Compliance officers across the European Union are grappling with the demands of the new NIS2 Directive. Replacing the previous NIS Directive[1], NIS2 (Directive (EU) 2022/2555[2]) sets more stringent cybersecurity requirements across the “sectors of high criticality” listed in Annex I of the Directive, from energy to digital infrastructure, including banking and financial market infrastructures.
But NIS2 is more than a checklist of requirements; it changes how an organisation has to think about risk. For compliance teams facing “compliance fatigue,” the key to success lies in mastering two foundational principles: the all-hazards approach and cyber hygiene. By adopting a comprehensive approach to risk management and security, compliance leaders can enhance their organisations’ resilience and better prepare them for a secure digital future.
The All-Hazards Approach
What Is It?
NIS2’s all-hazards approach[3] pushes organisations to look beyond conventional IT threats: the risk-management measures of Article 21(2) must protect network and information systems, and the physical environment of those systems, from incidents of any kind, which requires a broad assessment of risks across all operational areas, from HR to the supply chain. Cyber incidents may be the most prominent risks, but NIS2 recognises that any area that directly or indirectly supports IT infrastructure can introduce security threats if left unmanaged.
IT Risks: Traditional vulnerabilities such as system flaws, network weaknesses and outdated software remain critical, particularly given today’s malware and phishing tactics. Companies should favour proactive measures such as patch management, penetration testing and intrusion detection. The 2017 WannaCry ransomware attack[4], which spread by exploiting an SMB vulnerability in unpatched Windows systems for which a fix had been available for two months, affected more than 200,000 systems globally and highlighted the importance of vigilant IT risk management, above all timely patching.
HR Risks: Security also depends heavily on personnel. Untrained staff can accidentally expose systems to cyber threats. Compliance teams must address issues such as data misuse, insider threats and social engineering. NIS2 requires the members of management bodies to follow cybersecurity training and encourages entities to offer similar training to all employees on a regular basis[5], underscoring the need for a proactive approach to HR risk management.
Supply Chain Risks: A company’s cybersecurity is often only as strong as that of its partners. The SolarWinds breach[6] illustrated how a compromised build process at a third-party software vendor can deliver a backdoor to well-defended organisations through a trusted, signed update. NIS2 requires entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers[7], so that the cybersecurity standards an organisation sets for itself also reach the providers it depends on.
Why It Matters
NIS2 underscores that resilience isn’t just about IT defences; it’s about securing the continuity of the entire organisation. This broad approach equips companies to adapt to unexpected disruptions, protecting all components of the operation and minimising downtime. Compliance leaders who adopt the all-hazards framework strengthen their organisation’s reliability and help create a more comprehensive shield against potential crises.
How the Leaders Do It
Top compliance professionals see NIS2’s all-hazards approach as a strategic defence tool. They foster resilience by embedding a culture of risk awareness across all departments, ensuring that everyone from HR to procurement understands their role in cybersecurity. This unified effort ensures that all organisational components support the digital security strategy and align with regulatory standards.
Cyber Hygiene, The First Line of Defence
The Daily Routine
Just as personal hygiene protects physical health, cyber hygiene practices provide essential protection against cyber threats. Article 21(2) of NIS2 names basic cyber hygiene practices, policies on cryptography and encryption, and the use of multi-factor authentication and secured communications among the minimum risk-management measures, so fundamental controls such as multi-factor authentication, encryption and secure communication channels are non-negotiable for compliance. These actions create an affordable, effective cybersecurity foundation that can scale with evolving threats.
Multi-Factor Authentication (MFA): Requiring a second verification factor significantly reduces the risk of unauthorised access through stolen or guessed passwords. MFA is essential, particularly for sectors like finance, where data breaches carry severe consequences. Not all factors are equal: SMS codes and push approvals can be phished or worn down by repeated prompts, so phishing-resistant methods such as FIDO2 hardware keys should be preferred for privileged and remote access.
Encryption: Safeguarding data during transmission and storage keeps sensitive information secure even if it is accessed illegally, provided the keys are managed separately from the data and access to decrypt is itself controlled. In May 2024, Ticketmaster experienced a significant data breach[8] in which hackers accessed unencrypted customer data, including names, addresses, emails, phone numbers and partial credit card details, emphasising the critical importance of robust encryption policies to protect sensitive customer information.
Secure Communication Channels: All data within an organisation should flow through secure channels. TLS for every internal and external service, end-to-end encrypted messaging and VPN or zero-trust access for remote users reduce the risk of eavesdropping or interception and strengthen internal security.
Why It Matters
Cyber hygiene is more than “best practice”; it’s essential for reducing infiltration risks. Without consistent application, even sophisticated systems can fail. By embedding these fundamentals into daily routines, compliance professionals protect their organisations and ensure security awareness aligned with NIS2’s standards.
How the Leaders Approach It
Leading compliance officers make cyber hygiene a core aspect of organisational culture. They collaborate with IT and department heads to ensure cyber hygiene becomes second nature for all employees. Through regular cybersecurity training and reinforcement of daily protocols, compliance professionals cultivate a shared responsibility for cybersecurity that extends beyond compliance, building long-term resilience.
Conclusion: The Stakes and Path to Resilience
With fines for essential entities of at least €10 million or 2% of total worldwide annual turnover, whichever is higher[9], the NIS2 compliance stakes are high. However, for compliance leaders, the drive toward NIS2 compliance is about more than avoiding penalties: it’s about building a stronger, more resilient organisation. By mastering the all-hazards approach and instilling cyber hygiene practices, compliance officers are doing more than meeting regulatory demands. They are fortifying their organisations against threats, elevating security, and embedding cybersecurity deeply into their operational culture.
As the European Union steps into this new cybersecurity era, the role of the compliance officer is expanding, requiring a proactive approach to risk management and innovation. By championing NIS2’s principles, professionals help establish robust systems that can withstand tomorrow’s challenges, keeping their organisations secure and adaptable in a rapidly evolving digital landscape.
[1] As of 18 October 2024, Directive 2016/1148/EU (Network and Information Systems) (NIS) will be repealed by Directive 2022/2555/EU (NIS2), dated 14 December 2022, which shall be implemented by the member states by 17 October 2024. Entities of the banking and financial sector fall within the scope of application of the NIS2 Directive. However, with regard to financial entities, this Directive shall be read in conjunction with Regulation 2022/2554/EU on digital operational resilience for the financial sector (DORA), which will be applicable as of 17 January 2025, with a direct effect in all member states. Source: https://ntpartnerlawfirm.com/fintech-in-luxembourg-2024/
[2] Consolidated text: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02022L2555-20221227
[3] See Article 21(2): “The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents…”
[4] Josh Fruhlinger (24 Aug 2022) “WannaCry explained: A perfect ransomware storm” https://www.csoonline.com/article/563017/wannacry-explained-a-perfect-ransomware-storm.html
[5] See Article 20(2): “Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”
[6] Saheed Oladimeji, Sean Michael Kerner (03 Nov 2023) “SolarWinds hack explained: Everything you need to know” https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know
[7] See Article 21(2)(d): “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;”
[8] Mark Sellman (30 May 2024) “Ticketmaster customers urged to change passwords after global hack”
[9] See Article 34(4): “Member States shall ensure that where they infringe Article 21 or 23, essential entities are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.”