Impact of NIS 2 on Your Organisation
Keep reading to learn how NIS 2 may impact organisations in both under and heavily regulated industries.
While NIS 2’s requirements are consistent across a range of industries, the impact on your organisation will depend heavily on your current state of cybersecurity maturity.
If your industry is already heavily regulated—for instance, if you’re in financial services—there’s a good chance you’ll already have some of NIS 2’s requirements covered.
On the other hand, if your industry has historically not been heavily regulated, you may find preparing for NIS 2 a significant undertaking. Below are three types of organisations that are likely to find elements of NIS 2 challenging to comply with ahead of the enforcement date.
Download our full NIS 2 guide.
1. Technology and SaaS Companies
In the past, technology companies were required to comply with relatively few strict cybersecurity regulations. While many companies adopted voluntary measures (e.g., SOC 2 and ISO 27001) for competitive reasons, their legal obligations rested primarily on securing sensitive customer information.
As a result, technology providers typically have strong technical controls in place but may struggle to implement the additional governance, policy, and procedural controls required under NIS 2.
In particular, technology companies are likely to find NIS 2’s supply chain requirements difficult to meet, at least initially.
Many technology companies rely on a complex web of third-party relationships and dependencies. While they likely have those dependencies and relationships documented, they may not have a comprehensive program to identify the inherent risks and ensure that all third parties are taking adequate cybersecurity precautions.
There are several viable frameworks for implementing effective and NIS 2-compliant supply chain security measures. However, none of them are light lifts, so technology companies will need to move quickly to ensure they are in place before the enforcement date.
2. Other First-Time Regulated Organisations
Organisations already subject to NIS undoubtedly had a head start on NIS 2 compliance. However, this may not entirely be due to the NIS Directive itself.
Many organisations from essential sectors—for example, financial services, banking, healthcare, and critical infrastructure—have been subject to cybersecurity legislation and scrutiny for some years now.
In these cases, complying with the original NIS Directive was unlikely to have been particularly taxing. And while NIS 2 is undoubtedly tougher than any preceding regulations in certain areas, most of these organisations will at least have strong governance and technical capabilities to build on.
NIS 2, on the other hand, applies to many sectors that have previously been relatively untouched by cybersecurity regulation. While most organisations have some controls in place, their initial maturity level will likely be well below what’s needed for NIS 2.
Again, it’s unlikely to be technical controls that pose a significant obstacle to compliance. It’s far more likely to be the governance, policy, and procedural controls—particularly the supply chain security, procurement, and HR requirements.
3. Unaffected Third Parties
In theory, organisations that aren’t covered by NIS 2 will be unaffected. However, in practice, there are many organisations that—while not directly affected—are either current or prospective suppliers or partners of organisations that are covered by NIS 2.
You can think of this as the trickle down effect of NIS 2, and it’s a completely intentional side effect of the Directive’s supply chain security requirements.
If your organisation is connected (or plans to be) with essential or important entities, you can expect those organisations to demand evidence of the cybersecurity measures you take while delivering whatever service you provide them.
Be sure to reach out to any NIS 2-affected organisations you supply or partner with to find out what they need to work with you after the enforcement date. In this context, SOC 2 attestations and ISO 27001 certifications are a common means of addressing concerns during discussions with your customers.
If you’re ready to see how Drata can help lessen the burden of NIS 2 compliance, book a demo with our team.
