The NIS2 – What Boards Must Do
The NIS2 – a European directive that follows in the footsteps of NIS1 – requires full implementation by member states by October 17, 2024. This means that member states will have had the time between January 16, 2023 and October 17, 2024 to translate the directive into more specific rules and instructions for effective compliance. It is worth noting that certain countries and industries have already anticipated this shift and have started adapting to it. In this article, I describe three stances that are vital to boards and to anybody holding a stake in the company, together with the primary obligations you must now consider.
Three stances
Right now, three main issues are important to consider with NIS2. I often use this as an example when board members or investors ask me: NIS2, what should I do about it?
1. Ownership is essential to truly understand your role because it establishes a managerial standard that will impact your ability to act with entrepreneurial freedom.
2. Scoping, or as we call it: demarcating. There is a common misconception that the entire organization must comply with NIS2. However, the legal requirements clearly state that only the vital chains in your production process must comply. Aspects which, if disrupted, could lead to social unrest, bank runs, death, or other types of disasters.
3. Avoid reinventing the wheel and don't be swayed by costly consultants or intimidating cybersecurity companies, all eager to capitalize on the commercial trend. Keep in mind that if your organization already has certain “checks and balances,” you can build on that and provide more specific details.
Do not underestimate the importance of “specifying”. Within NIS2, there are certain requirements that involve making a choice, such as whether you would like to handle certain Operational Security actions on your own or delegate them to a specialist party.
NIS2 as a driver: you have to deal with it
I won't reiterate what we already know, but there are some important things to consider beforehand. Namely: does my company belong to an essential or vital sector, or is my company a supplier in such a chain? I will use an example from a food retail chain to describe the specific requirements and implications. The legal document states that organizations involved in "Production, processing and distribution of food as defined in Article 3(2), Regulation (EC) No 178/2002 of the European Parliament and of the Council (3) engaged in wholesale and industrial production and processing" must adhere to NIS2 requirements. But then what are "Food businesses" in the context of NIS2? According to the Official Journal of the European Communities, food businesses are defined as organizations that operate at any stage of the production, processing and distribution of food, and they can be subject to both public and private law. They may operate for either profit or nonprofit purposes. Specifically, this supply chain includes our suppliers and service providers, as the phrase "at any stage" implies. These organizations must, therefore, begin to meet specific requirements as well.[1] First, we will outline the two key types of requirements: duty of care and duty of notification.
Consequences of not adequately following NIS2 requirements: The competent authority may impose an administrative fine on the violator in case of:
- a. violation of the provisions of or under this Act;
- b. violation of Article 5:20(1) of the General Administrative Law Act.
Article 28 The competent authority is authorized to impose an administrative order to enforce the provisions of or under this Law.
Article 27 The competent authority may require the person who fails to comply with Article 7 or 8 or with the detailed rules referred to in Article 9, by issuing a direction, to take the measures specified therein within a reasonable period of time specified therein.
Duty of Care
The duty of care in this context refers to the necessary preparations and measures taken by an organization to effectively implement and maintain NIS2. Consider establishing a transparent organizational structure, complete with role and function descriptions, as well as a governance framework to identify unique situations or potential issues and make informed decisions. It is not enough to just appoint a Chief Information Security Officer (CISO) and hope for the best. More must be done to ensure successful outcomes. Under NIS2, the director, or board of directors, has a more significant role in governance to prevent fines or, even worse, exoneration. NIS2, what to do with it? You do have to do something about it.
According to Article 21 of the NIS2 legal text, there are ten measures that organizations should take to effectively manage cybersecurity risks, not once but continuously. Just as you maintain your financial records, it is important to document these measures systematically and thoroughly. I highlight a few key underestimated measures that need additional explanation, starting with risk analysis. This may sound obvious, but it is crucial to properly delineate the applicability of NIS2 to your organization. When it comes to food processing, there are certain risks to consider. These include potential attacks on production systems or smart meters (IoT, OT), attacks on the supply chain, or even potential sabotage of equipment, i.e., all risks that can negatively impact product quality and thus public health. Take for example the 'Cheese Hack' that left global retailer Ahold without cheese for weeks.[2] Empty shelves are a problem, but infected chocolate has far more serious consequences.[3]
Zero Trust strategies
Article 89 of NIS2 discusses the implementation of the Zero Trust principles. This means that we are establishing technology to more strictly regulate any implicit trust that may have developed over the years, something like an extra passport and baggage check at the airport. In Zero Trust, it is crucial to identify what is important and how it relates to the organization. This involves first determining the significance of the "protect surface". In the case of food production, this could refer to a system in which milk is processed by pasteurization and then packaged. Performing a risk analysis on this system is important in order to determine its exact scope and the measures necessary to reduce risk. A service provider may be granted access to the system in order to perform maintenance work. One effective way to regulate access to a system is to strengthen its access controls by requiring an additional factor, such as a code generated by an authenticator. If access rights are set too broadly, unwanted guests can enter. This measure is so effective that it keeps out around half of these uninvited guests.
By the way, did you know that a Zero Trust approach was mandated for NATO trading partners through an Executive Order in 2021?[4]
“Harvard professors Hunter and Westerman examined companies that treated risk management as a continuous improvement process and showed that those who did were perceived to have higher market value.”
A Zero Trust strategy is built around various concepts, including "trust nothing, verify everything." This means that every request made to such a critical system is accompanied by an additional verification step, as you may know from Google Mail or Microsoft 365. For the convenience of users, biometric verification is now available, which makes the process much easier. Monitoring these additional verifications in our production systems is not only a safer practice, it is also required by NIS2. Should something go wrong, these verifications will allow us to quickly identify the issue and the parties that need to be notified, such as chain partners, customers, suppliers or possibly the police. The latter falls entirely under mandatory notification. You should be able to reproduce, mitigate, and report a serious incident fully and effectively. Here are a few examples.
Item (f) of Article 21 is my personal favorite in NIS2: "Policies and procedures to assess the effectiveness of cybersecurity risk management measures." Especially given that these policies and procedures are frequently documented on paper but seldom effectively put into practice. As a practitioner and researcher with 20 years of experience, I have seldom come across a reliable operational reference for this issue. According to a report on CSOOnline, half of all security products are not configured correctly, which causes them to malfunction. This is like having a lock on your door with the key left in it day and night. And then you need to know that the majority of hackers use automated tools to "feel" that door handle and can thus easily get in. So a leading cause of successful digital intrusions is incomplete or incorrect configuration. This is our low-hanging fruit for the solution. The fruit is already on the ground, so it is very easy to pick up without any effort.
Board IT competence is positively associated with business performance. Findings suggest that company performance is not only better but also more consistent across time. (Joshi, A. 2019)
What we can learn from others
Above all, let us take inspiration from the American approach to NIS2. The Presidential Executive Order's top-down approach aims to enhance cyber resilience through the Zero Trust five-step model. Additionally, publicly traded companies are required by the Securities and Exchange Commission to appoint a CISO to the board, while the director of the Federal Trade Commission (FTC) can be held liable for "bad practices". This top-down regulation makes directors more aware of the need for key steering information to properly track the effectiveness of NIS2 implementation and avoid any duplication. In fact, several of the processes and tasks related to GDPR (healthcare and notification) are comparable to those of NIS2 and can be built upon.
Five questions Boards can ask
Apart from the duties of care and reporting, directors also have a duty to provide education, among other obligations. Similar to the requirement of continuing education points for supervisors and managers, this program aims to raise awareness and transfer knowledge in order to develop competence and enable effective action. The courses that I offer to directors and managers at Antwerp Management School are designed to teach various skills, such as enabling the CISO to think like a CFO and vice versa, so that they can each better understand and fulfill their respective roles, understand each other's perspectives, and work together as allies in battle. That way, we can think about how to achieve maximum effectiveness with minimal resources. Here, I am providing you with a small sample of the questions covered in these training sessions. Directors and DGAs can ask their security officer these questions in advance to obtain the current status and progress of NIS2:
- What were the key outcomes of the risk analysis conducted on our Protect Surfaces key chains? Additionally, what treatment plans have we developed to ensure we achieve the desired outcome? Lastly, what is that desired outcome?
- Who in our supply chain is available 24/7/365 in case of an incident, and when was this last tested?
- To whom and what should we report in case of an incident or disruption? Have we recently tested this process, and if so, what lessons were learned?
- What is our typical timeframe for detecting and containing incidents in terms of impact on operations and trading? When is this time frame tested in reality?
- How can we measure the effectiveness of our security measures and ensure that they are properly implemented in real time? This includes verifying the quality of our measures, such as their configurations.
Asking these questions will facilitate constructive dialogue, both prior to October 18th and following the implementation date.
Hooper states that "organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members."
Novel views on compliance
Now that we are taking measures to ensure duty of care, reporting and response in case of disruptions, and education, we come under the supervision of the authorities. We already know that the large number of companies in the EU that must comply with NIS2, in addition to all kinds of other EU legislation that will follow, will pose challenges for supervisors. They lack not only the capacity but also auditors with the necessary technological knowledge. The small number of auditors who are currently able to handle NIS2 is insufficient. Therefore, they will need to explore alternative methods of supervision. Just as with financial reports or VAT returns, we can learn from the "reverse burden of proof": we ask the supervised parties to submit a periodic report, an "In Control Statement", to demonstrate the effectiveness of the NIS2 implementation. I wrote about this earlier as a sort of NIS2 seal of approval, and this idea appears to be gaining traction with policymakers. In fact, a seal of approval through a control statement can serve as a unique selling proposition (USP) for companies.
Compliance as a Unique Selling Point (USP)
Ultimately, I believe that entrepreneurs have a responsibility to think critically and strategically, specifically about how new developments may affect them and how they can proactively respond. Here are three reflections that you can discuss with your management team right away:
- How can we effectively reuse existing processes and procedures, such as those already established for ISO9001, 27001, or GDPR, when implementing NIS2? Additionally, how can we incorporate “reuse” into this implementation? For instance, can we administer a measurement once a year and still remain compliant with various laws and regulations? The principle known as "test once and comply many times" can be further explored through the information provided here.[5]
- How can I fulfill my managerial responsibility and think strategically to set up the processes required for NIS2, including Security Operations and Incident Response? For example, should I handle that task on my own, or should I attempt to recruit, train, and retain employees in a competitive job market? As a food company, I acknowledge that security is not my primary focus. Or are commercial market players better equipped for this? I previously wrote about the ‘IKEA effect’ and the choice between doing something oneself or outsourcing it.[6]
- Finally, I must reflect on what my investment plan should entail with regard to NIS2 and other industry regulations and standards. As an entrepreneur, it's important to consider commercial Request for Proposals (RFPs) that often mandate compliance with specific industry standards for information processing. Consider the Payment Card Industry Standard, NEN7510 for healthcare, and the Baseline Information Security for Government (BIO) if you plan to conduct business with the government. And if you have ambitions to conduct business abroad, it’s important to be aware of the Federal Trade Commission (FTC) standard for financial companies doing business in the US and processing more than 5,000 records. Similarly, if you plan to do business in California, you should adhere to the California Consumer Privacy Act (CCPA). In the future, an internationally focused company may need to handle a wide range of customer requirements. Therefore, it's wise to consider these investments and maximize the reusability of controls from now on.
Companies that proactively address information security and cyber risks know how to handle NIS2. By leveraging their NIS2 compliance as a USP, they can gain an edge over competitors. This will allow them to be perceived by customers as a company that values quality, transparency, and honesty.
About the author:
Yuri Bobbert is a professor of Information System Science (ISS) at the Antwerp Management School (AMS). In addition to his academic work, he is also actively engaged in practice around the world, serving as the CEO of Anove and the Global CSO of ON2IT. He manages numerous research projects, including those related to Zero Trust, measurable Cybersecurity, standardized frameworks, Cybereconomics and decision-making, and affordable cybersecurity for small and medium-sized enterprises (SMEs).
References:
[1] The legal texts can be found at: https://eur-lex.europa.eu/legal-content/NL/TXT/HTML/?uri=CELEX:32022L2555#d1e32-143-1
[2] https://www.rtlnieuws.nl/economie/tech-business/artikel/5224919/kaas-hack-lege-schappen-albert-heijn
[3] In 2022, Belgian chocolate manufacturer Barry Callebaut recalled its chocolate due to a salmonella infection in its production chain. https://www.vrt.be/vrtnws/nl/2022/04/05/ferrero-terugroepactie/
[4] Executive Order on Improving the Nation's Cybersecurity. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[5] Tech regulations: How to relieve the burden of supervisory bodies and reduce the risk for investors. https://www.anove.ai/post/tech-regulations-how-to-relieve-the-burden-of-supervisory-bodies-and-reduce-the-risk-for-investors
[6] The IKEA effect on Cybersecurity investment decisions. https://12ways.net/blogs/the-ikea-effect-on-cybersecurity-investment-decisions/