SME guide to NIS2 rules for cyber security in the EU
Cybersecurity in the EU is on its way to becoming a legal obligation. This week Belgium drafted the legislation for cyber security requirements to pass into law based on the NIS2 Directive. Like seat belts in cars, cyber security efforts are on the way to becoming mandatory precautions for businesses large and small. This blog explains how NIS2 matters to SMEs.
1. What is NIS2 and why does it matter to SMEs?
2. The business case for SMEs to embrace NIS2
3. How can you comply?
1. What is NIS2 and why does it matter to SMEs?
– NIS2 is the update to the EU’s Network and Information Security (NIS) Directive. It is the first piece of EU-wide legislation on cybersecurity. From October 2024, pending approval by national governments, NIS2 is intended to make businesses take their information security seriously. Businesses will need to demonstrate that their IT and infrastructure are secure and resilient against the online threat environment. The scope is 30 ‘essential’ and ‘important’ industries and the medium and large businesses within them.
– NIS2 matters to SMEs because, although it is initially aimed at larger essential and important industries, infrastructure and larger businesses, their supply chains will start to align too. This is because larger businesses are obliged to check the cybersecurity of their suppliers, including SMEs.
– The key benefit for SMEs of focusing on NIS2 is reduced cyber risk, achieved through greater control of cyber security. In general, improvements in security lead to overall quality improvements.
– The cost to SMEs of ensuring compliance is based on basic policies, processes, and a baseline for continuous monitoring of vulnerabilities and security controls.
– The costs increase with risk when people, technology and process leave gaps for cyber criminals.
In detail, the EU NIS2 cybersecurity risk-management measures to consider include:
– Policies on risk analysis and information system security;
– Incident handling;
– Business continuity, such as backup management and disaster recovery, and crisis management;
– Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
– Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
– Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
– Basic cyber hygiene practices and cybersecurity training;
– Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
– Human resources security, access control policies and asset management;
– The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
2. The business case for NIS2 for SMEs
Benefits
– The biggest benefit of NIS2 is, intentionally, security: of a business’s reputation, revenue and continuity of resources. It ensures that businesses have done the essentials to stay secure across people, IT and process, every day. Companies with weak security run the risk of going out of business after a severe cyber attack.
– Compliance will open up access to more business in the EU. As businesses review their supply chains, SMEs who are transparent about their standards can expect greater success. (In the UK, ‘Cyber Essentials’ has been a successful programme because all government contracts require it for tender.)
– Compliance will become essential for many companies in the future. Some larger corporates have already started putting this requirement in their procurement policies, requiring suppliers to show evidence of their baseline security (see Cyber Trust in Austria).
– Brand building: as above, Cyber Fundamentals are now a recognised badge of online quality and trust for businesses who show they are in control of their cyber risk.
– Additionally, IT audit experts including Charde Janse van Vuuren of Schuiteman in the Netherlands see an overlap between the work required for NIS2 and for the ISA315 standard.
Costs
– Compliance risk: not aligning with supply-chain requirements may put business at risk, especially with larger companies that must be compliant with NIS2.
– Fines: businesses that should be compliant but are not face millions of euros in fines. For now, this does not apply to most SMEs.
Opportunities
– Overlap
  – Work for ISA315 can in some instances cover NIS2 requirements.
  – Compliance with Cyber Fundamentals likewise covers some (not all) requirements.
– A clear dashboard from Lupasafe shows you where you are meeting key requirements for NIS2, including network security, vulnerabilities, cyber hygiene and training, asset management and multi-factor authentication.
– A deep security assessment of the business, and even its supply chain, through the EU’s Cyber Security for SMEs project ‘CYSSME’. This is currently accepting applications for security assistance from SME businesses within the EU, allowing for up to €20,000 per business in cyber security support. See www.cyssme.eu.
3. How can you comply?
Lupasafe’s dashboard is a simple way to start your NIS2 compliance. It shows all your vulnerabilities across people, IT and process. This means you can quickly see any point in your business that is at risk, whether it’s people working from home, cloud software that is not updated, compromised passwords or phishing risks.
Specific standards to align to are being rolled out by EU nations.
The Netherlands recently launched this NIS2 checklist.
Book a demo of Lupasafe to see how our Dashboard puts you in the picture and helps manage NIS2, for you, your clients and your supply chains.
Don’t face fines like the one third of large businesses who aren’t yet ready.
Appendix
Additional materials to support implementation of NIS2 controls:
- NIS2 Directive: the original EU directive on NIS2
- Quick start guide: NIST Cybersecurity Framework for Small Businesses
- Incident handling: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- Security controls: ISO/IEC 27002:2013, Code of practice for information security controls
- Cryptographic policy: https://iso-docs.com/products/isms-cryptographic-policy
- Business continuity guidelines: https://www.thebci.org/certification-training/good-practice-guidelines.html
- Supply chain risks: https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/publications