While digital transformation is driving many positive developments across the public and private sectors, this rapid adoption of new technologies also puts organizations at greater risk of a cyberattack. Critical industries that rely on a mix of IT and operational technology (OT) are of particular concern, as entities in these industries are often prime targets for malicious actors. According to the Fortinet 2023 State of Operational Technology and Security report, nearly 80% of respondents said they had over 100 IP-enabled OT devices in their environment, highlighting the complexities of securing an ever-expanding attack surface. Furthermore, 75% of OT organizations experienced at least one intrusion last year.
Given these heightened risks, the European Parliament and the Council of the European Union (EU) adopted the NIS2 Directive in December 2022. It requires organizations providing critical services in any of the 27 member states (including public administrations as well as sectors such as energy, transportation, healthcare, and banking) to adhere to a consistent set of cybersecurity measures, standards, and practices. The NIS2 Directive covers numerous aspects of cybersecurity, with many requirements focusing on harmonized risk management and incident reporting and on greater collaboration and information sharing among member states.
NIS2 is designed to establish common security standards across all member states while fitting into the broader scope of existing EU and member state laws, ultimately enhancing organizations' resilience against an evolving threat landscape. EU member states must transpose the NIS2 provisions into national law by October 17, 2024, after which the national rules become enforceable.
Public and private organizations in the scope of NIS2 have less than one year to develop and implement a comprehensive compliance readiness plan, procure certified security technologies, and adopt new governance, practices, and incident response protocols. We're encouraged that many member states are already progressing toward adopting these requirements into their national laws. Below are several examples.
In Hungary, an existing regulation on cybersecurity supervision for government entities already sets compliance standards similar to those outlined in the NIS2 Directive. Given the parallels, that regulation is being revised to incorporate all NIS2 standards, which extends its scope beyond government entities to companies with 50 or more employees or EUR 10 million or more in annual revenue (the NIS2 size threshold for medium-sized enterprises).
In Germany, the Federal Ministry of the Interior and Community published a public discussion paper earlier this year on the draft national law implementing NIS2. The affected professional associations, such as Bitkom and VDI, were asked to comment. This represents a positive step as entities seek to understand and implement the requirements outlined in NIS2.
In the Nordic region, we expect a local interpretation of the new directive to be published in early 2024. In Sweden, for example, a governmental inquiry was appointed earlier this year and should be completed no later than February 2024. We're also observing local interpretation of NIS2 combined with local interpretation of other key EU measures around cyber resilience, such as the Digital Operational Resilience Act and Critical Entities Resilience Directive.
We've also observed many organizations in the Nordic region prioritizing the NIS2 requirements. Most larger companies have frameworks in place currently that support the implementation of NIS2. Among the smaller companies impacted by NIS2, numerous entities are already working to adopt the appropriate security technologies and some are also consolidating security solutions to just one or a few vendors, creating efficiencies and streamlining their operations. Whether municipalities and public entities will be part of the scope remains to be seen.
NIS2 is the centerpiece of various new regulations that will transform the regulatory landscape and require a culture shift across the whole networking and information security industry. The EU is leading the charge with its proposed Data Act, AI Act, Cyber Resilience Act, and the new Product Liability regime (to name just a few). This new legal framework will require heightened attention to handling and securing organizations' information, data, and systems.
While organizations are already making progress toward achieving NIS2 requirements, this directive gives EU member states the backbone to build a harmonized set of cybersecurity rules while offering covered entities an opportunity to proactively assess and strengthen their security posture. Business leaders should consider several core areas as they prepare to comply with NIS2 standards, including overall cybersecurity strategy and governance, infrastructure and application security, and incident detection and response, without losing sight of the overall regulatory transformation the EU is pushing for.
Essential entities face higher maximum fines and proactive supervision, while important entities face lower fines and supervision only after the fact, but the security and reporting obligations are the same for both. For small or understaffed security teams, achieving NIS2 compliance may feel daunting. That's why organizations need a comprehensive security platform that they can manage through a single pane of glass, not a collection of disparate point products stitched together. The Fortinet Security Fabric offers protection across your entire network, with end-to-end visibility and control over your security posture.
Discover the latest NIS2 resources including the new webinar series on-demand "Navigating NIS2 Compliance with Fortinet SecOps".