Europe Imposes More Cybersecurity Obligations on Companies

The new demands arise from the pressing need currently felt in cybersecurity, since the number and complexity of cyberattacks keep growing.

David Yatskiv

30/11/2021

The future European cybersecurity regulation “NIS2” intends to establish a common cybersecurity level in the European Union by harmonizing national legal provisions under a new European cybersecurity regulatory framework. Among the features this regulation will include are aspects related to the response to security incidents, reinforcing security in the supply chain, information encryption and vulnerability disclosure. Likewise, it is foreseen that cybersecurity will be treated as a responsibility of the highest management level, which may entail revising the legal liability of administrators and directors of those companies.

The picture portrayed by this regulation, although it is still only a draft, recommends that the companies affected start planning their cybersecurity management now and identify which new measures should be adopted next. However, this planning must not be driven only by the possible penalties the regulation may imply, but rather by the fact that cyberattacks represent a risk to the company's own business continuity.

The new NIS2 regulation shows clear advances over the current NIS Directive in its range and scope of application, most clearly by providing a second level of recommendations to agents that are not bound by it, that is, by bringing large companies and SMEs from non-essential activities into cybersecurity policies. The new Directive NIS2 fixes the deficiencies of the NIS Directive regarding institutional strategy and transposition into the internal regulations of the Member States, among them the ambiguous delimitation of the Directive's scope of application, which has produced significant differences in the extent and depth of the European Union's de facto intervention at the level of each Member State. As a result, the minimum security level of information systems reached across the Member States is neither as high nor as uniform as intended. The draft of Directive NIS2 also improves the harmonization of security and notification requirements, to make regulatory compliance easier for entities that offer cross-border services, with the objective of improving the limited joint response capacity that EU Member States have shown in crisis situations up to this date.

The new Directive NIS2 fixes the deficiencies in the Directive NIS regarding institutional strategy and transposition to the internal regulations of the Member States

These features arise from the pressing need that we currently experience in the domain of cybersecurity, since the number and complexity of cyberattacks keep growing.

Proof of that is the data provided in the report, which reflects that cybercrime doubled in 2019 and ransomware tripled in 2020; even so, European companies and institutions keep investing 41% less in cybersecurity than in the United States.

Recent studies also show concerning figures: the damage caused by ransomware could reach 17,000 million euros by the end of 2021, 57 times the cost in 2015. Likewise, it is foreseen that in 2021 companies will suffer a ransomware attack every 11 seconds, compared to every 40 seconds in 2016.

More companies should adopt new measures and comply with obligations

The new Directive NIS2, in its draft stage, collects new and more restrictive cybersecurity obligations for companies, particularly in terms of supervision, risk management, report preparation and information exchange, in addition to the penalty regimes of the different Member States.

If we compare Directive NIS2 with current Spanish legislation, namely Royal Decree 12/2018, developed by Royal Decree-Law 43/2021, the scope of the new Directive will include a higher number of companies, which must adopt new measures and comply with additional obligations regarding information security. Among the newly affected sectors are companies in postal services, waste management, chemical products, food, health device manufacturing, electronics, machinery and motor vehicles.

At Uniway, we know that the new Directive NIS2 will pose a challenge for many companies, and in addition, you need to remember that cybersecurity is key to business continuity. Therefore, our service catalogue offers different solutions to manage business cybersecurity. If you need help, don't hesitate to contact us and we will gladly give you custom advice!