NIS2 is set to change how companies across Europe engage and react to cybersecurity within their organisations. Roland Singer, VP IT Services Sharp Europe, looks at what the NIS2 directive means for SMEs and how they can be prepared to adopt the changes.
Modern business thrives on connectivity. Whether exchanging emails, joining meetings, working over open Wi-Fi networks, or sharing documents with others, the world is connected and open for business. With that in mind, small and medium-sized enterprises (SMEs) today are more susceptible to cyberattacks than ever. Studies have found that small businesses are more frequently the target of cyber-crime, while Sharp research shows that one third (33%) of European businesses have been impacted by a computer virus attack.
What is the Network and Information Directive (NIS2)?
In view of the growing threat of cyber-attacks, the European Union (EU) has put in place several directives that make it essential for companies to optimise their cyber resilience – the ability to prevent, withstand and recover from cyber incidents. The first of these, the Network and Information Security (NIS) Directive, was introduced in 2016 and aimed to achieve a high common level of network and information system security across all infrastructures.
The Network and Information Systems (NIS) Directive is an EU-wide piece of legislation that sets cybersecurity standards and imposes obligations on operators of essential services and digital service providers to ensure their network and information systems remain secure and resilient against cyber threats.
The original directive has been under review, and the NIS2 Directive is set to come into effect in October 2024. It intends to boost the collective cyber resilience of the EU further by requiring robust risk management, security controls, and regular audits and testing to be put in place. While allowing some national flexibility, NIS2 establishes EU-wide cybersecurity baselines mirroring global standards and best practices. This will ensure a higher level of preparedness and resilience against cyber incidents that could potentially disrupt the functioning of essential services and critical infrastructure.
NIS2 aims to achieve this by introducing more stringent cybersecurity standards and requirements for organisations, including the implementation of cybersecurity policies, incident response plans, and regular risk assessments. It also imposes stricter risk management and reporting obligations on organisations, requiring them to take appropriate measures to manage cybersecurity risks and report significant cyber incidents to national authorities.
Furthermore, NIS2 widens the scope of the original regulations by including more sectors and entities it deems essential or important, such as public administration, energy, healthcare, digital services, postal and courier services, food production and distribution, digital infrastructure, and manufacturing.
Along with covering a wider range of organisations, NIS2 introduces new checks and balances for small businesses too. Small and medium-sized enterprises (SMEs) with 50+ employees and €10M+ revenue are subject to NIS2's heightened cybersecurity requirements.
SMEs and the need for NIS2 Education
For the directive to be a success, businesses of all sizes across Europe need to improve technical IT security at all points across the organisation. Better security can only work if all devices are integrated into the IT security strategy: not only primary devices but also peripheral devices. This increasingly applies to multifunction printers (MFPs), whose security is still neglected by most companies; Sharp research found that 19% of SMEs had been impacted by a printer security breach.
Smaller firms that fall within the scope of NIS2 should take several steps to prepare for and comply with the new cybersecurity requirements. In the first instance, SMEs should work with their IT Support provider to carry out a comprehensive risk assessment to identify potential cybersecurity vulnerabilities, threats, and areas for improvement across the organisation.
Equally, the business should review and update contracts, service-level agreements, and other relevant documents to ensure they support NIS2 requirements and clearly define cybersecurity responsibilities and obligations.
Once all assessments have been carried out, it is vital to develop and implement cybersecurity policies and procedures across the business. These procedures must align with the requirements of NIS2, such as risk management practices, incident reporting protocols, and security measures for network and information systems.
The challenge for companies is not only to implement such measures, but also to continue to perform regular effectiveness checks, whether in the form of vulnerability scans, security assessments, penetration tests or simulated cyber-attacks.
Education is the key to NIS2 Success
Cyber threats are often seen as something that happens to a business purely from outside. However, it is important to realise that most IT security breaches are caused by human error rather than by technological failure. As a result, a business can make its technology as secure as it needs to be, but if employees do not understand how and why security is needed, the policies simply won’t work.
Regular employee cybersecurity and awareness training is therefore an essential part of any organisation’s cybersecurity solution, regardless of the size of the business. Such training will ensure staff understand the need for cybersecurity and follow best practices for protecting sensitive information and systems.
By taking proactive steps to ensure that cybersecurity is a priority and readily aligns with NIS2 requirements, SMEs can better protect themselves against cyber threats, ensure business continuity, and avoid potential fines or penalties for non-compliance.
If you would like to know how Sharp Europe can help you keep your business ahead of evolving threats, CONTACT US.