15 October, 2024
NIS2: The European directive that promises to reduce cyberattacks and strengthen digital resilience in the EU

The arrival of autumn is accompanied by the transposition of the long-awaited NIS2. This European regulation, known as the NIS2 Directive (Network and Information Security 2), expands the scope of its predecessor, the original NIS Directive, and focuses on clear and ambitious objectives: increasing the general level of cybersecurity in the EU, improving the resilience of networks and information systems, and guaranteeing a faster and more coordinated response to cyber incidents.

Before discussing the Directive, we must understand the current context of the hyperconnection society and the automation of processes in which we are immersed in order to understand why the European Union has responded to these aspects in this way.

We live in a time in which, for almost every aspect of our lives, we need digital devices and an internet connection. Think about it for a moment. On top of being hyperconnected, our rapid adoption of artificial intelligence and machine learning is opening new horizons of challenges to which the general population is exposed. This dependence on technology and constant connectivity has, in most cases, made us more efficient and productive, but at the same time it has significantly increased the attack surface available to cybercriminals.

If we extrapolate this situation of hyperconnection and automation to the business world, we have a combination that needs to be evaluated. On the one hand, we have predictive infrastructure maintenance systems, real-time traffic management, driver assistance, digital payments, reservations, and more. On the other, we have targeted and automated phishing attacks in which identity theft is carried out with AI-generated voice and video, intelligent malware that evades detection and is capable of adapting and mutating in real time, manipulation of AI models, and so on. The result is a significant increase in cyberattacks and, directly, in the damage they cause, whether economic, operational or reputational.

[Image: Cybersecurity, NIS2 Directives. Source: OpenAI]

Now, is this NIS2 Directive the definitive solution for reducing cyber attacks on companies in the transport sector? To give a reasoned answer, we will analyze the Directive and the sector’s current situation.

The NIS2 Directive distinguishes between essential entities and important entities, depending on the criticality of the sector, the services they provide, and their size. The sectors covered include transport, both rail and road, for entities that qualify as medium or large companies. However, each Member State may additionally classify other entities as essential. All of this will be recorded in a list of these entities that each Member State must draw up before April 17, 2025.

New governance measures, beyond those of the original NIS, are established for these listed entities. Governing bodies are required to approve cybersecurity risk management measures and to supervise their implementation and respond to non-compliance, should it occur. In addition, members of these bodies will need to attend training to acquire knowledge of cybersecurity risks.

These measures must follow a risk management approach to the security of the networks and information systems used in the entity's operations or for the provision of its service, while minimizing the repercussions of any security incidents that may occur. Likewise, ten groups of minimum security requirements or measures are established that each entity must implement, such as business continuity, supply chain security, cryptography, cybersecurity training, and the use of multi-factor authentication, among others. In addition, the entity is required to notify its reference CIRT of any significant incident within 24 hours of becoming aware of it, including detailed information about the incident, the measures taken to mitigate it, and any potential impact.

Considering the above, what is the difference between an essential entity and an important entity under NIS2? At the moment, the measures to be applied do not differ between the two types of entities, unless the transposition of the standard introduces some clarification in this regard. The difference lies in administrative fines: the maximum fine that can be imposed on essential entities will be at least €10,000,000 or 2% of the total worldwide annual turnover of the previous year, while for important entities the maximum fine will be at least €7,000,000 or 1.4% of the total worldwide annual turnover of the previous year, in both cases taking whichever amount is higher.

Once we have analyzed the regulations, we can conclude that it is the right way to improve the resilience of the European Union, especially in today’s context where cybercrime is on the rise, reaching 1.5% of global GDP. This means that it generates almost twice as much business as drug, arms and human trafficking combined.

In conclusion, NIS2 will improve companies’ resilience to cyber attacks, reducing the risk of operational disruptions and improving business continuity. Furthermore, taking into account that it is a European Directive, compliance with it will significantly improve the reputation of companies, strengthening the confidence of clients and business partners in their ability to protect data and services, as well as offer new competitive advantages, positioning companies as leaders in cybersecurity and regulatory compliance, and opening new business opportunities in sectors where security is a priority.

Vicente Camús, Cybersecurity Manager at Globalvia.