As the NIS2 deadline has passed (17 October 2024, the date by which member states were to transpose the directive into national law), many organizations are left unsure of how to proceed. Because the European Union issued NIS2 as a directive rather than a regulation, it does not apply directly: each member state must enact it into national law. The challenge, however, is that many countries have yet to pass the necessary laws, leaving organizations in regulatory limbo.
In this blog, Tal Morgenstern, Vulcan Cyber Co-founder and CSO, shares his perspective on this matter, highlighting a few key challenges and offering advice for organizations:
The core issue: While NIS2 is a directive, it is only a framework. Each country must legislate specific laws and detailed regulations to enforce it. Because of this, some organizations are now stuck, unsure of what they need to do, as the legal framework in their country might not yet exist.
Recommendations: Despite this, security professionals should take proactive steps and begin preparations, even if their country hasn’t finalized its legislation.
The core issue: Not preparing for NIS2 compliance means organizations risk significant legal uncertainty and potential fines once the national laws are enacted. Delaying preparation can lead to rushed implementations, a higher likelihood of non-compliance, and operational disruptions that could impact business continuity.
Recommendations: Even though the laws are not fully enacted, organizations should start preparing their teams and processes for NIS2 compliance. This means educating key stakeholders (management and other departments) about the new regulation and ensuring that current processes align with its requirements. What matters here is making sure the organization understands the need to adapt, since the fines under NIS2 can be substantial.
The core issue: One of the biggest concerns for global organizations is their exposure to risk across multiple European countries. A company operating in several countries could find itself compliant in one nation but non-compliant in another because member states are adopting NIS2 at different paces and with different local requirements. This adds complexity to managing a comprehensive exposure management program across borders.
Recommendations: Form dedicated teams in each region to monitor regulatory updates, manage compliance efforts, and liaise with local authorities. This ensures timely responses to changes in the legal landscape.
While regulation ≠ security (meaning, compliance doesn’t automatically equate to airtight security), implementing the processes required by NIS2 can significantly improve your organization’s exposure management program and overall posture. Security professionals should view this as an opportunity to adopt and strengthen best practices. The truth is, most of the required processes aren’t unusually difficult or burdensome.
As part of our organization’s preparations for NIS2 compliance, we’ve reviewed our existing procedures. Interestingly, we’ve found that there’s not a significant deviation from what we’re already doing. However, it was essential to confirm that everything aligns with the regulation so we can ensure full compliance when the time comes.