Back in 2021, the White House issued an executive order compelling federal government agencies to develop a plan for implementing a zero trust architecture. This was followed by a memorandum that mandated federal agencies to achieve specific zero trust security goals by the end of 2024.

Last year, as you may have heard, the SEC in the United States issued new rules compelling publicly traded companies to disclose material cybersecurity breaches. As it’s happened, the SEC has wasted no time in showing its regulations have teeth, with the first prosecutions having already taken place.

So, there’s a lot going on in the USA, but it’s not the only place in the world where policymakers are pushing for—or even mandating—the adoption of zero trust principles. This year the European Union will be updating and tightening its Network and Information Systems (NIS) directive, and as anyone who experienced the arrival of the GDPR regulations on privacy will tell you, the reach of EU regulations can be great indeed.

NIS 2.0

The NIS 2.0 directive comes into force in October 2024, mandating that management bodies within organizations in specific categories implement cybersecurity risk management measures. Impacted categories extend to:

Energy
Transport
Banking
Financial market infrastructure
Health
Drinking water
Wastewater
Digital infrastructure
ICT service management (B2B)
Public administrations
Space
Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Food production, processing, and distribution
Manufacturing
Digital providers
Research

As you can see, the directive is focused on critical physical and digital infrastructure within EU member states, but it also has reach. It applies not only to organizations within the EU, but also to any organization worldwide that provides services to any of the protected sectors within the EU. As with the SEC regulations, there are strict rules for prompt incident reporting.

The stick

The picture is abundantly clear at this point. Government bodies in regions covering hundreds of millions of citizens have recognized that the risk of inadequate cybersecurity practices is severe enough to warrant strict regulations and even severe penalties. The carrot has been in place for many years—now comes the stick!

The carrot

So, what’s the carrot? What are the positive aspects to strengthening your security defenses? Sure, it starts with reducing cyberattack risk and achieving compliance, but what else? Organizations that implement robust cybersecurity practices stand to gain significantly in terms of cost reduction, competitiveness, business continuity, and customer trust. Not just one carrot, but a whole bunch!

Help is at hand. The NIS 2.0 directive itself includes clear guidance on how to improve your cybersecurity stance, and you won’t be surprised to learn that the first recommended cyber hygiene practice listed is the adoption of zero trust principles. In fact, as you review these lengthy regulatory and legal requirements, zero trust comes up routinely as the holy grail to aim for.

“Users should log into applications, rather than networks”

Help is also available from Zscaler, where we’ve been designing and building the foundational pillars of a zero trust architecture since 2007. If you’d like to speak to someone about implementing zero trust and achieving regulatory compliance, whatever your industry, please get in touch. Alternatively, join one of our monthly introductory webinars to learn more and ask questions. Click here and search ‘start here’ to find the next session to sign up for.