The news might have reached you: NIS 2 is here! Well, at least it’s coming to your organization, or an organization near you, very soon. As always, we are suddenly in a world full of NIS 2 experts who will guarantee adoption of, and compliance with, NIS 2.
I don’t know about you, but subjectively I get a very uncertain feeling. It’s great to see the endeavors of the experts to assist, and I am very happy to see more mature security companies willing to assist. What I do see is that many of these offers of assistance are largely geared toward compliance. Frankly, this compliance-driven approach scares me.
Compliance means conforming to a rule, such as a specification, policy, standard, or law, at a minimum level. In Belgium, the NIS 2 bill (transposing the European NIS 2 directive) was approved by the federal parliament on 19 April 2024 (Belgium being the second country in the EU to do so). We now see a great many offers to assist with NIS 2 compliance.
What worries me is that compliance is geared towards the minimum requirement of the law instead of focusing on the spirit of the law: its purpose, the desired objectives, and the wanted effects. The idea behind NIS 2 is to force the targeted entities to (finally) strengthen their perimeter against ever-increasing threats. Ideally, this would have been done long ago.
Legislation like NIS 2 is the result of wanting to address non-conformities: non-conformities against common sense, ethical behavior, and best practices, and non-conformities against basic information security hygiene. We have seen this with the GDPR (the companies that struggle most with the GDPR are the ones that do not, or have not, respected your privacy), with DORA (requirements for financial institutions that arose from insufficient investment in security, governance, and ownership in the financial sector), and with NIS 2 (essential entities that did not fall under the original NIS were reluctant to make basic security investments).
I put it to you that a secured environment (secured in proportion to the value of the protected assets) will automatically bring with it a correct level of compliance. Working towards compliance will not, per se, guarantee a secure environment, and it will lead to a “tick in the box” culture.
We need to challenge this approach. Focusing on security, following best practices, enhancing our resilience capabilities, and supporting our organizations will bring with it compliance with the legal expectations of NIS 2. It is by acting according to our security principles, following our known paths of ISO 27001, using the CCB Cyber Fundamentals, and working through our NIST frameworks that we will achieve the desired effects in the spirit of NIS 2.
When you are assured that you have put in place your security measures, you will live up to the NIS 2 standards and expectations. It’s by working together, by involving our colleagues from legal, HR, and our peers, by supporting each other, and by addressing audit remarks, that we will endure.
NIS 2 compliance will support the security needs and business cases to strengthen our security posture. It puts an emphasis on the personal accountability of the highest levels of an organization. It forces decision-makers to account for the investments in people, processes, knowledge, and technology needed to cover their risks. It addresses vulnerability controls as never before (e.g. the supply chain).
At the end of the day, it carries potentially heavy consequences for decision-makers: not for being attacked, not for being breached, but for ignoring the information security needs, for ignoring needed investments, for ignoring the lack of organization-wide measures, for ignoring reality.
Personally, I am very happy with this step in the right direction through NIS 2. NIS 2 has created, through its compliance need, and potential consequences, a strong case to support information security professionals in getting attention to security needs at the correct levels.
Make use of NIS 2 to further your security endeavors, but focus on security. Compliance will come through a security approach. We need NIS 2 to support us in building a stronger, more resilient mesh in Europe, for now, and for the future.
Happy NIS 2 deployment 😊