albeit with significant variations, which makes cross-border compliance challenging, particularly when done manually. These variations must also be considered when reporting an incident to different national authorities, which further intensifies the pressure that strict reporting timelines put on companies.

Under NIS2, directors can be held personally liable for breaches if they fail to uphold their approval and oversight duties, so they must now also familiarise themselves with the member-state nuances of the legislation. However, as Julian Hirsh points out in a Business Reporter Talk, AI-enabled compliance systems can automate horizon scanning and the extraction of local legislation, as well as highlight gaps between the regulations of different countries.

Compliance versus resilience

Meanwhile, Tiago Rosando feels that a unified approach from the EU could have resulted in a better compliance outcome. The fact that various operations of the same company can be at different stages of cyber security maturity adds yet another layer to the complexities of reporting. Participants also voiced criticism that NIS2 seems to put more stress on the legal aspects of compliance than on the actual improvement of cyber defences. The right question is not how to get compliant but how to become resilient.

Most companies are aware of the new governance expectations of NIS2, as well as its benefits, from improved supply chain security and better risk management to lower cyber insurance premiums, unless they regard compliance as a tick-the-box exercise. While for lawyers a relevant ISO certificate equals compliance, CISOs need controls in place to prove the business's cyber resilience. Ideally, lawyers, CISOs and risk officers should sit down together and discuss what cyber security means from their respective perspectives in the shared language of business, and include board members in these conversations too, so that cyber security is perceived as a business risk rather than a technical issue.

Achieving NIS2 readiness

GRC is a framework that can guide conversations around NIS2. The only novelty in NIS2 is the liability of the CEO and the board; all the other elements are already familiar from other legislation. As Hirsch points out, companies that hold ISO 27001 certification and have policies in place with third parties are already about 75 per cent NIS2 compliant. The new EU legislation can also be seen as a tool to consolidate the data silos across all functions into a unified dashboard that the C-suite can easily monitor.

For best results, Ana-Maria Matejic argues, it is also key that cyber security is embedded in every aspect and department of the business. As for threat modelling, CISOs should not limit it to cyber security but should also include other types of risk, such as data privacy and sovereignty, contractual agreements and compliance frameworks. To get their message across to the C-suite, they must present the cost of mitigating certain risks, no matter whether they come from sales or the legal department, against the cost of an incident that happens because controls are lacking.

The 24-hour reporting deadline of NIS2 can only be met through operational workflows: AI can help with triaging and assessing the criticality of an incident. While having a GRC framework is key, copy-pasting another business's policy will not work. For a policy to become a living document, it must be concise and easy to update.

Responsibility for communicating an incident will always lie with the individual appointed by the board. As Ana-Maria Matejic emphasises, communication channels must be established in advance so that they are already operational when the worst happens. To demonstrate readiness for NIS2, businesses must prove that the company policy is working, as well as provide statistics on the number of detected incidents and false positives.

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543