Immunizing Europe against cyber threats: NIS2 and the role of zero trust

It feels like only yesterday I was standing at my kids' end of school year ceremony, now the Euro Soccer Championship are done and the Olympics are in full swing. This summer is hurtling by. And with it, the time organizations have to prepare for the upcoming Network and Information Security 2 (NIS2) Directive, whose key deadline is October 2024.  

Now anyone following my content stream over the past few months might be surprised to know that I used to be skeptical about legislation – about its true motivations and about its efficacy as a result. But the deeper I’ve dived into NIS2, the more convinced I am that this is a huge step forward for cyber security in Europe.

Far from being a performative compliance exercise carried out by single companies, I believe that the NIS2 Directive represents a major step forward in immunizing the entire European region against both current and future cyber threats. With its expanded scope, more stringent cybersecurity requirements, mandates for cyber incident reporting, and potential (personal) fines, it is bringing cyber awareness to boards and industries that historically have not cared as much about security or governance–and is driving them to enhance their cybersecurity postures significantly.

Or at least it should be. If organizations take the time to understand it correctly.

When we spoke to IT leaders about their NIS2 approaches earlier this year, 80% told us that they feel confident their organizations will be compliant by the October deadline, but only 53% believed their teams fully understood the scope of its obligations. And this number fell to 49% when IT leaders were asked the same question about their corporate leadership. What they did know was that NIS2 requires a significant departure from their current security strategies and that many need more support than they were getting to achieve it.

No single solution or software vendor can guarantee compliance with NIS2. An adherence to Zero Trust principles, however, (which the Directive itself suggests organizations adopt as a basic cyber hygiene practice), addresses a number of its criteria – radically shrinking attack surfaces and removing a wide range of technical variables that can hinder compliance progress.

And that is where Zscaler comes in. In our latest whitepaper, ‘Working towards NIS2 compliance - how Zero Trust needs to be a critical part of this journey’, we explore how a Zero Trust architecture – as well as specific Zscaler capabilities and tools – can help organizations meet the challenges NIS2 is throwing at them. And because NIS2 implementation may vary slightly in each member state, we keep our focus on the high-level requirements and principles of the Directive itself, splitting the guidance into four core areas:

·    Cybersecurity risk management measures

·    Cybersecurity governance measures

·    Incident reporting requirements

·    Supervision and enforcement

For those of you who feel like they need an extra shot of support to get their NIS2 efforts over the line by October, it should make for useful reading.

If, however, you’ve skimmed this blog and are feeling quietly confident in your ability to achieve compliance, then I would still suggest you to look at our whitepaper with a view to how you could help support others in your industry or ecosystem. This type of regulative effort really epitomizes the old aphorism that the rising tide lifts all boats. Or – to put it another way – fireproofing your own flat does nothing if the entire block goes up. 

Europe can only truly shore up its cyber-defenses through a concerted effort by organizations of all sizes and industries to enhance their security mechanisms, reduce their exposure to cyber risks and streamline compliance activities.