NIS2, the updated EU Network and Information Security Directive, must be applied by member states from 18 October 2024. That is barely three months away at the time of writing.
Unlike the EU GDPR, which was well signposted for years before it came into effect in May 2018, NIS2 has arguably had a much lower profile. A report from Microsoft found that 70 per cent of business leaders were either unaware of the directive or unprepared for it.
That is despite a key part of the directive placing responsibility for cybersecurity at board and senior management level. Under the Directive, management bodies must approve the organisation's cybersecurity risk management measures, oversee their implementation, and can be held liable when the organisation fails to comply.
Board-level accountability for cybersecurity
BH Consulting CEO Brian Honan believes this puts cybersecurity “firmly where it belongs”. The accountability that NIS2 brings will be a “game changer”, he adds. It could lead to more budget, resources and support for cybersecurity projects that help organisations become compliant.
One of the biggest changes in NIS2 is its scope. The original NIS Directive applied to hundreds of organisations in critical sectors; the EU estimates its successor will directly affect around 180,000 organisations across Europe. They span sectors including health, digital infrastructure, public administration, ICT service providers, and waste management.
Step 1: Understand the NIS2 Directive
Familiarise yourself with NIS2’s requirements. It introduces stricter security measures with a strong focus on resilience and accountability, and distinguishes between “essential” and “important” entities, which face different levels of supervision and penalties. Implementing the Directive calls for extensive planning, collaboration and a commitment to cybersecurity from the very top of the organisation.
Step 2: Carry out a cybersecurity risk assessment
Identify the systems and services your business depends on, and assess the cyber risks to each of them. This exercise will show you where your vulnerabilities are and lets you choose security measures that address those specific risks rather than generic ones.
Step 3: Implement technical and organisational measures
Put in place appropriate technical and organisational measures to protect your networks and systems from cyber threats. NIS2 lists a minimum set of areas these measures must cover, including risk analysis and security policies, incident handling, business continuity and backup management, supply chain security, vulnerability handling and disclosure, cyber hygiene and training, use of cryptography, access control, and multi-factor authentication. In practice this can mean firewalls, encryption, access controls, and regular software updates.
Step 4: Develop an incident response plan
Create a comprehensive incident response plan that outlines the steps to take in the event of a cybersecurity incident. This plan should include procedures for reporting incidents to the National Cyber Security Centre (NCSC) and cooperating with competent authorities. Note that NIS2 sets tight deadlines for significant incidents: an early warning within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within one month. Your plan should make clear who decides whether an incident is reportable and who submits each of these.
Step 5: Train staff on cybersecurity awareness
Educate your staff on cybersecurity best practices and raise awareness about the potential risks they may encounter. Regular training sessions can help employees identify and respond to security threats effectively.
Step 6: Secure sensitive information
Implement appropriate security measures to protect sensitive information within your organisation. This may involve restricting access to sensitive data, implementing encryption, and regularly backing up critical data. Backups only count if they can be restored, so test restores periodically and keep at least one copy offline or otherwise out of reach of an attacker who has compromised your main network.
Step 7: Allocate a dedicated cybersecurity budget
Make sure that your business dedicates sufficient resources to address cybersecurity risks effectively. The Hiscox Cyber Readiness Report recommends dedicating 22 per cent of the overall ICT budget to cybersecurity.
Step 8: Seek expert guidance
You don’t have to go it alone: consider seeking guidance from cybersecurity specialists to ensure you are taking the necessary steps to secure your systems and data. External companies can provide support and advisory services tailored to the needs of SMEs.
Step 9: Consider certification
Whether NIS2 will impact you directly or indirectly, you should seriously consider getting certified to a standard like ISO 27001. It is an independent assessment of how you do security, and it gives you confidence when presenting to senior management and assurance to give to customers. You might be surprised to know that such certifications aren’t just for large organisations: at BH Consulting, we have helped very small companies of fewer than 10 people to get certified to the standard.
Step 10: Stay informed and adapt
Cybersecurity is an evolving field – just think of the strides AI is making in this space. That’s why it’s essential to stay updated on the latest cybersecurity trends, threats, and regulations. This lets you adapt your measures accordingly to address emerging risks effectively.
Complying with the NIS2 Directive and improving cybersecurity measures is crucial for SMEs to protect their businesses and maintain the trust of their clients and partners. Even for organisations that aren’t in scope, growing cyber risk means that businesses of all sizes need to be prepared.
Cyber attacks have changed, so how we defend against them must change as well. We’ve seen a large increase in disruptive attacks, and new technologies like AI being used to find vulnerabilities in software or to produce more believable phishing emails.
But there’s help. As well as the steps in this blog, the EU cybersecurity agency ENISA has a guide to help SMEs understand the various cost-effective ways they can secure their business. Ireland’s NCSC also has a publication to help organisations get ready.
Any organisation that goes through the process of complying with NIS2 will, by definition, be making itself more resilient. In doing so, it will earn the trust of customers and partners and reduce its exposure to risk.
As with any journey, it’s good to know where you are and where you’re heading. Investing in cybersecurity is not just a cost but an investment in the long-term success and resilience of your business.
