Companies face the risk of large fines and suspensions to comply with the EU’s strict cyber laws

Companies could face heavy fines or suspension of services in the European Union under tough new cybersecurity regulations that will come into effect next month.

The EU’s NIS 2 cybersecurity directive will be implemented on October 17 by member states. That means that firms will have to ensure that their operations comply with the obligations set out in the new law.

The regulations place strict requirements on companies around their internal cyber resilience strategy and internal processes.

CNBC covers everything you need to know about NIS 2 – from what the law requires to the potential penalties businesses can face for violating the law.

NIS 2, which stands for Network and Information Security Directive 2, is an EU directive that aims to increase the security of IT systems and networks across the bloc. Introduced in 2020, the law acts as an update to an earlier directive called the NIS.

NIS 2 expands its predecessor to address the latest cybersecurity challenges and threats that have emerged as criminals find new ways to hack companies and compromise their sensitive data.

This directive applies to organizations operating within the EU and providing essential services to consumers, including banks, electricity suppliers, healthcare facilities, network providers, transportation and waste generators.

The main areas it will address are risk management, corporate responsibility, reporting obligations, and business continuity planning in the event of a cyber breach.

Geert van der Linden, executive vice president of global cybersecurity services at Capgemini, told CNBC that NIS 2 has effectively set a new standard for companies on what is acceptable to protect citizens. , to maintain performance and remain resilient in the face of cyber attacks.

“NIS 2 will be seen as a global standard by the judges” when it goes live, Van der Linden added. “For our clients, regardless of whether they are considered valuable or important to the law, they have to look at that foundation and make sure they are compliant.”

By meeting this basis, companies will effectively defend themselves against claims, Van der Linden added. He compared it to taking out home insurance to protect your home from burglars.

“Where do thieves go? It’s always the most protected house. They open every door to see where they can get in,” he said. The same applies to companies that want to protect themselves against cyber attacks, Van der Linden added.

Under NIS 2, firms will also have to scan their digital supply chains for cyber threats and vulnerabilities. Companies today use different products and tools every day, giving criminals more opportunities for attack.

Chris Gow, head of Cisco’s EU public policy group, told CNBC that a “mapping exercise” will take place under NIS 2 where companies must audit their technology suppliers to assess potential risks. .

Businesses will also have a “duty of care” to report and share information about network vulnerabilities and hacks with other companies under NIS 2 – even if it means having to be a victim of cybercrime.

Companies that fail to comply with the new law could face potentially significant fines, as well as other punitive actions.

For highly regarded entities, such as transport, financial and water companies, failure to comply with NIS 2 could lead to a fine of up to 10 million euros ($11.1 million ) or 2% of the world’s annual income – whichever is higher.

Companies deemed important, currently – such as food companies, chemical factories and waste management services – face fines of up to 7 million euros or 1.4% of their annual income for non-compliance.

Companies can also face suspension of services if they fail to comply with NIS 2, as well as close monitoring to see if they have complied.

If a business falls under the threat of a cyber crime, it will have 24 hours to give an early warning to the authorities. This is more stringent than the 72-hour windows that must be notified to the authorities of a data breach under the GDPR (General Data Protection Regulation), which is a different data privacy law in the EU.

“Preparing for NIS 2 is not a race to see what you can do, but a race where the strongest organizations run beyond the baseline and use this effort to their competitive advantage,” Carl Leonard, EMEA cybersecurity expert for Proofpoint. , said CNBC.

“I expect that organizations will be better supported through coordinated efforts at the European Union level,” said Leonard. “This will include shared threat intelligence, a common high level of cybersecurity and a ‘say it together’ attitude.

Businesses are racing to get their internal processes and systems in place, as well as the broader culture around cybersecurity, before the Oct. 17.

Cisco’s Gow said that even without the threat of new regulations coming, businesses are working hard to change their internal culture to ensure they take on the threat of cybercrime and cyber incidents. off.

“Even aside from what’s happening on the regulatory side, we’re seeing that reporting happen from the CISO [chief information security officer] at all levels up to the board and management. “

He added that NIS 2 enables businesses to act quickly to bring their cyber management and systems up to speed with the new laws.

“It definitely has an impact,” he said. “I can see it myself. Insiders come with questions from sales and management, asking ‘How does this play out for us?’ ” He added there is a “preparation to do now” for businesses to make sure they meet the requirements. of NIS2.

However, even though cyber security is mostly focused on boardrooms, this does not stop cyber attacks from happening.

Earlier this year, a ransomware attack on Synnovis, a UK healthcare provider, disrupted more than 3,000 hospital and GP services. The attacker, a Russian hacking group called Qilin, demanded a ransom payment of £40 million.

Gow said it would be a mistake to think that the new regulations would prevent similar incidents from happening in the future, but added that NIS 2 had helped to “create more investigative tools and focus feedback to show how you are doing to raise the overall security standard.”