NIS2 Directive: What does it mean to senior managers and their cybersecurity strategy?

In this concluding blog of the series that analyzes the changes to the Network and Information Security regulations by the European Union, we focus on what the changes mean to top-level executives and the factors to consider when building cybersecurity strategies going forward.

March 13 2023 by Ivna O'Neill


Previously in this blog series, we discussed the cybersecurity risk-management measures that are required as part of the new NIS 2 regulations. These requirements make up the framework to enhance cybersecurity across the European Union and are set to keep security teams in high demand over the next few years.

This mandate for raised security measures will have a great impact on the way entities are managed and cybersecurity strategies are devised. The role of the Chief Information Security Officer (CISO) is likely to grow in importance in Europe post-NIS 2, but liability is set to fall onto all top executives within organizations. National authorities will have the ability to audit and assess the application of cybersecurity measures, and serious infringements may result in temporary bans for top managers and suspension of company activities, with the nature of violations potentially made public. Non-compliance can also result in hefty fines, ranging from 7 million euros or 1.4% of annual turnover for companies classified as Important Entities to 10 million euros or 2% of annual turnover for Essential Entities.

Moreover, the EU wants boards to be held accountable for issues, instead of passing the buck down to IT teams. The fines, aimed at C-suite executives, are designed to encourage comprehensive planning and careful investment in preventing problems, since it is far more cost-effective to comply before an incident occurs than to leave the door open to the financial penalties that follow a data breach.

Here is where CISOs can shine — by creating a robust security strategy that avoids the headache of breaches and promotes business continuity, these executives are likely to increase their profile and that of their teams.

Investing right: technical, operational and organizational factors

With the added responsibility, infosec officers and their teams will require bigger budgets and approval to increase spending over the next few years. According to a Gartner forecast report, the market for information security and risk management in 2022 was worth 170 billion euros, with an estimated global growth of 6.5% by 2025. Forecasts by the European Commission suggest an increase in spending between 12% and 22% per sector over the next three to four years on the back of NIS 2 — a figure that is expected to bring benefits far exceeding costs.

To realize such potential, managers must make vital decisions about spending, not only in IT infrastructure but also in human resources and training. Although NIS 2 does not specify what cybersecurity training should look like in each member state, the directive establishes that adequate awareness of cyber threats should be part of best practices for companies. Member states must actively promote and develop cyber protection for citizens, stakeholders and entities, leveraging further regulation if necessary.

Regarding talent, businesses have the added burden of hiring in an increasingly competitive market. Staying on top of emerging and evolving cybersecurity threats requires hiring the right expertise or identifying and enabling the right people to learn these skills. Many organizations are already struggling to source traditional computer science, engineering and math graduates, making it essential for recruiters to expand the traditional talent pool.

Adding remote employees to staff is one way to mitigate the shortage, but it is unlikely to be enough. According to the European Commission, organizations must rethink their value proposition to employees. Strategies focused solely on output and not on the human element are now obsolete. Technology and automation must be adopted to free employees, allowing them to shift from tedious tasks to those that add the most value while helping to develop their careers further. Business processes must be examined first, with areas like device management being a good example of how repetitive work can be streamlined for efficiency and employee satisfaction. Similarly, the use of machine learning can enhance the work of information security teams while enabling employees to seek a deeper understanding of bad actors, in a way only humans can.

Uncovering existing solutions for evolving problems

The EU has put in place a framework that will highly influence top-level decision-making in the information technology space for the foreseeable future. These measures are comprehensive enough to make a sizeable difference in how companies handle risk and the vast amount of money lost to cyberattacks. This also represents a fantastic opportunity for organizations to familiarize themselves with technology already available and within their reach. Modern security solutions have become less complex and invasive and are much better at preventing threats for enterprises of any size.

Whether or not a business is directly affected by NIS 2, those responsible for its success must thoroughly consider not only the relevant regulations, but also:

  • trends that influence business and industries
  • the variety and impact of work environments
  • the modern and evolving threat landscape
