NIS2 directive establishes new cybersecurity requirements for companies and their managers
NIS2 is part of the EU’s efforts to help companies and organizations adapt to the growing threat from cyber-attacks. Among other things, it establishes new categories for European organizations based on the importance of cybersecurity to their sector.
Madrid, May 8, 2023 - On December 27, 2022, the European Union launched the Network Information Security Directive, known as NIS2, to tackle the increasing number of cyber-attacks and their impact on business and industry. To discuss the implications of NIS2, leading Spanish business daily Expansión and Cipher, Prosegur’s cybersecurity area, organized “The impact of NIS2 regulations on managers and board members”.
The event, attended by cybersecurity experts and executives from leading companies in the technology and cybersecurity sector, focused on the implications of NIS2 for companies and their managers, as well as assessing the challenges organizations face in adapting to the growing number of cybersecurity threats.
Javier Cabrerizo, Prosegur’s Global Managing Director, welcomed delegates, highlighting Prosegur's commitment to global security: "Prosegur’s mission is to make the world a safer place, and to do this we protect families, homes and a very important asset, money. In addition, our activity extends far beyond the physical world; our work expands to new platforms, precisely where cybersecurity comes into play."
Jesús Yáñez, Partner for Regulatory Compliance, Privacy and Cybersecurity at Écija Abogados, contextualized the new implications of NIS2 and the impact it will have on business in EU member states: "Europe is aware that the current cybersecurity directive is not sufficient for the protection of companies. The aim of the NIS2 directive is to create a culture of cybersecurity."
This was followed by a panel discussion attended by executives from several leading companies in the Spanish technology and cybersecurity sector: Carlos Rodríguez Sanz, Regional Cybersecurity Product Leader APAC and Europe at AXA XL; José Seara, CEO of Denexus; Carlos Pelegrín Fernández López, Partner of Corporate Learning Solutions at ESADE; Margarita Fernández de Prada, Director of Digital Transformation at Iberdrola Group; and David Fernández Granado, CEO of Cipher.
Implications of the NIS2 directive for organizations
NIS2 is part of the EU’s efforts to help companies and organizations adapt to the growing threat from cyber-attacks. Among other things, it establishes new categories for European organizations based on the importance of cybersecurity to their sector, the type of service they offer, and their size. It extends its scope of application to sectors that it considers essential and important for society. In addition, it sets up a compliance chain, whereby companies and their customers and suppliers must notify any cybersecurity incident.
David Fernández Granado, CEO of Cipher, argued that NIS2 is an incentive for the entire company, while highlighting some of the directive’s challenges, such as lack of awareness of cybersecurity and the technological fragmentation found in many companies. Likewise, he highlighted the importance of employees having a universal knowledge of the tools needed to deal with this growing threat. At the same time, the lack of talent and the speed at which the sector is changing are other challenges that organizations must address. Regarding the latter, Fernández Granado pointed out that organizations must adapt to the pace of growth in the sector so that all links in the chain operate on the same terms.
José Seara, spokesperson for Denexus, emphasized the need to promote public-private collaboration to implement new technologies, agreeing with Fernández Granado about the importance of transferring the challenge of cybersecurity to managers who are still unaware of the risks, in order to make this a shared responsibility.
The new regulations are expected to extend liability to company managers and, as a result, demand for cyber insurance is expected to grow exponentially. Carlos Rodríguez Sanz of AXA XL argued that the industry needs a governance framework that defines responsibilities, and stressed the importance of having an incident response plan and carefully analyzing contracts with suppliers, as NIS2 holds all businesses in the supply chain accountable.
This chain of responsibility also extends to small and medium-sized companies that carry out key work and must therefore be involved in cybersecurity. Fernández Granado explained that companies in the sector are emphasizing the importance of integrating the SMEs they work with into cybersecurity, but that there is still a long way to go.
In order to deal effectively with the threat of cyber-attacks and assume the responsibilities implied by NIS2, specialized training in cybersecurity at the top of companies is essential. Carlos Pelegrín, from the ESADE business school, underscored the importance of continuous training for managers, allowing them to keep up to date with technological advances and new threats. Pelegrín added that it is essential for training to be practical and for drills and training to be carried out on a regular basis so that managers are able to act in the event of any security incident.
Keys to position Spain in the cybersecurity sector
Margarita Fernández de Prada, Director of Digital Transformation at Iberdrola Group, welcomed NIS2 as an opportunity to position Spain as a benchmark in adapting to new technologies, while contributing to retaining talent here. She noted that although digitalization offers advantages, it also increases organizations’ vulnerability to cyber-attacks. Therefore, it is important that companies consider these risks and take advantage of NIS2 as an opportunity to take responsibility for cybersecurity.
In conclusion, Fernández Granado reiterated that his mission is to bring the security that Prosegur already provides in the physical world to the digital sphere, identifying the weak points that cause cyber incidents. In addition, he pointed out that 80% of attacks are carried out by the same actors and rely on vulnerabilities that emerged in 2019. The ongoing task is to raise awareness of the importance of companies assuming greater responsibility for their cybersecurity.