Utilizing AI to Manage the Challenges of New EU Tech Regulations
Introduction
As companies increasingly face a stream of directives and legislation aiming to establish secure exchange environments with cybersecurity measures across the EU, the landscape of digital security is being significantly transformed.
This is the case for the Network and Information Security (NIS) directives, first adopted into European legislation in 2016 as NIS1, whose goal was to enhance cooperation between Member States and create a first level of harmonization in cybersecurity. Six years later, in 2022, the NIS2 directive was published to improve on the previous version. However, just when European actors thought they had enough work with NIS2, the AI Act was passed in March 2024, addressing the risks of AI and positioning Europe to play a leading role globally.
Thus, one question remains: how can we deal with this burden of European regulations, and is there any commonality between NIS2 and the AI Act? In this article, we demonstrate how AI can be leveraged to deal with compliance by finding commonalities between the latest regulations and, therefore, focusing on a single common solution using artificial intelligence.
The NIS2 directive
What is NIS 2?
In 2020, the NIS2 directive was proposed as a revision of NIS1. It aims to tackle new and developing cyber threats and a changing technology environment. By implementing new and more stringent cybersecurity regulations, it seeks to improve the resilience of vital services, digital service providers, and critical infrastructure. NIS2 also seeks to enhance methods for reporting and responding to incidents, promote increased collaboration between member states and other stakeholders, and adjust to the growing interconnection of digital systems.
For entities in scope, NIS2 distinguishes between two categories: important and essential services. The requirements for entities in both categories will be the same. However, there will be a difference in the fines and oversight procedures.
With the implementation of NIS2, essential entities will have to comply with supervisory requirements, and important entities will be under ex-post supervision, meaning that authorities will take appropriate action if they find proof of non-compliance. Failure to comply can result in severe penalties or even a ban from the industry.
Why is it a burden, and for whom?
- Costs associated with compliance: Implementing NIS2 standards frequently necessitates large financial outlays for infrastructure, technology, employee training, and compliance procedures. It could be especially difficult for startups or small and medium-sized businesses (SMEs) to commit the resources necessary to meet these compliance requirements.
- Administrative burden: NIS2 adds new administrative responsibilities, including risk management frameworks, incident response protocols, and reporting requirements. Fulfilling these commitments can take a lot of time and resources, diverting them from core business operations.
- Complexity: Organizations operating across various jurisdictions or those with varied business strategies may struggle to grasp and implement the regulatory framework provided in NIS2. It can be difficult to comprehend the directive's subtleties and ensure full compliance.
- Impact on innovation: Although the goal of NIS2 is to encourage innovation, the strict regulatory requirements could inhibit innovative developments, especially for smaller businesses that would find it difficult to keep up with compliance requirements. This can reduce competition and impede the advancement of innovative technologies.
- Competitive disadvantage: Businesses that operate in areas not covered by NIS2 may see it as a hardship because, to enter the European market, they may need to modify their operations to conform to EU laws. Because of this, they can be at a competitive disadvantage compared to companies that are already based in the EU.
How can Anove help?
Anove developed an app that explicitly addresses these issues. In addition to general aspects such as privacy management, risks, and security controls, the Anove app automatically generates an in-control statement per regulation, such as DORA, NEN, GDPR, or, in our case here, NIS2. These unique features enable you to be proactive in your reporting and to show whoever requests it that you are in control.
This also allows you to be compliant with frameworks in other regions or growth markets, such as NIS2.
Anove allows you to create an in-control statement that is tailored to your organization in just a few clicks. This can easily be done in the ‘Compliance’ section at the strategic level.
As a result, NIS2 appears to be a challenge for many European companies, and as the digital landscape evolves with the emergence of new technologies such as Artificial Intelligence, new regulations are being imposed on various European actors, such as the very recent Artificial Intelligence Act, which primarily focuses on AI-based technologies and has many similarities to NIS2.
The EU Artificial Intelligence Act
The rapid development of AI-based technologies led to the creation of new regulations and directives to address any potential risks associated with the wide use of AI in our daily lives or between businesses. As a result, in April 2021, the European Commission proposed the first EU regulatory framework for AI.
Under this framework, AI systems that can be used in different applications are analyzed and classified according to the risk they pose to users. Different risk levels entail more or less regulation.
Although NIS2 and the AI Act are two different texts addressing different issues linked to data privacy and cyber security, they share some noticeable similarities.
This is notably the case for the risk assessment obligations, the security obligations, and the notification obligations.
Risk assessment obligations
- NIS2 requires vital service operators and digital service providers to conduct risk assessments to detect and manage network and information system security vulnerabilities.
- The AI Act requires suppliers of high-risk AI systems to do risk assessments to examine potential hazards to fundamental rights, safety, and liabilities associated with the deployment and use of AI systems.
Security obligations
- NIS2 requires operators of vital services and digital service providers to implement sufficient security measures to protect their networks and information systems from cybersecurity attacks.
- The AI Act establishes security duties for suppliers of high-risk AI systems, requiring them to achieve specified robustness, reliability, and accuracy standards to limit risks and maintain AI system safety and security.
Notification Obligations
- NIS2 mandates critical service operators and digital service providers to notify the competent authorities of any significant incidents affecting the security of their networks and information systems.
- The AI Act mandates suppliers of high-risk AI systems to notify designated authorities of certain information, including incidents, malfunctions, and changes in the AI system's intended purpose or design, that may impact compliance with the Act.
Now you may wonder how all these issues can be addressed within your company with Anove technology.
Indeed, our AI-powered technology can provide you with the solution you need to “test once, comply many”. There is no need to tackle the mass of requirements coming from NIS2, the AI Act, or any future regulation one by one; we propose a solution to comply with all the SRFs (Standards, Regulations and Frameworks) within the scope of your company at once.
How can these common challenges be successfully addressed on the Anove App?
AnoveAI supports you in drafting controls.
AnoveAI streamlines the control writing process, saving Information Security Officers substantial time and effort. Based on our significant expertise, we trained AnoveAI to provide exact, relevant, and complete control descriptions.
These descriptions methodically handle critical factors such as who, what, when, how, and why, guaranteeing a systematic approach to meeting the criteria. Our solution is intended to generate comprehensive, industry-standard control documentation.
To do this, we rigorously trained our large language model on a variety of control examples, sticking carefully to the Kipling technique and targeting specific user scenarios. Whether the audience is comprised of control owners, risk managers, or auditors, using the Kipling technique (5W1H) guarantees that the results are clear and coherent.
Finally, we aim to bring more visibility by successfully helping you deploy and evaluate your controls to demonstrate your compliance during audits.
With AnoveAI, we ensure increased simplicity for control owners. Indeed, AnoveAI provides control owners with a thorough set of guidelines so they can concentrate on implementation. In the context of risk management, a control denotes a dedication to risk mitigation and keeping it at a manageable or low level.
You can get assurance from the control owner even if you are not fully aware of every control. From an auditor's perspective, controls represent the organization's dedication to managing risks and putting internal procedures in place to satisfy external demands.
Auditors assess controls concerning particular internal or external requirement sets. The subsequent maintenance and evaluation processes are made more efficient by precisely establishing controls.
Test once, comply many.
Not every framework needs its own in-control statement. Frameworks often overlap in the controls they propose, and this overlap can be mapped to determine where the frameworks intersect. One “parent” framework is proposed, corresponding to several “child” frameworks and their “child” controls.
You just need to test this parent control in the parent framework to ensure compliance with several other underlying controls, as illustrated in Figure 5.
This mapping is already available in technologies like Anove and is updated whenever the framework changes. Companies can now submit a single in-control statement that applies to several frameworks.
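As an added illustration of the parent/child mapping described above (a constructed example, not Anove's code or mapping data; the framework names come from the article, while the control IDs and test results are placeholders), the following Python derives per-framework coverage from one round of parent-control tests and reports the child controls that remain gaps:

```python
from collections import defaultdict

# Constructed parent framework: each parent control maps to the child
# controls it satisfies in several frameworks. All IDs are placeholders.
PARENT_TO_CHILDREN = {
    "P-01 Access control policy": [("NIS2", "N-A1"), ("AI-Act", "A-S1"), ("DORA", "D-A1")],
    "P-02 Incident notification": [("NIS2", "N-I1"), ("AI-Act", "A-N1")],
    "P-03 Risk assessment": [("NIS2", "N-R1"), ("AI-Act", "A-R1")],
    "P-04 Model robustness testing": [("AI-Act", "A-S2")],
}

# Constructed results of one test cycle run on the parent framework only.
PARENT_TEST_RESULTS = {
    "P-01 Access control policy": "effective",
    "P-02 Incident notification": "effective",
    "P-03 Risk assessment": "ineffective",
    # P-04 deliberately has no result: an untested parent is still a gap.
}

# When several parents map to the same child, the weakest result wins.
ORDER = {"effective": 0, "not tested": 1, "ineffective": 2}

def worst(a, b):
    """Return the weaker of two statuses (None means no status yet)."""
    if a is None:
        return b
    return a if ORDER[a] >= ORDER[b] else b

def derive_child_status(mapping, results):
    """Propagate each parent's result to the child controls it covers.
    Returns {framework: {child_id: status}}."""
    status = defaultdict(dict)
    for parent, children in mapping.items():
        result = results.get(parent, "not tested")
        for framework, child_id in children:
            status[framework][child_id] = worst(status[framework].get(child_id), result)
    return dict(status)

def in_control_statement(mapping, results):
    """Per framework: child controls covered by an effective parent test,
    and the child controls that remain gaps to report or remediate."""
    report = {}
    for framework, controls in derive_child_status(mapping, results).items():
        gaps = sorted(c for c, s in controls.items() if s != "effective")
        report[framework] = {"covered": len(controls) - len(gaps),
                             "total": len(controls), "gaps": gaps}
    return report

if __name__ == "__main__":
    for fw, r in in_control_statement(PARENT_TO_CHILDREN, PARENT_TEST_RESULTS).items():
        print(f"{fw}: {r['covered']}/{r['total']} covered, gaps: {r['gaps']}")
```

Because the weakest result propagates, a child control mapped from two parents is only reported as covered when every contributing parent test was effective.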
AnoveAI proactively proposes actions out of ineffective control testing.
You have probably noticed that many of the actions needed to improve ineffective controls are repetitive within an ISMS, for example:
- Penetration testing (simulating cyberattacks to identify vulnerabilities in systems and controls; this can expose weaknesses in access control, security policies, or incident response procedures), or
- Monitoring (regularly monitoring the effectiveness of implemented changes and conducting reviews to ensure controls remain relevant in the face of evolving threats).
Therefore, with AnoveAI, we provide an AI-powered assistant that proposes remediation actions to improve ineffective controls. We rigorously trained the LLM engine on the years of field experience of our experts to advise you at each step.
In conclusion, with regulations of increasing complexity appearing in the European market, such as NIS2 and the AI Act, organisations must shift to a more proactive approach that combines innovation and simplicity of use. Moreover, as we can see with the AI Act, AI has become a central actor in GRC as it becomes subject to more stringent regulation. In this case, organisations should leverage AI itself as an ally to face this compliance burden. It's like using venom to cure venom, a paradoxical yet effective remedy in today's medical advancements.
Therefore, Anove is a strategic partner in the ongoing improvement of Digital assurance. With our advanced technology, AnoveAI, we help you comply with NIS2 and the AI Act efficiently, following our core principle, “test once, comply many.” Trust Anove not just to help you write and implement controls within your ISMS but also to provide you with the insight you need at the strategic and tactical levels to guide your organisation towards a future where Digital assurance is seamless and success is inevitable.